Quiz Entry - updated: 2026.07.14
What are the current recommended parameter sizes for DH, and how do they relate to symmetric key security?
For 128-bit symmetric equivalent security: DH prime $p$ must be ≥ 3072 bits, the subgroup order must be ≥ 250 bits, and ECC requires ≥ 250 bits.
NIST/BSI Parameter Recommendations:
| Period | Symmetric | Factoring/DL Modulus | DL Subgroup/ECC Key | Elliptic Curve | Hash |
|---|---|---|---|---|---|
| 2020-2022 | 128 bit | 2000 bit | 250 bit | 250 bit | SHA-256+ |
| 2023-2026 | 128 bit | 3000 bit | 250 bit | 250 bit | SHA-256+ |
Key relationships:
- The prime $p$ (3072 bits) determines resistance against index calculus attacks on the discrete log in $\mathbb{Z}_p^*$
- The subgroup order $q$ (250 bits) determines resistance against generic attacks (Baby-step Giant-step, Pollard's rho)
- Both must be large enough — the system is only as strong as its weakest parameter
Why 2048 bits is no longer sufficient:
- A 2048-bit modulus provides ~112-bit symmetric equivalent security
- 112 bits is considered marginal for long-term use
- 3072 bits provides ~128-bit security — the current standard target
Tip: DH with 2048 bits would still be safe for now, but all new implementations should use 3072 bits for future-proofing.
Go deeper:
RFC 7919 — Negotiated finite-field DH groups for TLS — standardised safe DH parameters and their strengths.
Key size — Wikipedia — the symmetric-to-asymmetric equivalence tables.