I wonder whether g**x, with x = (p-1)/2, is checked in current TLS 1.2 implementations?
In RFC https://tools.ietf.org/html/rfc7919, "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)":

"Traditional finite field Diffie-Hellman has each peer choose their secret exponent from the range [2, p-2]. Using exponentiation by squaring, this means each peer must do roughly 2*log_2(p) multiplications, twice (once for the generator and once for the peer's public key)."

Not true!!!

Even for p a safe prime (i.e. Sophie Germain prime, p = 2*q+1, with p and q prime numbers), the secret exponent x = (p-1)/2 is a security issue since:

  g**(xy) = 1     for y an even integer
  g**(xy) = g**x  for y an odd integer

If p is not a safe prime (like in RFC 5114), other issues occur...

Pascal
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
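The degenerate exponent Pascal describes, worked through as an added example (this is not code from the post, from RFC 7919, or from any TLS implementation). It uses a small constructed safe prime, p = 2039 = 2*1019 + 1, so the arithmetic can be followed by hand, and it assumes the receiver-side checks RFC 7919 describes for a peer's public key: the range test 1 < Y < p-1 and the order test Y^q mod p == 1. For a generator of the whole group, g^((p-1)/2) is p-1 and the shared secret is 1 or p-1 depending on the parity of the other side's exponent, exactly as the post says; for g = 2 as used by the RFC 7919 groups (which lies in the order-q subgroup because those primes are 7 mod 8), g^((p-1)/2) is 1 and the secret is always 1. Either way the range test alone already rejects the public value.

```python
# Added example for the thread above; not code from the post or from RFC 7919.
# Toy safe prime p = 2039 = 2*1019 + 1 is constructed for readability.

def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy modulus used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when both p and q = (p-1)/2 are prime."""
    return is_prime(p) and is_prime((p - 1) // 2)


P = 2039                # constructed toy safe prime, p = 2q + 1
Q = (P - 1) // 2        # q = 1019
assert is_safe_prime(P)


def full_group_generator(p: int) -> int:
    """Smallest g >= 2 generating all of Z_p^*, i.e. with g^q == -1 mod p.
    (RFC 7919 uses g = 2 instead, which sits in the order-q subgroup because
    its primes satisfy p == 7 mod 8.)"""
    q = (p - 1) // 2
    return next(g for g in range(2, p) if pow(g, q, p) == p - 1)


def public_value(g: int, x: int, p: int) -> int:
    """Y = g^x mod p, the value sent to the peer."""
    return pow(g, x, p)


def shared_secret(peer_pub: int, x: int, p: int) -> int:
    """Z = Y_peer^x mod p."""
    return pow(peer_pub, x, p)


def secrets_reachable_with_weak_exponent(g: int, p: int) -> set:
    """Every shared secret a peer using x = (p-1)/2 can end up with, over all
    peer exponents y in [2, p-2]. For g^x == -1 this is {1, p-1} (y even /
    y odd); for g^x == 1 it is just {1}."""
    x = (p - 1) // 2
    gx = public_value(g, x, p)
    return {shared_secret(gx, y, p) for y in range(2, p - 1)}


def valid_public_key(y: int, p: int, q: int) -> bool:
    """Receiver-side validation: range test 1 < Y < p-1, then order test
    Y^q == 1 mod p. Both degenerate values 1 and p-1 fail the range test;
    the order test additionally rejects values outside the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


if __name__ == "__main__":
    x_weak = (P - 1) // 2
    for g in (2, full_group_generator(P)):
        y_pub = public_value(g, x_weak, P)
        print(f"g={g}: g^((p-1)/2) mod p = {y_pub}, "
              f"accepted by validation = {valid_public_key(y_pub, P, Q)}")
        print(f"      shared secrets reachable: "
              f"{sorted(secrets_reachable_with_weak_exponent(g, P))}")
```

Running the script prints the two cases side by side: with g = 2 the weak public value is 1, with the smallest full-group generator (7 for this prime) it is 2038 = p-1, and `valid_public_key` rejects both before any secret is derived. For real group sizes, replace `P` with one of the RFC 7919 primes and drop the brute-force `full_group_generator`; the checks themselves are unchanged.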