Validating diffie hellman public private keys

By default Open SSL will work with PEM files for storing EC private keys.

These are text files containing base-64 encoded data.

Possibly we should at least implement a test that detects special cases, so that weak primes (such as the one used in libtomcrypt) are detected. [Eurocrypt92 panel]: "The Eurocrypt'92 Controversial Issue Trapdoor Primes and Moduli", EUROCRYPT '92, LNCS 658, pp.

validating diffie hellman public private keys-48validating diffie hellman public private keys-38

We use this lower limit because that is what the SUN provider is currently doing. "A kilobit hidden SNFS discrete logarithm computation".

TODO(bleichen): Find a reference supporting or disproving that decision.

Gordon has analyzed methods to generate and detect weak parameters [G92].

Section 4 of Gordons paper describes a method that can detect some special cases, but no general method was given. showed that 1024 bit discrete logarithms with the special number field sieve are feasible [FGHT16]. "Designing and detecting trapdoors for discrete log cryptosystems." CRYPTO’92, pp.

Moreover, the SUN provider uses the minimal sizes specified by NIST for q. Lee, "A key recovery attack on discrete log-based schemes using a prime order subgroup", CRYPTO' 98, pp 249–263.

Essentially the provider reuses the parameters for DSA. To avoid big disasters the tests below require that key sizes are not minimal. I.e., currently the tests require at least 512 bit keys for 1024 bit fields. $$q=(p-1)/2),$$ hence the only elements of small order are 1 and p-1. 2, Section only requires that the size of the subgroup generated by the generator g is big enough to prevent the baby-step giant-step algorithm. for 80-bit security p must be at least 1024 bits long and the prime q must be at least 160 bits long. A 2048 bit prime p and a 224 bit prime q are sufficient for 112 bit security. The DH parameters must be carefully chosen to avoid security issues.