[1457] in cryptography@c2.net mail archive
Re: Speeding up DH
daemon@ATHENA.MIT.EDU (David Jablon)
Wed Sep 10 11:44:10 1997
Date: Wed, 10 Sep 1997 09:17:46 -0400
To: Colin Plumb <colin@nyx.net>, cryptography@c2.net, frantz@communities.com
From: David Jablon <dpj@world.std.com>
In-Reply-To: <199709100233.UAA20189@nyx10.nyx.net>
Colin Plumb wrote:
>If p-1 is divisible by k, for any small factor k, then x mod k is
>revealed, assuming g is a generator. Choosing g not a generator is
>equivalent to choosing x a multiple of k (for some divisors k),
>so it renders the leak useless. ...
Here's a slight correction for sticklers.
Choosing g as "not a generator" of the full group
may be insufficient to stop all leaks;
g must specifically be of order (p-1)/k.
A simple way to get one is to use g=g_0^k
for any g_0, as long as g <> 1.
------------------------------------
David Jablon
dpj@world.std.com
<http://world.std.com/~dpj/>
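A worked example of the leak the thread describes and of Jablon's fix, added here and not part of the original exchange. It uses constructed toy values (p = 1013, so p-1 = 4 * 11 * 23, and k = 11) and assumes k divides p-1 only once, so that (p-1)/k is coprime to k; the function names are this example's own.

```python
# Added illustration, not code from the original thread: a toy prime p whose
# p-1 has a small factor k. With a full-order generator g, the public value
# y = g^x mod p reveals x mod k; with g' = g^k (order (p-1)/k) it does not.
# Constructed values: p = 1013, p-1 = 1012 = 2^2 * 11 * 23, and k = 11.
P = 1013
P_MINUS_1_PRIME_FACTORS = (2, 11, 23)
K = 11


def is_full_generator(g: int, p: int, factors) -> bool:
    """True if g has order p-1 in Z_p^* (factors = distinct primes of p-1)."""
    return g % p != 1 and all(pow(g, (p - 1) // q, p) != 1 for q in factors)


def smallest_generator(p: int, factors) -> int:
    """Smallest base that generates the whole multiplicative group mod p."""
    return next(g for g in range(2, p) if is_full_generator(g, p, factors))


def candidates_for_x_mod_k(y: int, g: int, p: int, k: int) -> set:
    """What an observer learns about x mod k from y = g^x mod p.

    z = y^((p-1)/k) = (g^((p-1)/k))^x depends only on x mod k, and k is
    small, so every residue can be tried.  One surviving candidate means
    x mod k leaked; all k surviving means the base gave nothing away.
    """
    h = pow(g, (p - 1) // k, p)  # order k for a full generator, 1 if ord(g) = (p-1)/k
    z = pow(y, (p - 1) // k, p)
    return {r for r in range(k) if pow(h, r, p) == z}


def leak_report(x: int, k: int = K, p: int = P, factors=P_MINUS_1_PRIME_FACTORS):
    """Compare the leak for a full generator g and for Jablon's g' = g^k."""
    g = smallest_generator(p, factors)
    g_fixed = pow(g, k, p)  # g_0^k, of order (p-1)/k; must not be 1
    assert g_fixed != 1
    with_generator = candidates_for_x_mod_k(pow(g, x, p), g, p, k)
    with_fixed = candidates_for_x_mod_k(pow(g_fixed, x, p), g_fixed, p, k)
    return with_generator, with_fixed


if __name__ == "__main__":
    leaked, hidden = leak_report(x=777)
    print("full generator: x mod 11 in", leaked)          # {7}
    print("g^11 as base:   x mod 11 in", sorted(hidden))  # all 11 residues
```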