
Presentations of Diffie-Helman leave out how to find g - zdw
https://blog.computationalcomplexity.org/2020/06/presentations-of-diffie-helman-leave.html
======
spekcular
I agree with the author and ran into the same problem when learning (and later
teaching) D–H.

A good explanation is given in the following crypto.stackexchange answer; the
last two paragraphs in particular are the short version:
[https://crypto.stackexchange.com/a/829](https://crypto.stackexchange.com/a/829).

~~~
cryptonector
That says

| There is no security issue with Diffie-Hellman (or DSA) if you reuse
previously generated p, q and g; ...

That's... not entirely true. For small enough p an attacker can mount a
precomputation attack against the group. That's something the NSA is rumored
to have done for standard (now obsolete) 512-bit DH groups. For large enough
primes p this is not really a concern though, so, yeah.

Also, DH is pretty much obsolete now with ECDH.

~~~
spekcular
Yes, I totally agree. The qualifier "for large enough p" should be added.

For anyone reading this who's wondering about the NSA attack, some details can
be found here: [https://weakdh.org/](https://weakdh.org/). Circumstantial
evidence that the NSA did what that website describes is given in the research
paper there.

------
ThePowerOfFuet
This site is totally unreadable on mobile.

------
HelloNurse
Multiple reasons:

- the challenging part of the protocol (from a security point of view) is agreeing on p and g, not finding them
- the interesting part of the protocol is doing interesting things with p and g, not computing them by trial and error
- there are solid and obvious guarantees that p and g exist and are easy to find, no reason to waste even half a paragraph
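As an added illustration of the points raised in this thread (not code from the linked blog post or from any commenter), the following Python shows how little work "finding g" actually is once p is a safe prime p = 2q+1, and what a receiving party should check before trusting a (p, g) pair it did not generate itself, including the "large enough p" qualifier discussed above. The Miller-Rabin test, the tiny constructed prime p = 23 used in the demo, and the 2048-bit floor are all assumptions of this example; a real deployment would use a vetted library and a standardized group.

```python
import random

_RNG = random.Random(0)  # fixed seed so the illustration is reproducible


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (written for this example;
    in practice use a vetted library routine)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _RNG.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """p is a safe prime when both p and q = (p-1)/2 are prime."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def element_order(g, p):
    """Order of g in Z_p^* for a safe prime p = 2q+1.
    Only four orders are possible (1, 2, q, 2q), so two exponentiations settle it."""
    q = (p - 1) // 2
    if g % p == 1:
        return 1
    if pow(g, 2, p) == 1:
        return 2
    if pow(g, q, p) == 1:
        return q
    return 2 * q


def find_generator(p):
    """Smallest g that generates the whole group Z_p^* (order p-1).
    For a safe prime roughly half of all elements qualify, so this terminates fast."""
    for g in range(2, p - 1):
        if element_order(g, p) == p - 1:
            return g
    raise ValueError("no generator found; is p a safe prime?")


def find_subgroup_generator(p):
    """Generator of the prime-order-q subgroup: any square h^2 != 1 has order q.
    This is the usual choice, since it leaks nothing about the exponent's parity."""
    for h in range(2, p - 1):
        g = pow(h, 2, p)
        if g != 1:
            return g
    raise ValueError("no subgroup generator found; is p a safe prime?")


def validate_dh_params(p, g, min_bits=2048):
    """Checks a received (p, g) pair: p large enough to resist precomputation,
    p a safe prime, and g of order q or 2q (never 1 or 2).
    The 2048-bit floor is an assumption of this example."""
    if p.bit_length() < min_bits:
        return False
    if not is_safe_prime(p):
        return False
    if not 1 < g < p - 1:
        return False
    q = (p - 1) // 2
    return element_order(g, p) in (q, 2 * q)


def dh_exchange(p, g, rng=None):
    """Both sides of the exchange; returns (Alice's secret, Bob's secret),
    which must agree. Exponents are drawn from [2, q)."""
    rng = rng or random.SystemRandom()
    q = (p - 1) // 2
    a, b = rng.randrange(2, q), rng.randrange(2, q)
    A, B = pow(g, a, p), pow(g, b, p)      # public values exchanged in the clear
    return pow(B, a, p), pow(A, b, p)      # each side combines the other's value


if __name__ == "__main__":
    p = 23  # constructed toy safe prime (q = 11); far too small for real use
    print("full-group generator:", find_generator(p))
    print("order-q generator:", find_subgroup_generator(p))
    print("accepted at toy size:", validate_dh_params(p, 5, min_bits=0))
    print("accepted at 2048-bit floor:", validate_dh_params(p, 5))
    print("shared secrets agree:", len(set(dh_exchange(p, 5))) == 1)
```

The validation function is the part a practitioner actually needs: reusing a published (p, g) is fine, as the thread concludes, provided p is large and the peer cannot hand you a small-order g.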

~~~
alasdair_
Formatting like this makes what you posted unreadable on mobile.

~~~
cryptonector
You have to remember to wrap text when you indent it by two or more spaces on
HN.

~~~
pimlottc
Manual line wrapping is still not a very good solution since screen widths
vary wildly.

~~~
cryptonector
It's the only option HN gives us. Blame HN.

