PuTTY wish retire-short-dh-exponents

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Pre-release · Snapshot | Docs | Privacy | Changes | Wishlist

summary: Stop using short Diffie-Hellman exponents
class: wish: This is a request for an enhancement.
difficulty: fun: Just needs tuits, and not many of them.
absent-in: 0.51
fixed-in: cd60a602f541ac44aecd207f4e055279b86d1898 (0.77)

Ever since PuTTY 0.52, Diffie-Hellman key exchange (of the ordinary integer kind, not elliptic-curve) has been done using an exponent of smaller size than the prime modulus. Now it's using a full-sized exponent.

This was originally done to save time, because Diffie-Hellman was more computationally expensive even than an RSA private-key operation of the same size (because in RSA you can use the Chinese remainder theorem to reduce the work).

A cryptography paper at the time gave a rationale for why it was OK to use short exponents, provided your Diffie-Hellman modulus is a safe prime (which all the standard SSH ones are, and group exchange is supposed to use safe primes as well).

However, there is of course a theoretical risk in trusting a piece of reasoning like that: it might be proved wrong by further research, or a new attack might be found against it, or a mistake in deployment might combine badly with taking that particular shortcut (e.g. suppose a mis-implemented server didn't use safe primes for DH group exchange).

Now computers are significantly faster than they were in 2001, and PuTTY's arithmetic code is also more highly optimised than it was then. So I've decided it isn't worth taking that risk any more. From 0.77, PuTTY will use full-sized exponents for integer Diffie-Hellman.

This change is not classed as a vulnerability fix, because I don't know of any actual attacks against the previous strategy. It's more in the nature of "being extra cautious just in case".


If you want to comment on this web site, see the Feedback page.
Audit trail for this wish.
(last revision of this bug record was at 2022-05-15 14:15:31 +0100)