[Please don't quote entire messages. It's a good way to make sure your words afterwards get read by far fewer people.] The one precaution I did not take is: (from discussion above) [looking for number of small order] Does the careful choosing of n and g eliminate this problem, or do I need to modify my Diffie-Hellman code to check g^a for short order? How do you check a number for short order? If you wish to use generators mod p, proper choice of the prime will minimize the problem; the generator has nothing to do with it. All generators are symmetric, or, more precisely, the automorphism group takes each generator to every other. Picking the prime p so that p=2q+1 and q prime will reduce the number of elements with small order to 2, namely 1 and -1. In the more general case, let p=kq+1, where q is the large prime factor of p-1 necessary for security. Now the order of an element x must divide p-1, so if it's not of order q or larger, i.e. safe, then it must be of order k. So calculate x^k (mod p) and see if it's equal to 1. If it is, then x has small order. On the other hand, the tests for small order can be minimized by using a generator of the subgroup of size q inside the group mod p, rather than a generator of the full group. Let p=kq+1 and let g be a generator of Z/pZ (notation for the group of integers modulo p). Then g^k has order q in Z/pZ. Since g generates the group, kq is the smallest positive integer t such that g^t = 1 (mod p). g^(kq) = (g^k)^q, so g^k has order q. Now if you use h=g^k as the base for the D-H exchange, the only h^x with small order happens when x=0. One can simply make the range of the random numbers from 1 to q-1. Because h has order q, and since q is prime, every h^x except x=0 will also have order q. Therefore there are no "bad" values for x. They have been removed by construction in advance. Eric