Can we disable diffie-hellman-group-exchange-sha1 by default?

Mark D. Baushke mdb at
Fri Feb 15 19:34:06 AEDT 2019

Yegor Ievlev <koops1997 at> writes:

> I referred to the fact that there is no value for 4096-bit groups at
> all. For higher strengths than 128 bits one should probably not use
> non-EC crypto at all, as the document suggests.

For 4096-bit Diffie-Hellman, running one of the mathematical methods
gives you on the order of 150 bits of security. See RFC 3526 section 8.

For 190 bits of security, you need a Diffie-Hellman of 8k-bits in

Of course, using a larger Q-ordered subgroup such as we get with
safe-primes helps to increase the computation time needed even beyond
the standard sieve techniques.

The speed of an ECC computation is indeed faster than FFC. However, you
need to assume that you can trust that the standard curves have not been
heavily pre-computed too.

You may wish to visit 

for an interesting view on ECDH and ECDSA technology.

I am given to understand that NIST is going to be considering EdDSA and
things like Curve25519 and Curve448 in the coming year for release.

The other thing happening is the consideration of using paired curves.
Right now that is not a part of the SSHv2 protocol, but the field
continues to get new research.

	-- Mark
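
The two points above (an estimated security level for a given FFC modulus size, and the safe-prime / large-order-subgroup property) can be checked in a few lines. The following is an added example, not code from the post or from OpenSSH: the strength estimate uses the GNFS-cost formula from NIST SP 800-57 / FIPS 140-2 IG 7.5 rather than whatever method RFC 3526 section 8 used, so its values land near the ones quoted in the post (about 110 bits for 2048, 150 for 4096) but somewhat above 190 for 8192. The Miller-Rabin test, the safe-prime generator and the sample moduli are all constructed here for illustration; the generated sizes are toy sizes, not anything you would deploy.

```python
import math
import random

_rng = random.SystemRandom()  # OS entropy; used only for the toy generator below


def ffc_strength_bits(modulus_bits: int) -> int:
    """Estimated security strength of an FFC (DH/DSA) modulus of modulus_bits bits.

    NIST SP 800-57 / FIPS 140-2 IG 7.5 formula derived from the GNFS running time:
        s = (1.923 * cbrt(L * ln(L)^2) - 4.69) / ln 2,   L = modulus_bits * ln 2
    Returns the estimate rounded to whole bits (2048 -> 110, 4096 -> 150).
    """
    L = modulus_bits * math.log(2)
    s = (1.923 * (L * math.log(L) ** 2) ** (1.0 / 3) - 4.69) / math.log(2)
    return int(round(s))


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (error probability <= 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 = d * 2**r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness: n is composite
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when both p and q = (p - 1) / 2 are prime (smallest is 5)."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def subgroup_order(g: int, p: int) -> int:
    """Multiplicative order of g modulo a safe prime p.

    Because p - 1 = 2q with q prime, the order of any g can only be 1, 2, q or 2q,
    so a generator either lands in the large prime-order subgroup (q) or generates
    the whole group (2q); there is no small subgroup for an attacker to confine
    a peer into, which is the property the post alludes to.
    """
    q = (p - 1) // 2
    for order in (1, 2, q, 2 * q):
        if pow(g, order, p) == 1:
            return order
    raise ValueError("p is not a safe prime or g is not in the group")


def generate_safe_prime(bits: int) -> int:
    """Generate a random safe prime p = 2q + 1 of exactly `bits` bits (toy sizes only).

    The top bit of q is forced so that p has the requested length.
    """
    while True:
        q = _rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


if __name__ == "__main__":
    for size in (1024, 2048, 3072, 4096, 6144, 8192):
        print(f"{size:5d}-bit FFC modulus: ~{ffc_strength_bits(size)} bits of security")
    # Constructed toy modulus: 23 = 2 * 11 + 1 is a safe prime.
    p = 23
    print("23 is a safe prime:", is_safe_prime(p))
    for g in (2, 5, 22):
        print(f"order of {g} mod {p}: {subgroup_order(g, p)}")
    p = generate_safe_prime(64)
    print(f"generated 64-bit safe prime {p}, order of 2 is {subgroup_order(2, p)}")
```

Run it as a script to see the estimate for each RFC 3526 modulus size alongside the subgroup orders of a few generators modulo the toy safe prime 23 (2 has order 11, 5 has order 22, 22 has order 2). For a real group you would pass the actual modulus to `is_safe_prime` and `subgroup_order` instead of the constructed one.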

More information about the openssh-unix-dev mailing list