Re: [Cfrg] What groups to use for Diffie Hellman?

Peter Gutmann <> Mon, 31 October 2016 10:07 UTC

From: Peter Gutmann <>
To: jonas weber <>, "" <>
Date: Mon, 31 Oct 2016 10:07:32 +0000

jonas weber <> writes:

>Given the uncertainty over the RFC-5114 groups, I believe it would be helpful
>to have an RFC with a list of primes as you describe. Many of us use shorter
>exponents to save computation and having a list of verifiable primes would be
>useful, particularly if they could be registered for use in IKE and TLS.

I've been having a discussion about this off-list, may as well make it public
if others are interested... the main issue is how to generate the values,
presumably you'd want safe primes (so p = 2q + 1), g = 2 for efficiency, and
some NUMS source for the primes.  One suggestion was PBKDF2( "DH 2048" ),
PBKDF2( "DH 1024" ), etc. as the seed value and then some deterministic way to
get from there to the final prime.  And maybe pseudocode so anyone can
replicate it using whatever bignum library they prefer (rather than, say,
"plug the following formula into Mathematica").  How NUMS does it have to get?
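One way to fill in the "deterministic way to get from the seed to the final prime" step, written as an added Python example for this archive page and not code from the thread or from any RFC: the seed is PBKDF2-HMAC-SHA256 over the label "DH <bits>" as suggested above, candidates for q are expanded from seed||counter with SHA-256, and the first counter that yields a safe prime p = 2q+1 is published with p so anyone can re-run the search. The salt, iteration count, the counter-mode expansion and the restriction to p ≡ 7 (mod 8) (which makes g = 2 generate the order-q subgroup rather than the full group) are my assumptions, not something the email specifies.

```python
import hashlib
import secrets

# Assumed for this example (the email only names PBKDF2("DH <bits>") as the seed):
SALT, ITERATIONS = b"CFRG NUMS safe prime", 100_000

def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True

def candidate_q(seed, counter, bits):
    """Expand seed||counter via SHA-256 in counter mode into a (bits-1)-bit q with
    q = 3 (mod 4), so p = 2q+1 = 7 (mod 8) and g = 2 generates the order-q subgroup."""
    out = b"".join(hashlib.sha256(seed + counter.to_bytes(4, "big") + i.to_bytes(4, "big")).digest()
                   for i in range((bits + 255) // 256))
    q = int.from_bytes(out, "big") % (1 << (bits - 1))
    return q | (1 << (bits - 2)) | 3  # exact bit length, odd, q = 3 (mod 4)

def nums_safe_prime(bits):
    """Return (p, q, counter) for the first safe prime p = 2q+1 reachable from the seed.
    Publishing `counter` with p lets anyone re-run the search and verify the result."""
    seed = hashlib.pbkdf2_hmac("sha256", f"DH {bits}".encode(), SALT, ITERATIONS, 32)
    counter = 0
    while True:
        q = candidate_q(seed, counter, bits)
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q, counter
        counter += 1
```

At 2048 bits the search takes a long time in pure Python; small sizes such as 64 bits exercise the same logic in well under a second.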