LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the current recommended parameter sizes for DH, and how do they relate to symmetric key security?

For 128-bit symmetric equivalent security: DH prime $p$ must be ≥ 3072 bits, the subgroup order must be ≥ 250 bits, and ECC requires ≥ 250 bits.

NIST/BSI Parameter Recommendations:

Period Symmetric Factoring/DL Modulus DL Subgroup/ECC Key Elliptic Curve Hash
2020-2022 128 bit 2000 bit 250 bit 250 bit SHA-256+
2023-2026 128 bit 3000 bit 250 bit 250 bit SHA-256+

Key relationships:

  • The prime $p$ (3072 bits) determines resistance against index calculus attacks on the discrete log in $\mathbb{Z}_p^*$
  • The subgroup order $q$ (250 bits) determines resistance against generic attacks (Baby-step Giant-step, Pollard's rho)
  • Both must be large enough — the system is only as strong as its weakest parameter

Why 2048 bits is no longer sufficient:

  • A 2048-bit modulus provides ~112-bit symmetric equivalent security
  • 112 bits is considered marginal for long-term use
  • 3072 bits provides ~128-bit security — the current standard target

Tip: DH with 2048 bits would still be safe for now, but all new implementations should use 3072 bits for future-proofing.

Go deeper:

From Quiz: KRYPTOG / Diffie-Hellman and ElGamal | Updated: Jul 14, 2026