Re: [TLS] MODP group modulus derivation [was: Re: I can has SHA-1 hashes for RFC 2409/3526 MODP groups?]

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 12 March 2014 00:25 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>, "ietf-ssh@netbsd.org" <ietf-ssh@netbsd.org>
Thread-Topic: [TLS] MODP group modulus derivation [was: Re: I can has SHA-1 hashes for RFC 2409/3526 MODP groups?]
Thread-Index: Ac89iYieoDktMLvTRCu1CZHjC2IAVQ==
Date: Wed, 12 Mar 2014 00:25:12 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C737238A20F@uxcn10-6.UoA.auckland.ac.nz>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/VkLl9FSET0zCHWSJCF5L3rR4Yg0
Subject: Re: [TLS] MODP group modulus derivation [was: Re: I can has SHA-1 hashes for RFC 2409/3526 MODP groups?]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

>More colloquially, this is: 64 bits of 0xFF, followed by (k-128) bits of pi,
>followed by 64 more bits of 0xFF.  I don't know why this sequence was
>selected.  Does anyone have any pointers to reasons you might want the
>modulus structured this way?

    The prime for this group was selected to have certain properties.  The high
    order 64 bits are forced to 1.  This helps the classical remainder
    algorithm, because the trial quotient digit can always be taken as the high
    order word of the dividend, possibly +1.  The low order 64 bits are forced
    to 1.  This helps the Montgomery-style remainder algorithms, because the
    multiplier digit can always be taken to be the low order word of the
    dividend.  The middle bits are taken from the binary expansion of pi.  This
    guarantees that they are effectively random, while avoiding any suspicion
    that the primes have secretly been selected to be weak.

    The prime is chosen to be a Sophie-Germain prime (i.e., (P-1)/2 is also
    prime), to have the maximum strength against the square-root attack.  The
    starting trial numbers were repeatedly incremented by 2^64 until suitable
    primes were located.

    Because this prime is congruent to 7 (mod 8), 2 is a quadratic residue.
    All powers of 2 will also be quadratic residues. This prevents an opponent
    from learning the low order bit of the Diffie-Hellman exponent.  Using 2 as
    a generator is efficient for some modular exponentiation algorithms.  [Note
    that 2 is technically not a generator in the number theory sense, because
    it omits half of the possible residues mod P. From a cryptographic
    viewpoint, this is a virtue.]

This is from an early Oakley draft draft-ietf-ipsec-isakmp-oakley-03.txt that
references another Oakley draft draft-ietf-ipsec-oakley-01.txt which, however,
doesn't actually contain the text quoted above.  So I guess the reference
would be [Citation needed ^ 2] or [Apocryphal ^ 2].

(Oh, and if anyone feels like confirming the SHA-1 hashes of the primes I
posted last week....).

Peter.
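As an added worked example (not part of Peter's message, nor of the Oakley drafts or RFCs he quotes), the following Python re-derives a MODP modulus from the recipe in the quoted passage and checks each property that passage claims: the 64 high and 64 low bits all set, the middle bits taken from the binary expansion of pi, p a safe (Sophie Germain) prime, p congruent to 7 mod 8, and 2 a quadratic residue that therefore generates only the order-q subgroup. The 1024-bit hex constant and the offset 129093 are the published RFC 2409 Second Oakley Group values; all function names are my own, and the 256-bit search at the end is a scaled-down rerun of the "increment by 2^64 until a suitable prime turns up" procedure so it finishes in about a second.

```python
# Added example: re-derive and check the RFC 2409/3526 MODP modulus structure.
# Helper names are this example's own; the hex constant and 129093 are from RFC 2409.

SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]
MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]  # fixed bases: probabilistic for big n


def is_probable_prime(n):
    """Trial division by small primes, then Miller-Rabin with fixed bases."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for q in SMALL_PRIMES:
        if n == q:
            return True
        if n % q == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _arctan_inv(x, prec):
    """arctan(1/x) * 2**prec (to within a few ulps) via the Taylor series in integers."""
    total, term, k, sign = 0, (1 << prec) // x, 0, 1
    x2 = x * x
    while term:
        total += sign * (term // (2 * k + 1))
        term //= x2
        k += 1
        sign = -sign
    return total


def pi_floor_scaled(nbits, guard=64):
    """floor(2**nbits * pi), via Machin's formula with guard bits to absorb rounding."""
    prec = nbits + guard
    pi_fixed = 16 * _arctan_inv(5, prec) - 4 * _arctan_inv(239, prec)
    return pi_fixed >> guard


def oakley_modulus(k, offset):
    """2**k - 2**(k-64) - 1 + 2**64 * (floor(2**(k-130) * pi) + offset): the recipe
    RFC 2409/3526 give for each group. Top and bottom 64 bits end up all ones and the
    (k-128) middle bits are pi's expansion plus a small offset found by searching."""
    return (1 << k) - (1 << (k - 64)) - 1 + (1 << 64) * (pi_floor_scaled(k - 130) + offset)


def check_modp_properties(p):
    """Verify the properties the quoted Oakley text claims for these moduli."""
    k = p.bit_length()
    ones64 = (1 << 64) - 1
    q = (p - 1) // 2
    return {
        "high_64_bits_all_ones": (p >> (k - 64)) == ones64,
        "low_64_bits_all_ones": (p & ones64) == ones64,
        "p_is_7_mod_8": p % 8 == 7,
        "safe_prime": is_probable_prime(p) and is_probable_prime(q),
        # Euler's criterion: 2 is a quadratic residue iff 2^((p-1)/2) == 1 (mod p).
        # With q prime this also means 2 has order exactly q (it "omits half the residues").
        "two_is_quadratic_residue": pow(2, q, p) == 1,
    }


def find_oakley_modulus(k, start_offset=0, max_tries=200000):
    """Rerun the Oakley search at size k: step the candidate by 2**64 (offset += 1)
    until both p and (p-1)/2 are prime. Returns (p, offset)."""
    base = oakley_modulus(k, 0)
    for offset in range(start_offset, start_offset + max_tries):
        p = base + (offset << 64)
        if is_probable_prime(p) and is_probable_prime((p - 1) // 2):
            return p, offset
    raise ValueError("no safe prime found within max_tries")


# RFC 2409 "Second Oakley Group" (1024-bit MODP), as published in that RFC.
RFC2409_GROUP2_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
RFC2409_GROUP2_P = int(RFC2409_GROUP2_HEX, 16)


if __name__ == "__main__":
    print("RFC 2409 group 2 matches recipe with offset 129093:",
          oakley_modulus(1024, 129093) == RFC2409_GROUP2_P)
    print(check_modp_properties(RFC2409_GROUP2_P))
    p, offset = find_oakley_modulus(256)
    print("256-bit rerun found offset", offset, hex(p))
    print(check_modp_properties(p))
```

Two things the run makes concrete: the "64 bits of 0xFF / pi / 64 bits of 0xFF" layout is not a side effect of the search but fixed by the formula, since the offset is multiplied by 2^64 before being added and so can only disturb the bottom of the pi region; and p = 7 (mod 8) is likewise forced by the all-ones low word rather than being a property the search had to look for, which is why 2 being a quadratic residue comes for free in every group generated this way.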