Re: [Cfrg] What groups to use for Diffie Hellman?

Phillip Hallam-Baker <> Mon, 31 October 2016 21:24 UTC

From: Phillip Hallam-Baker <>
Date: Mon, 31 Oct 2016 17:24:52 -0400
To: Yoav Nir <>
Cc: jonas weber <>, "" <>, Peter Gutmann <>
Subject: Re: [Cfrg] What groups to use for Diffie Hellman?
List-Id: Crypto Forum Research Group <>

On Mon, Oct 31, 2016 at 3:57 PM, Yoav Nir <> wrote:

> On 31 Oct 2016, at 20:45, Phillip Hallam-Baker <>
> wrote:
> > Based on my conversations with NSA folk, the governing doctrine is
> > 'NOBUS', nobody but us. Introducing a weakness that only the NSA could
> > exploit with hidden knowledge nobody else could discover independently is
> > one thing. Developing a system with a hole anyone can find if they look
> > long enough is not acceptable.
>
> Whatever else he may have accomplished, Edward Snowden proved that NSA
> hidden knowledge can and does get unhidden. At least to people who failed
> to learn that from PFC Manning.
>
> So it’s best not to deploy a group that only the NSA can break, even if
> you are not concerned about the NSA monitoring your data. The next Snowden
> can make it so that the people that you are concerned about will also be
> doing it.

Well, it came up in a response to my complaint about BULLRUN...

I think that point is now appreciated. And not just because of Snowden.
There was also the hacking tools dump that appears to have been finger
trouble without actual criminal intent.

It is useful to enumerate and distinguish the attacks we are avoiding and
the ones we are not. Especially when we have no way to avoid some pitfalls.
There is no deterministic procedure that is going to guarantee strong
parameters against unknown attacks. We have no way of knowing which
parameters are strong.

We can nail down backdoor-free and eliminate the NOBUS attacks. That does
not prevent some sociopath smurfing a set of weak parameters. But if they
did, the US govt would likely be among the biggest victims as a result.