IETF Logo Mail Archive

Re: [86attendees] Pie?

Tero Kivinen <kivinen@iki.fi> Thu, 14 March 2013 15:02 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: 86attendees@ietfa.amsl.com
Delivered-To: 86attendees@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68E6B11E8142 for <86attendees@ietfa.amsl.com>; Thu, 14 Mar 2013 08:02:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oCwuSwKs+sO7 for <86attendees@ietfa.amsl.com>; Thu, 14 Mar 2013 08:02:49 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEDEF11E820F for <86attendees@ietf.org>; Thu, 14 Mar 2013 08:02:45 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id r2EF1Lve029539 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 14 Mar 2013 17:01:21 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id r2EF1KK6028046; Thu, 14 Mar 2013 17:01:21 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20801.58944.846117.787676@fireball.kivinen.iki.fi>
Date: Thu, 14 Mar 2013 17:01:20 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Stephane Bortzmeyer <bortzmeyer+ietf@nic.fr>
In-Reply-To: <20130314143540.GA16749@laperouse.bortzmeyer.org>
References: <CAPRuP3nnSCr5Wd42RsEPOxPLr-9323Bp_juL8GwhUe5sXMj03Q@mail.gmail.com> <E1UG92n-00067N-00@www.xplot.org> <20130314143540.GA16749@laperouse.bortzmeyer.org>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 11 min
X-Total-Time: 13 min
Cc: "86attendees@ietf.org" <86attendees@ietf.org>
Subject: Re: [86attendees] Pie?
X-BeenThere: 86attendees@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <86attendees.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/86attendees>, <mailto:86attendees-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/86attendees>
List-Post: <mailto:86attendees@ietf.org>
List-Help: <mailto:86attendees-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/86attendees>, <mailto:86attendees-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2013 15:02:51 -0000

Stephane Bortzmeyer writes:
> > If you're not already aware of this, read the Tau Manifesto 
> 
> I'm not sure it has practical consequences for the IETF. Is there even
> one RFC which uses the number Pi? ("pi" in RFC 2865 is a different
> beast)

Almost all of our security protocols doing Diffie-Hellman uses Pi. For
example RFCs 2409, 2412, 2539, 2786, 3526, 4306, 4535, 5054, 5201, and
5996. And of course all documents referencing to those RFCs.

Just using grep and searching first 32 bits of PI in hex gives that
list... 

> fgrep -li 'C90FDAA2' rfc*.txt
rfc2409.txt
rfc2412.txt
rfc2539.txt
rfc2786.txt
rfc3526.txt
rfc4306.txt
rfc4535.txt
rfc5054.txt
rfc5201.txt
rfc5683.txt
rfc5996.txt

>From 2412 you can find reason for that:

----------------------------------------------------------------------
APPENDIX E The Well-Known Groups
...
   Classical Diffie-Hellman Modular Exponentiation Groups

   The primes for groups 1 and 2 were selected to have certain
   properties.  The high order 64 bits are forced to 1.  This helps the
   classical remainder algorithm, because the trial quotient digit can
   always be taken as the high order word of the dividend, possibly +1.
   The low order 64 bits are forced to 1.  This helps the Montgomery-
   style remainder algorithms, because the multiplier digit can always
   be taken to be the low order word of the dividend.  The middle bits
   are taken from the binary expansion of pi.  This guarantees that they
   are effectively random, while avoiding any suspicion that the primes
   have secretly been selected to be weak.

   Because both primes are based on pi, there is a large section of
   overlap in the hexadecimal representations of the two primes.  The
   primes are chosen to be Sophie Germain primes (i.e., (P-1)/2 is also
   prime), to have the maximum strength against the square-root attack
   on the discrete logarithm problem.

   The starting trial numbers were repeatedly incremented by 2^64 until
   suitable primes were located.

   Because these two primes are congruent to 7 (mod 8), 2 is a quadratic
   residue of each prime.  All powers of 2 will also be quadratic
   residues.  This prevents an opponent from learning the low order bit
   of the Diffie-Hellman exponent (AKA the subgroup confinement
   problem).  Using 2 as a generator is efficient for some modular
   exponentiation algorithms.  [Note that 2 is technically not a
   generator in the number theory sense, because it omits half of the
   possible residues mod P.  From a cryptographic viewpoint, this is a
   virtue.]
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email