Re: [Cfrg] Question about primes of special form and the NFS
Samuel Neves <sneves@dei.uc.pt> Sun, 30 March 2014 21:48 UTC
Return-Path: <sneves@dei.uc.pt>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCA4C1A06C3 for <cfrg@ietfa.amsl.com>; Sun, 30 Mar 2014 14:48:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.611
X-Spam-Level:
X-Spam-Status: No, score=-2.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yDr97DRaGs3n for <cfrg@ietfa.amsl.com>; Sun, 30 Mar 2014 14:48:53 -0700 (PDT)
Received: from smtp.dei.uc.pt (smtp.dei.uc.pt [193.137.203.253]) by ietfa.amsl.com (Postfix) with ESMTP id 0E8C31A0344 for <cfrg@irtf.org>; Sun, 30 Mar 2014 14:48:52 -0700 (PDT)
Received: from [192.168.1.64] (bl21-68-111.dsl.telepac.pt [2.82.68.111]) (authenticated bits=0) by smtp.dei.uc.pt (8.14.4/8.14.4) with ESMTP id s2ULmedC024607 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Sun, 30 Mar 2014 22:48:45 +0100
Message-ID: <5338911C.8010307@dei.uc.pt>
Date: Sun, 30 Mar 2014 22:48:12 +0100
From: Samuel Neves <sneves@dei.uc.pt>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <CACsn0c=seHgHNSRta5tCfbxUY2y1cqOOEPdfsDY7udi=h9P88w@mail.gmail.com>
In-Reply-To: <CACsn0c=seHgHNSRta5tCfbxUY2y1cqOOEPdfsDY7udi=h9P88w@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-FCTUC-DEI-SIC-MailScanner-Information: Please contact helpdesk@dei.uc.pt for more information
X-FCTUC-DEI-SIC-MailScanner-ID: s2ULmedC024607
X-FCTUC-DEI-SIC-MailScanner: Found to be clean
X-FCTUC-DEI-SIC-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-60.25, required 3.252, autolearn=not spam, ALL_TRUSTED -10.00, BAYES_00 -0.25, L_SMTP_AUTH -50.00)
X-FCTUC-DEI-SIC-MailScanner-From: sneves@dei.uc.pt
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/getOo7heSvxKnA1oke8MtTJ3sFc
Subject: Re: [Cfrg] Question about primes of special form and the NFS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Mar 2014 21:48:57 -0000
On 30-03-2014 21:43, Watson Ladd wrote:
> Dear all,
> draft-gillmor-tls-negotiated-dl-dhe-00 contains primes of the form
> 2^{b}-2^{b-64}+k*2^64-1 for b a multiple of 64 and k small, and
> recommends them as DHE groups. This is to close a security hole in TLS
> in which no set of DHE parameters exists, and no one realized they
> can't be validated.
>
> This is not as bad as primes of the form 2^b-small, for which the SNFS
> applies trivially. However, I am worried that some of the speedups
> might still happen. It's probably not possible, but I don't know the
> state of the art in this area, and would appreciate any references
> dealing with extensions of SNFS to numbers that aren't that special.
These primes do look risky. Oliver Schirokauer has done some work on discrete logarithms modulo primes with small signed binary representation [1], which applies in this case.
Manually finding small-coefficient NFS polynomials for these primes also seems plausible, which is what differentiates the SNFS from the GNFS. For example, for the 4096-bit prime p = 2^4096 - 2^4032 + 341664 * 2^64 - 1, degree 8 and m = 2^504, we obtain
the polynomial
(2^64-1) * x^8 + (341664 * 2^64 - 1) * x,
which has significantly better coefficient sizes than a random choice of polynomial.
[1] http://eprint.iacr.org/2006/107
- [Cfrg] Question about primes of special form and … Watson Ladd
- Re: [Cfrg] Question about primes of special form … Samuel Neves
- Re: [Cfrg] Question about primes of special form … Daniel Kahn Gillmor
- Re: [Cfrg] Question about primes of special form … Sandy Harris
- Re: [Cfrg] Question about primes of special form … Daniel Kahn Gillmor