On Fri, 2013-12-06 at 23:31 +0100, Niels Möller wrote:
The second modular exponentiation (B'^A mod p) would be similarly faster. Both of these factors seem like they might be significant in a TLS endpoint that terminates many DHE sessions per second, but I haven't profiled them.
Could well be. I'd like to hear what Nikos says about this.
Yes, this is the reason I used this format for primes in gnutls. Other implementations use a prime that, as you suggested, has a very large prime factor of p-1 (comparable to p), and then select their key with a size based on a security parameter (e.g. 256 bits). Both cases are considered secure, but I find the former format and usage of the group more elegant.
To make things interesting, in TLS the client has no information on the construction of p (or the order of g), so it has to select a 1<x<p-1, which makes his computation a bit slower.
regards, Nikos
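The two group styles discussed in this message, as an added example that is not gnutls code and not part of the thread: style (A) builds p = 2kq + 1 with a subgroup order q of 2*security bits, so a server that knows q picks x uniformly in [1, q); style (B) uses a safe prime p = 2q + 1 and a short exponent sized by the security parameter. In both, the client, which only sees (p, g), draws 1 < x < p-1 over the full range, and its exponent bit length (the cost of the second modular exponentiation) is what the return values compare. The function names, the 256-bit toy modulus, the 80-bit security parameter and the seeded RNG are all assumptions made for this illustration; sizes this small are not for real use.

```python
"""Toy comparison of DH exponent sizes: (A) server knows subgroup order q,
(B) safe prime with short exponent, versus a client using the full range.
Constructed example with toy parameter sizes; seeded RNG for reproducibility."""
import random

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n, rng, rounds=24):
    """Trial division, then Miller-Rabin with random bases from rng."""
    if n < 2:
        return False
    if n == 2 or n in SMALL_PRIMES:
        return True
    if n % 2 == 0 or any(n % sp == 0 for sp in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random probable prime with exactly `bits` bits."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng):
            return c


def subgroup_style_group(p_bits, sec_bits, rng):
    """Style (A): p = 2*k*q + 1 with q of 2*sec_bits bits; g generates the order-q subgroup."""
    q_bits = 2 * sec_bits
    q = random_prime(q_bits, rng)
    while True:
        k = rng.getrandbits(p_bits - q_bits - 1) | (1 << (p_bits - q_bits - 2))
        p = 2 * k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p, rng):
            break
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)   # lands in the order-q subgroup unless it is 1
        if g != 1:
            return p, q, g
        h += 1


def safe_prime_group(p_bits, rng):
    """Style (B): p = 2q + 1 with q prime; g = 4 is a square, hence of order q."""
    while True:
        q = random_prime(p_bits - 1, rng)
        p = 2 * q + 1
        if is_probable_prime(p, rng):
            return p, q, 4


def server_private_known_q(q, rng):
    """Server knows the subgroup order: uniform x in [1, q)."""
    return rng.randrange(1, q)


def server_private_short(q, sec_bits, rng):
    """Safe-prime variant: exponent of 2*sec_bits bits (e.g. 256 for 128-bit security)."""
    e_bits = min(2 * sec_bits, q.bit_length() - 1)
    return rng.randrange(1 << (e_bits - 1), 1 << e_bits)


def client_private(p, rng):
    """Client sees only (p, g): it must draw 1 < x < p-1, the full range."""
    return rng.randrange(2, p - 1)


def validate_public(y, p, q=None):
    """Range check always; subgroup-membership check only when q is known."""
    if not 1 < y < p - 1:
        return False
    return q is None or pow(y, q, p) == 1


def exchange(p, q, g, xs, xc):
    """Run one DHE exchange; return (secrets agree, server exp bits, client exp bits)."""
    ys, yc = pow(g, xs, p), pow(g, xc, p)
    assert validate_public(yc, p, q)   # server knows q: full subgroup check
    assert validate_public(ys, p)      # client knows only p: range check
    ks, kc = pow(yc, xs, p), pow(ys, xc, p)
    return ks == kc, xs.bit_length(), xc.bit_length()


def demo(seed=2013, p_bits=256, sec_bits=80):
    rng = random.Random(seed)  # seeded for a reproducible demo, not for real keys
    p, q, g = subgroup_style_group(p_bits, sec_bits, rng)
    a = exchange(p, q, g, server_private_known_q(q, rng), client_private(p, rng))
    p, q, g = safe_prime_group(p_bits, rng)
    b = exchange(p, q, g, server_private_short(q, sec_bits, rng), client_private(p, rng))
    return a, b


if __name__ == "__main__":
    print(demo())
```

In both styles the server's exponent is about 2*sec_bits long while the client's is about as long as p, which is the asymmetry the message points at: the short exponent is sound only on the side that knows the group's construction, and the same knowledge is what lets that side run the subgroup-membership check on the peer's public value.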