Re: [Cfrg] What groups to use for Diffie Hellman?

jonas weber <> Mon, 31 October 2016 02:13 UTC


In your last post on this topic you write:
On a related subject, is there any interest in an RFC that just lists, say,
ten DH parameter sets of various sizes with their generation mechanism to
allow replication?  So no list of things you can and can't do, just the
parameters to use wherever you want.  My code uses Lim-Lee, as long as people
don't object to that I can generate them by that process, it'd just mean you'd
need another implementation that can handle verifying primes of the form
'p = 2 * q * ( prime[1] * ... * prime[n] ) + 1'.

I'd also supply them as bignums of 32- and 64-bit words, since that's how
they're going to end up in people's code and it'll save lots of developers
having to manually reformat them from whatever form they're otherwise
published in.

Given the uncertainty over the RFC-5114 groups, I believe it would be helpful to have an RFC with a list of primes as you describe. Many of us use shorter exponents to save computation and having a list of verifiable primes would be useful, particularly if they could be registered for use in IKE and TLS.
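The following is an added example, not part of this message or of the CFRG thread. It shows what the verifier the quoted post describes would have to do for a prime of the form p = 2 * q * (prime[1] * ... * prime[n]) + 1: recompute p from the published factors, primality-test each factor, derive an order-q generator, and, since short exponents are mentioned, validate a peer's public value against the order-q subgroup. It also splits the modulus into 32- or 64-bit words as suggested. The toy parameters (p = 419, q = 11, cofactor 19), the generation routine and the requirement that each cofactor be at least as large as q (the Lim-Lee sizing, taken here as an assumption) are constructed for illustration; nothing below is a published parameter set.

```python
"""Added example: verify a Lim-Lee style DH prime p = 2*q*(c_1*...*c_n) + 1
from its factorization, derive an order-q generator, validate peer values,
and emit the modulus as machine words. Toy values are constructed here."""
import math
import random

_RNG = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # found a witness for compositeness
    return True


def verify_lim_lee(p: int, q: int, cofactors: list[int]) -> bool:
    """A verifier needs only p, q and the cofactor primes. Assumption (Lim-Lee
    sizing): every cofactor is at least as large as q, so the only small
    subgroup of Z_p^* is the one of order 2."""
    if p != 2 * q * math.prod(cofactors) + 1:
        return False
    if not (is_probable_prime(q) and is_probable_prime(p)):
        return False
    return all(c >= q and is_probable_prime(c) for c in cofactors)


def subgroup_generator(p: int, q: int, h: int = 2) -> int:
    """g = h^((p-1)/q) mod p for the first h giving g != 1; g then has order q."""
    while True:
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return g
        h += 1


def validate_peer_value(y: int, p: int, q: int) -> bool:
    """Reject y outside (1, p-1) or outside the order-q subgroup. With short
    private exponents this is what stops a peer from learning exponent bits
    by sending a value of small order (p-1 has order 2, for instance)."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def generate_lim_lee(q_bits: int, n_cofactors: int) -> tuple[int, int, list[int]]:
    """Generate (p, q, cofactors); cofactors get q_bits+1 bits so each exceeds q.
    A published set would drive this from a fixed seed and a specified PRNG so
    others can replicate it; SystemRandom here is only for a local demo."""
    def rand_prime(bits: int) -> int:
        while True:
            c = _RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(c):
                return c

    while True:
        q = rand_prime(q_bits)
        cofactors = [rand_prime(q_bits + 1) for _ in range(n_cofactors)]
        p = 2 * q * math.prod(cofactors) + 1
        if is_probable_prime(p):
            return p, q, cofactors


def to_words(n: int, word_bits: int) -> list[int]:
    """Split n into little-endian words of word_bits bits (32 or 64)."""
    mask = (1 << word_bits) - 1
    words = []
    while n:
        words.append(n & mask)
        n >>= word_bits
    return words or [0]


if __name__ == "__main__":
    # Constructed toy instance: 419 = 2 * 11 * 19 + 1, cofactor 19 >= q = 11.
    P, Q, COFS = 419, 11, [19]
    g = subgroup_generator(P, Q)
    print("toy group verifies:", verify_lim_lee(P, Q, COFS), "g =", g)
    p, q, cofs = generate_lim_lee(40, 2)
    print(p.bit_length(), "bit p verifies:", verify_lim_lee(p, q, cofs))
    print("64-bit words:", [hex(w) for w in to_words(p, 64)])
```

The primality test is probabilistic; a verifier checking a published list would want to fix its bases or accompany the factorization with primality certificates, and the generation step would have to be driven by the seed and PRNG the RFC specifies rather than the system RNG used here.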