Re: [Cfrg] What groups to use for Diffie Hellman?

Peter Gutmann <> Fri, 28 October 2016 08:37 UTC

From: Peter Gutmann <>
To: Martin Thomson <>, Phillip Hallam-Baker <>
Thread-Topic: [Cfrg] What groups to use for Diffie Hellman?
Date: Fri, 28 Oct 2016 08:37:07 +0000

Martin Thomson <> writes:

>RFC 7919 (and RFC 3526, as Peter points out) haven't been called into question.

Yup, 7919 is fine too, as long as you just use the values and not the rest of
the RFC (as it applies to TLS).  So you could, for example, use the DH-2048s
from either RFC, switching at random, in case one of the two has a problem.

One caveat with 7919 is that the values aren't as widely-used as 3526, so if
you've got something that whitelists/fastpaths 3526 then you'll take a slight
performance hit with the 7919 values.

On a related subject, is there any interest in an RFC that just lists, say,
ten DH parameter sets of various sizes with their generation mechanism to
allow replication?  So no list of things you can and can't do, just the
parameters to use wherever you want.  My code uses Lim-Lee; as long as people
don't object to that, I can generate them by that process.  It'd just mean you'd
need another implementation that can handle verifying primes of the form
'p = 2 * q * ( prime[1] * ... prime[n] ) + 1'.

I'd also supply them as bignums of 32- and 64-bit words, since that's how
they're going to end up in people's code and it'll save lots of developers
having to manually reformat them from whatever form they're otherwise
published in.
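Two things in the message above are concrete enough to show in code: verifying a prime of the Lim-Lee form p = 2 * q * (prime[1] * ... * prime[n]) + 1 from its published factorisation, and packing a parameter into 32- or 64-bit words. The following is an added example written for this archive page; it is not code from the thread, from RFC 3526/7919, or from Peter Gutmann's library. The Miller-Rabin test, the simplified generator (a fixed q with freshly drawn cofactor primes, rather than the full Lim-Lee pool-and-subset construction), and the tiny constructed parameters p = 331, q = 11 are all assumptions made here for illustration, not values from any RFC.

```python
import random

# Small primes used for trial division before Miller-Rabin.
_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probable-prime test with random bases (assumed helper)."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    # Write n - 1 = 2^r * d with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True


def verify_lim_lee(p: int, q: int, factors: list[int]) -> bool:
    """Check the published structure p = 2*q*(f1*...*fn) + 1 and that
    p, q and every listed factor are (probable) primes.  This is what a
    second implementation would need to replicate a published parameter."""
    prod = 1
    for f in factors:
        prod *= f
    if p != 2 * q * prod + 1:
        return False
    if not is_probable_prime(q):
        return False
    if not all(is_probable_prime(f) for f in factors):
        return False
    return is_probable_prime(p)


def subgroup_generator(h: int, p: int, q: int) -> int:
    """Map an arbitrary h into the order-q subgroup: g = h^((p-1)/q) mod p.
    Callers must reject g == 1 (h happened to be a (p-1)/q-th power)."""
    return pow(h, (p - 1) // q, p)


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set (assumed helper)."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_lim_lee(q_bits: int, factor_bits: int, n_factors: int):
    """Simplified Lim-Lee-style generation: fix a prime q, then draw fresh
    cofactor primes until 2*q*(product)+1 is itself prime.  Returns
    (p, q, factors) so the result can be verified with verify_lim_lee."""
    q = random_prime(q_bits)
    while True:
        factors = [random_prime(factor_bits) for _ in range(n_factors)]
        prod = 1
        for f in factors:
            prod *= f
        p = 2 * q * prod + 1
        if is_probable_prime(p):
            return p, q, factors


def to_words(n: int, word_bits: int) -> list[int]:
    """Split a bignum into little-endian words of word_bits (32 or 64),
    the layout most bignum libraries want to consume directly."""
    mask = (1 << word_bits) - 1
    words = []
    while n:
        words.append(n & mask)
        n >>= word_bits
    return words or [0]


def from_words(words: list[int], word_bits: int) -> int:
    """Inverse of to_words, used to check a published word array round-trips."""
    return sum(w << (i * word_bits) for i, w in enumerate(words))


if __name__ == "__main__":
    # Constructed toy parameters: 331 = 2 * 11 * (3 * 5) + 1, all prime.
    print(verify_lim_lee(331, 11, [3, 5]))
    p, q, factors = generate_lim_lee(24, 16, 3)
    print(p.bit_length(), verify_lim_lee(p, q, factors))
    print([hex(w) for w in to_words(p, 32)])
```

The structural check is deliberately separate from the primality test: a verifier that only confirms p is prime has not confirmed that the published q really divides p - 1, which is the property a DH implementation relies on when it restricts to the order-q subgroup.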