Re: [TLS] STRAW POLL: Size of the Minimum FF DHE group

Rene Struik <> Wed, 05 November 2014 14:38 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 575BA1A1B31 for <>; Wed, 5 Nov 2014 06:38:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QweGdDKgkLux for <>; Wed, 5 Nov 2014 06:38:04 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c05::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 637291A890F for <>; Wed, 5 Nov 2014 06:38:04 -0800 (PST)
Received: by with SMTP id hn18so8794813igb.13 for <>; Wed, 05 Nov 2014 06:38:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=zi3DCJKtCHLnHEgdoD2vqJRIwrENFipMJko+jOqmMiY=; b=M5p17x3HdWB8XO9UL3GXwZ5Np5EquLBuREDSv8U9QgU1xgUD41QCy3eWEvOLb+DdLb fxYQ6BVYQ0zibIl72x3AMYPEwk4/yVadO3qkZ1D1mAy+rvpzEeSnvxjBIhDNN4VxUvJq wL5wlPpySDQQqyXHak8TeygK55ACfMOTcQwzenikyQZb/TpDgpqJUDV/DI/2B9maVWrR 90/TFbcfxL7nBW+EzFI7EzZkIsEBHzsc8+pI0jmhAjwnQUNWAhIPOdDpuMA99sB+zDXS ZZguApGNgaXQ0iHodAjLmc7WnWwU8Jo7rUPtcIB9/WsM1KfZO02VVC+kXY6T2JLdAdEC 45eA==
X-Received: by with SMTP id mt8mr4941545icc.22.1415198283618; Wed, 05 Nov 2014 06:38:03 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id t1sm168044ioe.17.2014. for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 05 Nov 2014 06:38:03 -0800 (PST)
Message-ID: <>
Date: Wed, 05 Nov 2014 09:37:58 -0500
From: Rene Struik <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Sean Turner <>, " (" <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [TLS] STRAW POLL: Size of the Minimum FF DHE group
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 05 Nov 2014 14:38:06 -0000

Hi Sean:

I think supporting 2048-bit defined discrete log groups would be 

Added note (not part of scope of the straw poll):
It would be useful to explicitly state that if short exponents are used 
with these 2048-bit defined groups, these shall be drawn at random from 
the set of 224-bit integers. (The current draft does not spell this out 
explicitly.) Of course, the more conservative expression would be "drawn 
at random from the set of m-bit integers, where m is at least 224".

Best regards, Rene

On 11/4/2014 12:49 PM, Sean Turner wrote:
> Hi!
> At the TLS Interim meeting in Paris, the WG discussed the FF DHE draft (  The chairs would like to poll the WG on one of the issues in the draft namely the size of the minimum group.
> The draft currently includes a minimum group size of 2432 but the WG also discussed 2048.  Groups smaller than 2048 were discounted for a standards track document as too weak for use but might be documented in a separate “historic” draft.  To help us reach consensus on this point, please reply to this email indicating whether you favor a “2048" or “2432” minimum group size.  Note we’re also looking to specify the smallest number of options for groups as is acceptable - i.e., we’re not looking at specifying both 2048 and 2432.
> Background: Regardless of whether you agree with what follows or not, the following has been put forward as the rationale. We don’t need comments on the rationale, we’re just providing it for background.
> 1) 3DES has a 112-bit work factor and is still considered acceptable in TLS 1.2 and the DLOG keying material shouldn’t be any weaker than the symmetric cipher.
> 2) There is some disagreement about the work factor for the DLOG keys - e.g., NIST says 112-bit work factor correlates to 2048-bit DLOG keys but ECRYPT-II says 112-bit work factor correlates to 2432-bit DLOG keys (see references in draft).
> 3) The other point made about 2048-bit DLOG is that it’s a power of 2 and there’s parity with the public key sizes.
> Cheers,
> j&s
> _______________________________________________
> TLS mailing list

email: | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363