Re: [Cfrg] One question about MODP: the structure of DLP prime in a finite field

Nasrul Zikri <nasrulzikri@outlook.com> Wed, 20 November 2019 05:51 UTC

From: Nasrul Zikri <nasrulzikri@outlook.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Wed, 20 Nov 2019 05:51:13 +0000
Message-ID: <PU1PR01MB19472DD1575F50D48FA82646A84C0@PU1PR01MB1947.apcprd01.prod.exchangelabs.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KkeTLajXKeBWVV3_OCPQ2Ih_lsU>
Subject: Re: [Cfrg] One question about MODP: the structure of DLP prime in a finite field

Hello Guilin,

The parameters from RFC 3526 have been added to by other RFCs (RFC 5114, RFC 7919). I think that Groups 23 and 24 (from RFC 5114) may give you the structure you want. Group 23 describes a 2048-bit MODP Group with a 224-bit Prime Order Subgroup, and Group 24 describes a 2048-bit MODP Group with a 256-bit Prime Order Subgroup.

For Group 24, the hexadecimal value of the prime is:

   p = 87A8E61D B4B6663C FFBBD19C 65195999 8CEEF608 660DD0F2
       5D2CEED4 435E3B00 E00DF8F1 D61957D4 FAF7DF45 61B2AA30
       16C3D911 34096FAA 3BF4296D 830E9A7C 209E0C64 97517ABD
       5A8A9D30 6BCF67ED 91F9E672 5B4758C0 22E0B1EF 4275BF7B
       6C5BFC11 D45F9088 B941F54E B1E59BB8 BC39A0BF 12307F5C
       4FDB70C5 81B23F76 B63ACAE1 CAA6B790 2D525267 35488A0E
       F13C6D9A 51BFA4AB 3AD83477 96524D8E F6A167B5 A41825D9
       67E144E5 14056425 1CCACB83 E6B486F6 B3CA3F79 71506026
       C0B857F6 89962856 DED4010A BD0BE621 C3A3960A 54E710C3
       75F26375 D7014103 A4B54330 C198AF12 6116D227 6E11715F
       693877FA D7EF09CA DB094AE9 1E1A1597

   The hexadecimal value of the generator is:

   g = 3FB32C9B 73134D0B 2E775066 60EDBD48 4CA7B18F 21EF2054
       07F4793A 1A0BA125 10DBC150 77BE463F FF4FED4A AC0BB555
       BE3A6C1B 0C6B47B1 BC3773BF 7E8C6F62 901228F8 C28CBB18
       A55AE313 41000A65 0196F931 C77A57F2 DDF463E5 E9EC144B
       777DE62A AAB8A862 8AC376D2 82D6ED38 64E67982 428EBC83
       1D14348F 6F2F9193 B5045AF2 767164E1 DFC967C1 FB3F2E55
       A4BD1BFF E83B9C80 D052B985 D182EA0A DB2A3B73 13D3FE14
       C8484B1E 052588B9 B7D2BBD2 DF016199 ECD06E15 57CD0915
       B3353BBB 64E0EC37 7FD02837 0DF92B52 C7891428 CDC67EB6
       184B523D 1DB246C3 2F630784 90F00EF8 D647D148 D4795451
       5E2327CF EF98C582 664B4C0F 6CC41659

   The generator generates a prime-order subgroup of size:

   q = 8CF83642 A709A097 B4479976 40129DA2 99B1A47D 1EB3750B
       A308B0FE 64F5FBD3

I hope this is helpful.

Tk,
Nasrul



> Dear everyone,
>
> Highly appreciate if anyone can help on the following question.
>
> RFC 3526 (https://tools.ietf.org/html/rfc3526) offers a number of DLP parameters in a finite field. An example is group ID 14; its detailed specification is copied below.
>
> =========================
> This group is assigned id 14.
>
>    This prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }
>
>    Its hexadecimal value is:
>       FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
>       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
>       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
>       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
>       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
>       C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
>       83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
>       670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
>       E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
>       DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
>       15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
>
>    The generator is: 2.
> =========================
>
> The question is: What is the structure or factors of prime p-1, where the value of p is given above? Also, if we do not know the factors of p-1, it is risky to just use g=2 as a generator, as the order of 2 could be quite small. In RFC 3526, the suggested exponent size for group ID 14 is 220 bits or more.
>
> My real reason to ask this question is: We want to test SPEKE (a PAKE protocol) by using group ID 14. However, to run SPEKE, we need to know a prime factor q of p-1, i.e. (p-1)=qk, where k is an integer. Ideally, the bit length of q is between 220 and 256. Once we know such a prime factor q for p-1, then both client and server in SPEKE can calculate a generator something like g=(H(pw, salt))^k. Then, they can run DH key exchange normally by using g.
>
> So, the difficulty here is: Without knowing the factors of p-1 in group ID 14, it seems not possible to generate such a generator g in SPEKE.
>
> Thanks in advance,
>
> Guilin
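As an added example (not part of either message and not code from any RFC), the Python below runs the parameter checks a peer should perform before trusting a (p, g, q) triple against the RFC 5114 group 24 values Nasrul quotes and the RFC 3526 group 14 prime from Guilin's question: that p and q are probable primes, that q divides p-1, and that g has order q. For group 14 it is run with q = (p-1)/2, which tests the structure of p-1 Guilin asks about (p-1 = 2 times a prime, with 2 lying in that prime-order subgroup). It also sketches the cofactor step Guilin describes, mapping a hashed (password, salt) value into the order-q subgroup by raising it to k = (p-1)/q; the SHA-256 hash-to-element step, the password and the salt are constructed stand-ins, not the SPEKE specification.

```python
# Added example (not from the thread or any RFC): local sanity checks for the
# MODP parameters quoted above.  Hex values are copied from the messages; the
# password/salt values and the hash-to-element step are constructed stand-ins.
import hashlib
import random


def from_hex(words: str) -> int:
    """Parse RFC-style whitespace-separated hex into an int."""
    return int("".join(words.split()), 16)


# RFC 5114 group 24: 2048-bit p, generator g of a 256-bit prime-order subgroup q
P24 = from_hex("""87A8E61D B4B6663C FFBBD19C 65195999 8CEEF608 660DD0F2 5D2CEED4 435E3B00
    E00DF8F1 D61957D4 FAF7DF45 61B2AA30 16C3D911 34096FAA 3BF4296D 830E9A7C
    209E0C64 97517ABD 5A8A9D30 6BCF67ED 91F9E672 5B4758C0 22E0B1EF 4275BF7B
    6C5BFC11 D45F9088 B941F54E B1E59BB8 BC39A0BF 12307F5C 4FDB70C5 81B23F76
    B63ACAE1 CAA6B790 2D525267 35488A0E F13C6D9A 51BFA4AB 3AD83477 96524D8E
    F6A167B5 A41825D9 67E144E5 14056425 1CCACB83 E6B486F6 B3CA3F79 71506026
    C0B857F6 89962856 DED4010A BD0BE621 C3A3960A 54E710C3 75F26375 D7014103
    A4B54330 C198AF12 6116D227 6E11715F 693877FA D7EF09CA DB094AE9 1E1A1597""")
G24 = from_hex("""3FB32C9B 73134D0B 2E775066 60EDBD48 4CA7B18F 21EF2054 07F4793A 1A0BA125
    10DBC150 77BE463F FF4FED4A AC0BB555 BE3A6C1B 0C6B47B1 BC3773BF 7E8C6F62
    901228F8 C28CBB18 A55AE313 41000A65 0196F931 C77A57F2 DDF463E5 E9EC144B
    777DE62A AAB8A862 8AC376D2 82D6ED38 64E67982 428EBC83 1D14348F 6F2F9193
    B5045AF2 767164E1 DFC967C1 FB3F2E55 A4BD1BFF E83B9C80 D052B985 D182EA0A
    DB2A3B73 13D3FE14 C8484B1E 052588B9 B7D2BBD2 DF016199 ECD06E15 57CD0915
    B3353BBB 64E0EC37 7FD02837 0DF92B52 C7891428 CDC67EB6 184B523D 1DB246C3
    2F630784 90F00EF8 D647D148 D4795451 5E2327CF EF98C582 664B4C0F 6CC41659""")
Q24 = from_hex("8CF83642 A709A097 B4479976 40129DA2 99B1A47D 1EB3750B A308B0FE 64F5FBD3")

# RFC 3526 group 14: 2048-bit p, generator 2 (quoted in the original question)
P14 = from_hex("""FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
    020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
    4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
    EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
    98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
    9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
    E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
    3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF""")
G14 = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; a fixed-seed RNG picks the bases so results are reproducible."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0xC0FFEE)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True


def check_group(p: int, g: int, q: int) -> dict:
    """Checks to run before trusting (p, g, q): primality, q | p-1, and g of order q."""
    return {
        "p_prime": is_probable_prime(p),
        "q_prime": is_probable_prime(q),
        "q_divides_p_minus_1": (p - 1) % q == 0,
        "g_in_range": 1 < g < p - 1,
        "g_has_order_q": pow(g, q, p) == 1,  # q prime and g != 1 pins the order to exactly q
    }


def in_subgroup(p: int, q: int, y: int) -> bool:
    """Membership test for the order-q subgroup; rejects 0, 1 and out-of-range values."""
    return 1 < y < p and pow(y, q, p) == 1


def to_subgroup(p: int, q: int, x: int):
    """Raise x to the cofactor k = (p-1)/q so the result lies in the order-q subgroup.
    Returns None when the result is the identity, which a caller must reject as a base."""
    y = pow(x, (p - 1) // q, p)
    return None if y == 1 else y


def derive_base(p: int, q: int, password: bytes, salt: bytes):
    """Sketch of the step Guilin describes: hash (password, salt) to a field element,
    then cofactor-exponentiate it.  The SHA-256 mapping is a stand-in, not SPEKE."""
    x = 2 + int.from_bytes(hashlib.sha256(salt + password).digest(), "big") % (p - 3)
    return to_subgroup(p, q, x)
```

`check_group(P24, G24, Q24)` and `check_group(P14, G14, (P14 - 1) // 2)` both return all-True dictionaries, so group 14 can be used with q = (p-1)/2; `derive_base` then yields an element that passes `in_subgroup`, while an arbitrary field element such as 12345 does not until it has been raised to the cofactor.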