mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-10 01:48:00 +00:00
cd60a602f5
I recently encountered a paper [1] which catalogues all kinds of things that can go wrong when one party in a discrete-log system invents a prime and the other party chooses an exponent. In particular, some choices of prime make it reasonable to use a short exponent to save time, but others make that strategy very bad. That paper is about the ElGamal encryption scheme used in OpenPGP, which is basically integer Diffie-Hellman with one side's key being persistent: a shared-secret integer is derived exactly as in DH, and then it's used to communicate a message integer by simply multiplying the shared secret by the message, mod p. I don't _know_ that any problem of this kind arises in the SSH usage of Diffie-Hellman: the standard integer DH groups in SSH are safe primes, and as far as I know, the usual generation of prime moduli for DH group exchange also picks safe primes. So the short exponents PuTTY has been using _should_ be OK. However, the range of imaginative other possibilities shown in that paper make me nervous, even so! So I think I'm going to retire the short exponent strategy, on general principles of overcaution. This slows down 4096-bit integer DH by about a factor of 3-4 (which would be worse if it weren't for the modpow speedup in the previous commit). I think that's OK, because, firstly, computers are a lot faster these days than when I originally chose to use short exponents, and secondly, more and more implementations are now switching to elliptic-curve DH, which is unaffected by this change (and with which we've always been using maximum-length exponents). [1] On the (in)security of ElGamal in OpenPGP. Luca De Feo, Bertram Poettering, Alessandro Sorniotti. https://eprint.iacr.org/2021/923 |
||
|---|---|---|
| .. | ||
| aes-common.c | ||
| aes-neon.c | ||
| aes-ni.c | ||
| aes-select.c | ||
| aes-sw.c | ||
| aes.h | ||
| arcfour.c | ||
| argon2.c | ||
| bcrypt.c | ||
| blake2.c | ||
| blowfish.c | ||
| blowfish.h | ||
| chacha20-poly1305.c | ||
| CMakeLists.txt | ||
| crc32.c | ||
| des.c | ||
| diffie-hellman.c | ||
| dsa.c | ||
| ecc-arithmetic.c | ||
| ecc-ssh.c | ||
| ecc.h | ||
| hash_simple.c | ||
| hmac.c | ||
| mac_simple.c | ||
| mac.c | ||
| md5.c | ||
| mpint_i.h | ||
| mpint.c | ||
| prng.c | ||
| pubkey-pem.c | ||
| pubkey-ppk.c | ||
| pubkey-ssh1.c | ||
| rsa.c | ||
| sha1-common.c | ||
| sha1-neon.c | ||
| sha1-ni.c | ||
| sha1-select.c | ||
| sha1-sw.c | ||
| sha1.h | ||
| sha3.c | ||
| sha256-common.c | ||
| sha256-neon.c | ||
| sha256-ni.c | ||
| sha256-select.c | ||
| sha256-sw.c | ||
| sha256.h | ||
| sha512-common.c | ||
| sha512-neon.c | ||
| sha512-select.c | ||
| sha512-sw.c | ||
| sha512.h | ||
| xdmauth.c | ||