From: "Perry E. Metzger" <perry@imsi.com>
Date: Fri, 20 May 94 08:10:57 PDT
To: hughes@ah.com (Eric Hughes)
Subject: Re: D-H key exchange - how does it work?
In-Reply-To: <9405201502.AA10802@ah.com>
Message-ID: <9405201510.AA06846@snark.imsi.com>
MIME-Version: 1.0
Content-Type: text/plain



Eric Hughes says:
>    It takes hours and hours of searching to find a 1024 bit strong
>    prime on a workstation.  Granted, you don't need to change very
>    often perhaps, but some people would like to change every day.
> 
> If they really want to change that often, they can buy a dedicated
> machine.  There's no good cryptographic reason to change that often,
> if the modulus is large enough.

I dunno. The paper by LaMacchia and Odlysko on how to break
Diffie-Hellman quickly once you've done a lot of precomputation on a
static modulus is sufficiently disturbing to me that I would prefer to
be able to change modulii fairly frequently if possible. If the
opponent knows a way thats a constant factor of a few tens of
thousands cheaper to do discrete logs, it might be worth their while
to spend a large sum on doing that precomputation once in the hopes of
breaking lots of traffic.

> In addition, changing the modulus can have unpleasant effects on
> traffic analysis, if not done properly.

Of what sort?

> Just fine.  The complexity of taking discrete logs is dependent on the
> largest prime factor of the modulus.

It is BELIEVED dependent -- lets be precise...

Perry