Re: [Cfrg] Unknown order DH groups, e.g. as in RFC3526.

Markku-Juhani Olavi Saarinen <mjos@iki.fi> Fri, 08 March 2019 23:48 UTC

References: <CAKUk3buNuoFk0BnhqkefrGezPJiAcqkwNi35TOB_QZwEaQ8ycw@mail.gmail.com> <875074e405cb4fa08917e6e7ba96e022@XCH-RTP-006.cisco.com> <CAKUk3bvY_tnfTQnx3XSBjM4zAJz5V_9T3Dm3Q=bLPN-LhEut_Q@mail.gmail.com> <CA+iU_qmdDrO5=WOXF0-3spbV0VoYtAiZtv2u-HZM3s2QwGXttA@mail.gmail.com>
In-Reply-To: <CA+iU_qmdDrO5=WOXF0-3spbV0VoYtAiZtv2u-HZM3s2QwGXttA@mail.gmail.com>
From: Markku-Juhani Olavi Saarinen <mjos@iki.fi>
Date: Fri, 08 Mar 2019 23:48:21 +0000
Message-ID: <CA+iU_qmgjp6_AMwTn4BMtYewe_1ZEh0t_y9heEwvq7BWW8ap_w@mail.gmail.com>
To: Andrey Jivsov <crypto@brainhub.org>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/yTtetbh4_A0kp5Sqo0kFbI9-YuQ>
Subject: Re: [Cfrg] Unknown order DH groups, e.g. as in RFC3526.
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

Hi,

Further note: The primes of RFC 3526 were generated to match the
criteria given in Appendix E of RFC 2412 - those earlier computations
were performed by Richard Schroeppel for OAKLEY, a predecessor of IKE.
Mika Kojo just used the same "cookbook formula" to deterministically
search for larger primes. If you applied the same rules, you should be
able to find the same primes. The primes in RFC 2412 and RFC 3526 are
based on binary digits of Pi, while the primes in RFC 7919 seem to be
based on the natural exponent e.

Cheers,
- markku

Dr. Markku-Juhani O. Saarinen <mjos@iki.fi>

On Fri, Mar 8, 2019 at 11:30 PM Markku-Juhani Olavi Saarinen
<mjos@iki.fi> wrote:
>
> Hi Andrey,
>
> It is true that RFC 3526 does not explicitly give out the group orders
> -- these are safe primes. I recall when my late colleague at SSH, Mika
> Kojo computed (or "found") them some 20 years ago -- they were
> published posthumously and that's probably why such mathematical
> details are missing. You can run a primality test of your choosing on
> each (p-1)/2 to verify this if you like.
>
> All of this, including Diffie-Hellman in basically any group, is of
> course of historical interest only. But let me expand on this for
> posterity:
>
> It is (or at least used to be) "common knowledge" that the MODP groups
> (including RFC3526) were based on Sophie Germain primes, i.e. primes
> of type p=2q+1 where q is also a prime. Therefore the group order of
> any element x that is coprime with p can only be one of {1, 2, q,
> 2*q}. The latter two classes correspond to quadratic residues and
> quadratic non-residues. There are O(log a log b) algorithms for
> Legendre/Jacobi symbol so the group order of any element can be
> efficiently evaluated if you accept that p is a "S.G." prime. In most
> cases it is sufficient to check that x mod p is not one of { 0, 1, p-1
> }, meaning that the group order is at least q -- the quadratic residue
> check will only reveal the least significant bit of a secret exponent
> -- if the generator happens to be a q.n.r.
>
> Cheers,
> - markku
>
> Dr. Markku-Juhani O. Saarinen <mjos@iki.fi>
>
> On Fri, Mar 8, 2019 at 11:17 PM Andrey Jivsov <crypto@brainhub.org> wrote:
> >
> > Sorry, a correction: https://tools.ietf.org/html/rfc7919 is the RFC that defines safe primes, and thus the group order is (p-1)/2 for each of them.
> >
> > What's the group order for random primes in https://tools.ietf.org/html/rfc3526 ? Do you mean the composite group order p-1 with potentially unpleasant many-small-factors factorization?
> >
> > On Fri, Mar 8, 2019 at 2:59 PM Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com> wrote:
> >>
> >> I suspect you mistyped the RFC number you meant; instead of saying that the groups listed in RFC3526 didn’t specify an order (they do), you meant to talk about the groups in some other RFC…
> >>
> >> From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Andrey Jivsov
> >> Sent: Friday, March 08, 2019 5:44 PM
> >> To: cfrg@irtf.org
> >> Subject: [Cfrg] Unknown order DH groups, e.g. as in RFC3526.
> >>
> >> Greetings.
> >>
> >> A quick question on DH primes.
> >>
> >> The IKE DH groups document didn't specify the group order https://tools.ietf.org/html/rfc3526 .
> >>
> >> This is in contrast to https://tools.ietf.org/html/rfc3526 that uses safe primes.
> >>
> >> Is my understanding correct that, as a general rule, these primes should not be used, e.g. where a contributory behaviour of DH is needed? The issue here is that a random element, received from a peer, can be in any subgroup, possibly in a subgroup with lower security than 128 bits, and there is no way to verify this efficiently.
> >>
> >> Thank you.
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
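The checks Markku describes above (confirm that p = 2q + 1 with q prime, classify a received element's order as 1, 2, q or 2q with a Jacobi symbol, the cheap reject of {0, 1, p-1}, and the one-bit exponent leak through the Legendre symbol when the generator is a quadratic non-residue), worked through as an added Python example. This code is not part of the thread, of RFC 3526 or of any library; the 1536-bit constant is the RFC 3526 group 5 modulus as transcribed here (check it against the RFC text before relying on it), and the Miller-Rabin round count, the function names and the toy group p = 23, g = 5 are this example's own choices.

```python
import random

# RFC 3526 group 5 (1536-bit MODP) modulus, transcribed from the RFC text.
# It is the one constant here that comes from a standard; everything else
# is this example's own scaffolding.
RFC3526_GROUP5_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
""".split()), 16)
RFC3526_G = 2  # the generator RFC 3526 specifies for every MODP group


def is_probable_prime(n, rounds=32, seed=1):
    """Miller-Rabin with a seeded RNG so repeated runs behave identically."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(seed)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """p = 2q + 1 with both p and q prime: the property to verify for RFC 3526."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 via the binary reciprocity algorithm
    (O(log a * log n) bit operations); equals the Legendre symbol for prime n."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def element_order(x, p):
    """Order of x in Z_p^* for a safe prime p = 2q + 1: one of 1, 2, q, 2q.
    Quadratic residues have order q, non-residues order 2q."""
    q = (p - 1) // 2
    x %= p
    if x == 0:
        raise ValueError("0 is not in the multiplicative group")
    if x == 1:
        return 1
    if x == p - 1:
        return 2
    return q if jacobi(x, p) == 1 else 2 * q


def peer_value_ok(y, p):
    """The cheap check: any y outside {0, 1, p-1} has order at least q."""
    return 2 <= y <= p - 2


def exponent_parity_leak(g, y, p):
    """If g is a non-residue then (y/p) = (-1)^a for y = g^a, so the low bit
    of a is public. Returns 0 or 1, or None when g is a residue (no leak)."""
    if jacobi(g, p) != -1:
        return None
    return 0 if jacobi(y, p) == 1 else 1


if __name__ == "__main__":
    p, g = RFC3526_GROUP5_P, RFC3526_G
    print("1536-bit modulus is a safe prime:", is_safe_prime(p))
    print("g=2 has order q (2 is a residue because p = 7 mod 8):",
          element_order(g, p) == (p - 1) // 2)
    print("parity leak with g=2:", exponent_parity_leak(g, pow(g, 12345, p), p))
    # Toy group where the generator IS a non-residue: p=23, g=5 has order 22.
    for a in (4, 7):
        print("p=23 g=5 a=%d: leaked low bit = %s"
              % (a, exponent_parity_leak(5, pow(5, a, 23), 23)))
```

For the RFC 3526 groups the generator 2 is a quadratic residue (p is 7 mod 8), so the Legendre symbol of a public value says nothing about the exponent; the toy group shows what happens when a non-residue generator is chosen instead. The `peer_value_ok` range check is what an implementation should do on every received value; `element_order` is the full classification, useful when you want to know whether a peer sent you an element of order q or 2q.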