In the x942 draft we presently specify that in some instances of
ephemeral-static Diffie-Hellman, public key validation does not need to be
performed; but for static-static Diffie-Hellman, public key validation is
needed. I would like to call to the group's attention another option. If
the prime p is chosen so that p-1=2*q*r where r is a product of large
(greater than 160 bits) primes then the "small subgroup" attacks are not a
concern here (except for the possible loss of 1 bit of the private key).
Perhaps we could specify this as another option for those situations that
require resistance to these attacks.
If we did decide to allow this option, we would then have to specify how to
choose the prime to be of this form. We could either change the prime
generation algorithm, or we could specify that the prime generation algorithm
should be run enough times until this condition is met.
This is just the Lim-Lee algorithm, which is already defined fairly clearly,
so it wouldn't be hard to include it. I'd be quite keen on this option since
it avoids using the (unnecessarily complex) FIPS 186 kosherizer, and has, as
you point out, some useful properties (it may also be faster, has anyone
compared it to the kosherizer for speed?). One possible downside is that it's
not so easy to generate a prime of exactly n bits, but I can't see why this
would be a drawback.
Peter.
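An added, toy-sized illustration of the construction discussed above (my own code, not from the x942 draft or either poster): it searches for p = 2*q*r + 1 with r a product of large primes by repeated trial, as the first message suggests, then shows that the only subgroup orders below the factor size are 1 and 2, so a confined public key can leak at most the parity bit of the private exponent. Bit sizes, seed and function names are assumptions chosen so the search runs in well under a second.

```python
import random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (adequate for an illustration)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    """Random prime of exactly `bits` bits (top and low bits forced to 1)."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def lim_lee_prime(q_bits, factor_bits, n_factors, seed=1):
    """Lim-Lee style search: fix q, draw r = f1*...*fn from large primes, and
    retry until p = 2*q*r + 1 is prime. Returns (p, q, [f1, ..., fn]).
    Note p's bit length is not controlled exactly, as the reply points out."""
    rng = random.Random(seed)  # assumed: fixed seed so the example is reproducible
    q = random_prime(q_bits, rng)
    while True:
        factors = [random_prime(factor_bits, rng) for _ in range(n_factors)]
        r = 1
        for f in factors:
            r *= f
        p = 2 * q * r + 1
        if is_probable_prime(p):
            return p, q, factors

def subgroup_orders_below(q, factors, bound):
    """Divisors of p-1 = 2*q*r below `bound`: the only orders an attacker can
    confine a public key to, hence a bound on what a small-subgroup attack learns."""
    divisors = {1}
    for prime in [2, q] + factors:
        divisors |= {d * prime for d in divisors}
    return sorted(d for d in divisors if d < bound)

def order2_leak(p, private_key):
    """The order-2 element p-1 (= -1 mod p) raised to x reveals only x's parity."""
    return pow(p - 1, private_key, p) == p - 1  # True iff private_key is odd
```

Run with, e.g., `lim_lee_prime(24, 20, 3)`: every odd prime factor of p-1 is at least 20 bits, so `subgroup_orders_below(q, factors, 2 ** 19)` is just `[1, 2]`, matching the "loss of 1 bit" caveat in the first message.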