Re: [Cfrg] Question about primes of special form and the NFS
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 01 April 2014 20:38 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 077391A09CA for <cfrg@ietfa.amsl.com>; Tue, 1 Apr 2014 13:38:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uspJgPvlCYD3 for <cfrg@ietfa.amsl.com>; Tue, 1 Apr 2014 13:38:08 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 4161E1A06BC for <cfrg@irtf.org>; Tue, 1 Apr 2014 13:38:08 -0700 (PDT)
Received: from [10.255.96.244] (unknown [24.139.127.47]) by che.mayfirst.org (Postfix) with ESMTPSA id 3D363F989; Tue, 1 Apr 2014 16:38:01 -0400 (EDT)
Message-ID: <533B1EC3.8060609@fifthhorseman.net>
Date: Tue, 01 Apr 2014 16:17:07 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.3.0
MIME-Version: 1.0
To: Samuel Neves <sneves@dei.uc.pt>, Watson Ladd <watsonbladd@gmail.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <CACsn0c=seHgHNSRta5tCfbxUY2y1cqOOEPdfsDY7udi=h9P88w@mail.gmail.com> <5338911C.8010307@dei.uc.pt>
In-Reply-To: <5338911C.8010307@dei.uc.pt>
X-Enigmail-Version: 1.6+git0.20140323
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="lhLUR258q00jgLV76f7MHgbUELSIb87AF"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/g8XAryDDMm0z4uB-tqphAWctAaQ
Subject: Re: [Cfrg] Question about primes of special form and the NFS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Apr 2014 20:38:11 -0000
Hi all--
On 03/30/2014 05:48 PM, Samuel Neves wrote:
> On 30-03-2014 21:43, Watson Ladd wrote:
>> Dear all,
>> draft-gillmor-tls-negotiated-dl-dhe-00 contains primes of the form
>> 2^{b}-2^{b-64}+k*2^64-1 for b a multiple of 64 and k small, and
>> recommends them as DHE groups. This is to close a security hole in TLS
>> in which no set of DHE parameters exists, and no one realized they
>> can't be validated.
>>
>> This is not as bad as primes of the form 2^b-small, for which the SNFS
>> applies trivially. However, I am worried that some of the speedups
>> might still happen. It's probably not possible, but I don't know the
>> state of the art in this area, and would appreciate any references
>> dealing with extensions of SNFS to numbers that aren't that special.
>
> These primes do look risky. Oliver Schirokauer has done some work on discrete logarithms modulo primes with small signed binary representation [1], which applies in this case.
>
> Manually finding small-coefficient NFS polynomials for these primes also seems plausible, which is what differentiates the SNFS from the GNFS. For example, for the 4096-bit prime p = 2^4096 - 2^4032 + 341664 * 2^64 - 1, degree 8 and m = 2^504, we obtain
> the polynomial
>
> (2^64-1) * x^8 + (341664 * 2^64 - 1) * x,
>
> which has significantly better coefficient sizes than a random choice of polynomial.
>
> [1] http://eprint.iacr.org/2006/107
Thanks to Watson for raising this question to the group and thanks to
Samuel for his prompt analysis. The choice of primes for this draft are
not set in stone, and i really value the feedback of this group in
choosing a good set.
My current selection looks for safe primes of a reasonable size that can
provide efficient forms for common operations, while avoiding re-using
discrete log groups that are already used elsewhere (to reduce the value
of any particular group as a target for a powerful adversary).
The general form of the construction used in RFC 3526 (high and low
words all-ones, with the middle bits selected by deterministic search
over a known space, with no magic numbers selected) seems reasonable to
me; if anyone has any stronger recommendations for better mechanisms to
generate groups acceptable for public use, please share them.
If there are no other concrete recommendations, i'll replace the groups
in the next draft of tls-negotiated-dl-dhe with groups with non-sparse
prime moduli derived using the binary representation of e instead of
all-zeros for the central bits (this is similar to the use of pi in the
creation of the 3526 MODP groups, but wouldn't share the groups across
protocols).
I'd be happy to hear any suggestions or concerns about this approach, or
any other commentary on the draft.
Regards,
--dkg
- [Cfrg] Question about primes of special form and … Watson Ladd
- Re: [Cfrg] Question about primes of special form … Samuel Neves
- Re: [Cfrg] Question about primes of special form … Daniel Kahn Gillmor
- Re: [Cfrg] Question about primes of special form … Sandy Harris
- Re: [Cfrg] Question about primes of special form … Daniel Kahn Gillmor