Re: [TLS] STRAW POLL: Size of the Minimum FF DHE group

Viktor Dukhovni <> Wed, 05 November 2014 01:23 UTC

On Tue, Nov 04, 2014 at 12:49:21PM -0500, Sean Turner wrote:

> The draft currently includes a minimum group size of 2432 but the WG also
> discussed 2048.  Groups smaller than 2048 were discounted for a standards
> track document as too weak for use but might be documented in a separate
> "historic" draft.  To help us reach consensus on this point, please reply
> to this email indicating whether you favor a "2048" or "2432" minimum
> group size.  Note we're also looking to specify the smallest number of
> options for groups as is acceptable - i.e., we're not looking at specifying
> both 2048 and 2432.
> Background: Regardless of whether you agree with what follows or not, the
> following has been put forward as the rationale. We don't need comments
> on the rationale, we're just providing it for background.

Has any consideration been given to the question of how much of a
barrier to the use of Forward-Secrecy larger key sizes might pose?

If using DHE imposes a sufficient performance cost, sites might
choose to disable (P)FS, and stick with RSA key exchange.

I take it the new DHE $\mathbb{Z}^*_p$ subgroups will be cyclic
with prime order $q$, where $q$ is a much shorter prime (twice the
desired security level bits as with the various DSA groups).  If
so, how much of a performance advantage does this provide relative
to using generic $F_p$ groups for which the order of the generator
is not known (as with DHE in TLS today)?

Basically, what's the expected ratio of DH-per-second between the
two proposed field sizes, and between the 2048-bit group and $F_p$
with $q = (p-1)/2$ and $p$ a 2048-bit Sophie-Germain prime?  Is
the "new" 2432 as fast or faster than the "old" 2048?

Choices of parameters are a trade-off.  With unlimited CPU/network
we could go with 16k-bit primes.  It is difficult to make such a
trade-off without some knowledge of the relative costs/benefits.

What is our lowest estimated cost to the adversary of breaking
2048-bit DH with purpose-built hardware?

What is the cost to the defender of using 2432 vs. 2048?
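The cost questions above can be put to a quick measurement.  The
following is an added example, not code from the thread or from any
TLS implementation: it times the modular exponentiation a DHE
handshake costs, for a 2048-bit safe prime with a full-length exponent
versus a short (2 x security-level) exponent, and for a 2432-bit
modulus.  The 2048-bit prime is the RFC 3526 group 14 MODP prime
(p = 2q + 1 with q prime, generator 2 of order q); the 2432-bit
modulus is constructed here for timing only and is not a prime or a
DH group; the 224/240-bit exponent sizes are assumptions standing in
for "twice the security level".  It also shows the subgroup check on a
peer's public value that is only possible when q is known.

```python
"""Added example: DH cost model and subgroup check for the sizes under discussion."""
import random
import time

# RFC 3526 group 14: 2048-bit safe prime p = 2q + 1, q prime, 2 generates the order-q subgroup.
P2048 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q2048 = (P2048 - 1) // 2

# Constructed 2432-bit odd modulus, used for timing only (assumption: not prime, not a group).
M2432 = (1 << 2431) | (P2048 << 100) | 1


def is_probable_prime(n, rounds=8, rng=random.SystemRandom()):
    """Miller-Rabin; enough rounds to verify the constants above at import-free cost."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def valid_public_value(y, p, q):
    """Reject a peer value outside [2, p-2] or outside the order-q subgroup.
    The second test needs q; with an unknown generator order it cannot be done."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1


def dh_exchange(p, g, q, exp_bits, rng=random.SystemRandom()):
    """Two-party DH in the order-q subgroup of F_p^*, private exponents of exp_bits bits.
    Returns both sides' shared secrets so the caller can confirm they agree."""
    xa = rng.getrandbits(exp_bits) | (1 << (exp_bits - 1))
    xb = rng.getrandbits(exp_bits) | (1 << (exp_bits - 1))
    ya, yb = pow(g, xa, p), pow(g, xb, p)
    if not (valid_public_value(ya, p, q) and valid_public_value(yb, p, q)):
        raise ValueError("public value not in the expected subgroup")
    return pow(yb, xa, p), pow(ya, xb, p)


def modexp_cost(modulus_bits, exponent_bits):
    """Operation-count model: ~one modular squaring per exponent bit, each ~bits^2 word ops
    (schoolbook/Montgomery; real libraries differ by a constant, not in the scaling)."""
    return modulus_bits ** 2 * exponent_bits


def cost_ratio(new, old):
    """Cost of (modulus_bits, exponent_bits) `new` relative to `old`."""
    return modexp_cost(*new) / modexp_cost(*old)


def exps_per_second(modulus, exp_bits, seconds=0.5):
    """Measure g^x mod modulus throughput for random x of exp_bits bits (fixed seed: timing only)."""
    rng = random.Random(1)
    xs = [rng.getrandbits(exp_bits) | (1 << (exp_bits - 1)) for _ in range(16)]
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        pow(2, xs[n % 16], modulus)
        n += 1
    return n / (time.perf_counter() - t0)


if __name__ == "__main__":
    assert is_probable_prime(P2048) and is_probable_prime(Q2048)
    a, b = dh_exchange(P2048, 2, Q2048, 224)
    assert a == b
    cases = [("2048-bit p, full-length x", P2048, 2047),
             ("2048-bit p, 224-bit x (known order q)", P2048, 224),
             ("2432-bit modulus, full-length x", M2432, 2431),
             ("2432-bit modulus, 240-bit x", M2432, 240)]
    for label, m, e in cases:
        print(f"{label:40s} {exps_per_second(m, e):9.1f} exp/s")
    print("model 2432/2048, full-length x:", round(cost_ratio((2432, 2431), (2048, 2047)), 2))
    print("model 2048 full-length / 224-bit x:", round(cost_ratio((2048, 2047), (2048, 224)), 2))
```

A DHE handshake is two such exponentiations per side, so the exp/s
figures halve for handshakes/s.  The model predicts roughly 1.7x more
work for 2432 than 2048 at equal exponent length, and roughly 9x less
work for a 224-bit exponent than a full-length one at 2048 bits; the
measured ratios show how far a given bignum implementation departs
from that.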