Re: [TLS] MODP group modulus derivation [was: Re: I can has SHA-1 hashes for RFC 2409/3526 MODP groups?]
Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 12 March 2014 00:25 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>, "ietf-ssh@netbsd.org" <ietf-ssh@netbsd.org>
Date: Wed, 12 Mar 2014 00:25:12 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C737238A20F@uxcn10-6.UoA.auckland.ac.nz>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/VkLl9FSET0zCHWSJCF5L3rR4Yg0
Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

>More colloquially, this is: 64 bits of 0xFF, followed by (k-128) bits of pi,
>followed by 64 more bits of 0xFF. I don't know why this sequence was
>selected. Does anyone have any pointers to reasons you might want the
>modulus structured this way?

  The prime for this group was selected to have certain properties. The high
  order 64 bits are forced to 1. This helps the classical remainder algorithm,
  because the trial quotient digit can always be taken as the high order word
  of the dividend, possibly +1. The low order 64 bits are forced to 1. This
  helps the Montgomery-style remainder algorithms, because the multiplier
  digit can always be taken to be the low order word of the dividend. The
  middle bits are taken from the binary expansion of pi. This guarantees that
  they are effectively random, while avoiding any suspicion that the primes
  have secretly been selected to be weak.

  The prime is chosen to be a Sophie-Germain prime (i.e., (P-1)/2 is also
  prime), to have the maximum strength against the square-root attack. The
  starting trial numbers were repeatedly incremented by 2^64 until suitable
  primes were located.

  Because this prime is congruent to 7 (mod 8), 2 is a quadratic residue. All
  powers of 2 will also be quadratic residues. This prevents an opponent from
  learning the low order bit of the Diffie-Hellman exponent. Using 2 as a
  generator is efficient for some modular exponentiation algorithms. [Note
  that 2 is technically not a generator in the number theory sense, because it
  omits half of the possible residues mod P. From a cryptographic viewpoint,
  this is a virtue.]

This is from an early Oakley draft draft-ietf-ipsec-isakmp-oakley-03.txt that
references another Oakley draft draft-ietf-ipsec-oakley-01.txt which, however,
doesn't actually contain the text quoted above. So I guess the reference would
be [Citation needed ^ 2] or [Apocryphal ^ 2].

(Oh, and if anyone feels like confirming the SHA-1 hashes of the primes I
posted last week....).

Peter.
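The derivation described in the quoted Oakley text, as an added example that is not part of this mail or of any IETF document: a Python script (written by the editor of this page) that rebuilds a MODP prime from the formula the RFCs give, p = 2^k - 2^(k-64) - 1 + 2^64 * (floor(2^(k-130) * pi) + offset), checks every property the text claims (64 high and 64 low one-bits, middle bits taken from pi, p congruent to 7 mod 8 so that 2 is a quadratic residue, (p-1)/2 prime), replays the increment-by-2^64 search at a toy 256-bit size, and shows with a small prime why the quadratic-residue condition is what protects the low bit of the exponent. The offsets 129093 (1024-bit group 2, RFC 2409) and 124476 (2048-bit group 14, RFC 3526) are the published search offsets and are verified rather than trusted; the Machin-formula pi routine, the Miller-Rabin bases, the toy size and all function names are the editor's own choices.

```python
"""Rebuild and check the RFC 2409 / RFC 3526 MODP primes.

Added example, not part of the original mail or of any IETF document.
Formula from the RFCs:
    p = 2^k - 2^(k-64) - 1 + 2^64 * ( floor(2^(k-130) * pi) + offset )
"""
from typing import Dict, Optional

# Bases for trial division and Miller-Rabin (editor's choice; any small primes would do).
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71]


def pi_scaled(bits: int) -> int:
    """floor(pi * 2**bits) via Machin's formula pi = 16*atan(1/5) - 4*atan(1/239), in integers."""
    guard = 64                        # spare low bits so truncation error cannot reach the result
    scale = 1 << (bits + guard)

    def atan_inv(x: int) -> int:      # scale * atan(1/x) = scale * sum (-1)^j / ((2j+1) x^(2j+1))
        total, term, j, sign, x2 = 0, scale // x, 0, 1, x * x
        while term:
            total += sign * (term // (2 * j + 1))
            term //= x2
            j += 1
            sign = -sign
        return total

    return (16 * atan_inv(5) - 4 * atan_inv(239)) >> guard


def is_probable_prime(n: int) -> bool:
    """Trial division by SMALL_PRIMES, then Miller-Rabin with the first 12 of them as bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES[:12]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def modp_prime(k: int, offset: int) -> int:
    """The RFC formula for a k-bit MODP prime with its published search offset."""
    return (1 << k) - (1 << (k - 64)) - 1 + (1 << 64) * (pi_scaled(k - 130) + offset)


def check_modp_structure(p: int, k: int) -> Dict[str, object]:
    """Verify each property the Oakley text describes for a k-bit modulus p."""
    ones64 = (1 << 64) - 1
    q = (p - 1) // 2
    middle = (p >> 64) & ((1 << (k - 128)) - 1)    # the (k-128) bits between the two 0xFF.. blocks
    return {
        "high64_all_ones": (p >> (k - 64)) == ones64,  # classical remainder: quotient digit = top word (+1)
        "low64_all_ones": (p & ones64) == ones64,      # Montgomery-style: multiplier digit = low word
        "p_mod_8_is_7": p % 8 == 7,
        "two_is_qr": pow(2, q, p) == 1,                # Euler's criterion: 2^((p-1)/2) == 1 mod p
        "offset_from_pi": middle - pi_scaled(k - 130) + 1,  # middle block = floor(2^(k-130) pi) + offset - 1
        "p_prime": is_probable_prime(p),
        "q_prime": is_probable_prime(q),               # (p-1)/2 prime, i.e. p is a safe prime
    }


def search_offset(k: int, limit: int = 200000) -> int:
    """Replay the search: bump p by 2^64 (the middle block by 1) until p and (p-1)/2 are both prime."""
    base = (1 << k) - (1 << (k - 64)) - 1 + (1 << 64) * pi_scaled(k - 130)
    for offset in range(limit):
        p = base + (offset << 64)
        if is_probable_prime((p - 1) // 2) and is_probable_prime(p):
            return offset
    raise ValueError("no safe prime found within the search limit")


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) for an odd prime p: 1 for a quadratic residue, p-1 (i.e. -1) otherwise."""
    return pow(a, (p - 1) // 2, p)


def exponent_parity_leak(g: int, p: int, x: int) -> Optional[int]:
    """What the Legendre symbol of the public value g^x mod p reveals about the secret exponent x.

    If g is a non-residue, (g^x / p) = (-1)^x, so the low bit of x is readable from the public value;
    if g is a residue (as 2 is whenever p = 7 mod 8) every power of g is a residue and nothing is revealed.
    """
    if legendre(g, p) == 1:
        return None
    return 0 if legendre(pow(g, x, p), p) == 1 else 1


if __name__ == "__main__":
    # Published offsets: 129093 for group 2 (RFC 2409), 124476 for group 14 (RFC 3526).
    for name, k, offset in [("group 2", 1024, 129093), ("group 14", 2048, 124476)]:
        p = modp_prime(k, offset)
        print(name, hex(p)[:22] + "...", check_modp_structure(p, k))
    toy = search_offset(256)              # toy size: 64 one-bits, 128 bits of pi, 64 one-bits
    print("toy 256-bit search: offset", toy, check_modp_structure(modp_prime(256, toy), 256))
    print("g=2, p=11 (2 is a non-residue mod 11):", [exponent_parity_leak(2, 11, x) for x in range(4)])
    print("g=2, group 2 modulus:", exponent_parity_leak(2, modp_prime(1024, 129093), 12345))
```

The "offset_from_pi" entry is the interesting one for the question dkg asked: subtracting floor(2^(k-130) * pi) from the middle block of a published modulus recovers the search offset, which is the only part of the number that was not fixed in advance. The toy search at 256 bits typically needs a few thousand increments; the real searches needed the six-figure offsets quoted in the RFCs.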