-
Bug
-
Resolution: Fixed
-
P3
-
6
-
beta
-
generic
-
generic
The default size of the private exponent in the DHKeyPairGenerator should be changed. The current default choice (if not explicitly specified by the application) is naively maximally conservative. The result that we are at least twice as slow as we should reasonably be.
RFC 3526 (http://www.ietf.org/rfc/rfc3526.txt) includes estimates for the strength of DH and suggested sizes for the private exponent (section 8). It has two different estimates, the more conservative suggests an exponent size of 240 bit for a 1536 bit group whereas we would choose 1535 -- more than 6 times too long.
The default could be changed to:
L = p.bitLength() / 2
but with a minimum of 384. In other words, 512 bit exponent for a 1024 bit group and 768 bit exponent for a 1536 bit group. This is still extremely conservative given the table in the RFC.
Note that exponent size is quite relevant for performance since the time required for a DH operation is directly proportional to size of the private exponent. That means with this change we would get a speedup of 50% compared to what we have now.
RFC 3526 (http://www.ietf.org/rfc/rfc3526.txt) includes estimates for the strength of DH and suggested sizes for the private exponent (section 8). It has two different estimates, the more conservative suggests an exponent size of 240 bit for a 1536 bit group whereas we would choose 1535 -- more than 6 times too long.
The default could be changed to:
L = p.bitLength() / 2
but with a minimum of 384. In other words, 512 bit exponent for a 1024 bit group and 768 bit exponent for a 1536 bit group. This is still extremely conservative given the table in the RFC.
Note that exponent size is quite relevant for performance since the time required for a DH operation is directly proportional to size of the private exponent. That means with this change we would get a speedup of 50% compared to what we have now.