Re: [Cfrg] What groups to use for Diffie Hellman?

Phillip Hallam-Baker <> Mon, 31 October 2016 18:45 UTC

To: Peter Gutmann <>
Cc: jonas weber <>

The way I got suckered into RFC5441 is that it is the only RFC that appears
to be consistent with RFC2631 on how to do DH:

I see the following ways forward:

1) Update RFC2631 to say use of a short exponent is OK, and then kill

2) Do a draft consistent with RFC2631 that has rigid construction and kill

3) Both.

I don't really mind which.

As far as the rigidity issue goes, I see the following hazards to avoid:

1) An attacker is one of a small circle that knows a set of parameters to
be weak and steers the group towards them.

2) An attacker constructs a set of parameters in such a way that they
contain what is in effect a backdoor that can only be used by a party that
knows the secret of the construction.

Our current approaches to rigidity are only designed to address the second
case. There really isn't a way to address the first. It is quite possible,
likely even, that fast primes also speed up attacks. They might even make
whole classes of attack possible or they might not.

A process that is based on H("DH2048") for a seed might or might not result
in a choice of weak parameters but it does mean that there isn't a hidden

Based on my conversations with NSA folk, the governing doctrine is 'NOBUS',
nobody but us. Introducing a weakness that only the NSA could exploit with
hidden knowledge nobody else could discover independently is one thing.
Developing a system with a hole anyone can find if they look long enough is
not acceptable.
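The seed-derived "rigid" parameter construction mentioned in the message above, worked through as an added example that is not part of the original post or of any RFC: the candidate subgroup order q is expanded from H(label || counter) with SHA-256, p = 2q + 1 is required to be a safe prime, and anyone holding the label and the counter can recompute the group and confirm that no other choice was hidden in it. The label "DH2048", the SHA-256 counter-mode expansion, the bit size, the fixed generator g = 4 and the Miller-Rabin parameters are all assumptions made here for illustration; the default bit size is kept small so the search finishes in well under a second, and the same code generates larger groups by changing the `bits` argument.

```python
import hashlib
import random
from collections import namedtuple

# Assumed example construction: not the author's code and not any standard's.
# Group parameters: p = 2q + 1 (safe prime), g an element of the order-q subgroup,
# counter = how many seed-derived candidates were rejected before p was found.
DHGroup = namedtuple("DHGroup", "p q g counter")


def _small_primes(limit=2000):
    """Primes below `limit` for cheap trial division before Miller-Rabin."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, v in enumerate(sieve) if v]


SMALL_PRIMES = _small_primes()


def is_probable_prime(n, rounds=40):
    """Trial division, then Miller-Rabin with random bases (bases drawn from
    the OS RNG; a prime always passes, so the search result stays deterministic)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def candidate_q(label, counter, bits):
    """Expand SHA-256(label || counter || block_index) into a (bits-1)-bit odd
    integer with its top bit set, so that p = 2q + 1 has exactly `bits` bits.
    This expansion is an assumed example construction, not a standardized one."""
    seed = label.encode("ascii") + counter.to_bytes(4, "big")
    out = b""
    block = 0
    while len(out) * 8 < bits - 1:
        out += hashlib.sha256(seed + block.to_bytes(4, "big")).digest()
        block += 1
    q = int.from_bytes(out, "big") >> (len(out) * 8 - (bits - 1))
    q |= (1 << (bits - 2)) | 1  # force top bit and oddness
    return q


def generate_group(label="DH2048", bits=128):
    """Walk the seed-derived candidate sequence until p = 2q + 1 is a safe prime.
    The first safe prime in the sequence is the group; nothing else is chosen."""
    counter = 0
    while True:
        q = candidate_q(label, counter, bits)
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            g = pow(2, 2, p)  # a square != 1 mod p lies in the order-q subgroup
            assert pow(g, q, p) == 1
            return DHGroup(p, q, g, counter)
        counter += 1


def verify_group(group, label="DH2048", bits=128):
    """Independent check a relying party can run: recompute the candidate from the
    public label and counter, confirm it matches and that p is a safe prime,
    that no earlier counter value already produced a safe prime, and that g
    generates the order-q subgroup."""
    q = candidate_q(label, group.counter, bits)
    if group.p != 2 * q + 1 or group.q != q or group.p.bit_length() != bits:
        return False
    if not (is_probable_prime(q) and is_probable_prime(group.p)):
        return False
    for earlier in range(group.counter):  # the published counter must be the first hit
        eq = candidate_q(label, earlier, bits)
        if is_probable_prime(eq) and is_probable_prime(2 * eq + 1):
            return False
    return group.g not in (1, group.p - 1) and pow(group.g, q, group.p) == 1


if __name__ == "__main__":
    grp = generate_group("DH2048", 256)
    print("p   =", hex(grp.p))
    print("g   =", grp.g, " counter =", grp.counter)
    print("ok  =", verify_group(grp, "DH2048", 256))
```

The verification step is the whole point of the construction: it cannot tell whether the resulting prime happens to be weak (the first hazard in the message), but it does rule out the second, because a party who wanted a trapdoored p would have to find it at the first safe-prime position of a public hash sequence.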