DH Group Exchange Fallback

Joseph S Testa II jtesta at positronsecurity.com
Wed Sep 27 01:50:44 AEST 2017

On 09/25/2017 01:54 AM, Mark D. Baushke wrote:
> With the group18 8192-bit MODP prime, we are getting just under 192-bits
> of security... depending on how you calculate it.
> (I think I read somewhere that, going to 16384 (2^14) will get us to
> approximately 229-bits of security and 32768 (2^15) will get us to
> almost 267-bits of security, but I am unable to find the reference right
> now.... sigh.)

According to NIST Special Publication 800-57, Part 1, Revision 4, p. 53, 
a 7680-bit modulus is estimated to provide 192 bits of security.  Hence, 
a 8192-bit modulus would provide a little over 192.

It also estimates that 256-bits of security is achieved with 15360-bit 

    - Joe

More information about the openssh-unix-dev mailing list