Methods for Avoiding the "Small-Subgroup" Attacks on the Diffie-Hellman Key Agreement Method for S/MIME
RFC 2785 Methods for Avoiding "Small-Subgroup" Attacks March 2000
technologies. All of these factors must be considered when deciding
whether or not to protect oneself from these attacks, or whether to
engineer the application so that protection is not necessary.
We will not consider "attacks" where the other party in the key
agreement merely forces the shared secret value to be "weak" (i.e.
from a small set of possible values) without attempting to compromise
the private key. It is not worth the effort to attempt to prevent
these attacks since the other party in the key agreement gets the
shared secret and can simply make the plaintext public.
The methods described in this memo may also be used to provide
protection from similar attacks on elliptic curve based Diffie-Hellman.
1.1 Notation
In this document we will use the same notation as in [RFC 2631]. In
particular the shared secret ZZ is generated as follows:
ZZ = g ^ (xb * xa) mod p
Note that the individual parties actually perform the computations:
ZZ = (yb ^ xa) mod p = (ya ^ xb) mod p
where ^ denotes exponentiation.
ya is Party A's public key; ya = g ^ xa mod p
yb is Party B's public key; yb = g ^ xb mod p
xa is Party A's private key; xa is in the interval [2, (q - 2)]
xb is Party B's private key; xb is in the interval [2, (q - 2)]
p is a large prime
g = h^((p-1)/q) mod p, where
h is any integer with 1 < h < p-1 such that h^((p-1)/q) mod p > 1
(g has order q mod p)
q is a large prime
j a large integer such that p=q*j + 1
In this discussion, a "static" public key is one that is certified
and is used for more than one key agreement, and an "ephemeral"
public key is one that is not certified but is used only one time.
The order of an integer y modulo p is the smallest value of x greater
than 1 such that y^x mod p = 1.
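As an added worked example (not part of RFC 2785), the notation above carried through on constructed toy parameters: p = q*j + 1 with q = 11 and j = 6, a generator g derived from h as in the definition of g, the two parties' computation of ZZ, and a check that a received public key actually has order q rather than an order dividing j. The parameter sizes, the value h = 2 and the private keys are assumptions chosen for illustration only.

```python
# Added example (not RFC 2785's own text): the section 1.1 notation on
# constructed toy parameters. Sizes are tiny for illustration only.
Q = 11                 # "large" prime q (toy size)
J = 6                  # cofactor j
P = Q * J + 1          # p = q*j + 1 = 67, prime

def make_generator(p, q, h):
    """g = h^((p-1)/q) mod p; None when that value is 1 (caller picks another h)."""
    g = pow(h, (p - 1) // q, p)
    return None if g == 1 else g

def order_mod_p(y, p):
    """Multiplicative order of y mod p: smallest x >= 1 with y^x mod p == 1
    (agrees with the memo's definition for every y other than 1)."""
    x, acc = 1, y % p
    while acc != 1:
        acc = (acc * y) % p
        x += 1
    return x

def in_subgroup_q(y, p, q):
    """Public-key check: 1 < y < p-1 and y^q mod p == 1, i.e. y has order q
    rather than an order dividing the cofactor j."""
    return 1 < y < p - 1 and pow(y, q, p) == 1

def agree(p, xa, xb, g):
    """Both parties' view of the agreement: ZZ = yb^xa = ya^xb = g^(xa*xb) mod p."""
    ya, yb = pow(g, xa, p), pow(g, xb, p)
    zz_a, zz_b = pow(yb, xa, p), pow(ya, xb, p)
    assert zz_a == zz_b == pow(g, xa * xb, p)
    return ya, yb, zz_a

def distinct_secrets(y, p, q):
    """Number of different ZZ values a peer key y can produce over all private
    keys xa in [2, q-2]; a key of small order confines ZZ to a tiny set."""
    return len({pow(y, xa, p) for xa in range(2, q - 1)})

if __name__ == "__main__":
    g = make_generator(P, Q, 2)            # 2^6 mod 67 = 64, which has order 11
    print("g =", g, "order", order_mod_p(g, P))
    ya, yb, zz = agree(P, 3, 4, g)         # xa = 3, xb = 4, both in [2, q-2]
    print("ya, yb, ZZ =", ya, yb, zz)
    bad = pow(2, (P - 1) // 3, P)          # 37: an element of order 3 (3 divides j)
    print("order-3 key passes check?", in_subgroup_q(bad, P, Q),
          "| distinct ZZ values it allows:", distinct_secrets(bad, P, Q))
```

With g of order q every private key in [2, q-2] gives a different ZZ, while the order-3 element leaves only three possible values, which is why the membership check rejects it.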
Zuccherato Informational