Re: [TLS] STRAW POLL: Size of the Minimum FF DHE group
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 05 November 2014 01:23 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B58A31A1ADC for <tls@ietfa.amsl.com>; Tue, 4 Nov 2014 17:23:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oGehXpIquqb2 for <tls@ietfa.amsl.com>; Tue, 4 Nov 2014 17:23:17 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1426A1A1A31 for <tls@ietf.org>; Tue, 4 Nov 2014 17:23:16 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id BF7882AB04A; Wed, 5 Nov 2014 01:23:14 +0000 (UTC)
Date: Wed, 05 Nov 2014 01:23:14 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20141105012314.GG23599@mournblade.imrryr.org>
References: <8E6B8F53-9E8C-46B2-A721-85E918576F3A@ieca.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <8E6B8F53-9E8C-46B2-A721-85E918576F3A@ieca.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/u36ra84CVvY3fnAiaBdoCMgVP98
Subject: Re: [TLS] STRAW POLL: Size of the Minimum FF DHE group
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Nov 2014 01:23:18 -0000
On Tue, Nov 04, 2014 at 12:49:21PM -0500, Sean Turner wrote: > The draft currently includes a minimum group size of 2432 but the WG also > discussed 2048. Groups smaller than 2048 were discounted for a standards > track document as too weak for use but might be documented in a separate > "historic" draft. To help us reach consensus on this point, please reply > to this email indicating whether you favor a "2048" or "2432" minimum > group size. Note we're also looking to specify the smallest number of > options for groups as is acceptable - i.e., we're not looking at specifying > both 2048 and 2432. > > Background: Regardless of whether you agree with what follows or not, the > following has been put forward as the rationale. We don't need comments > on the rationale, we're just providing it for background. Has any consideration been given to the question of how much of a barrier to the use of Forward-Secrecy larger key sizes might pose? If using DHE imposes a sufficient performance cost, sites might choose to disable (P)FS, and stick with RSA key exchange. I take it the new DHE $\mathbb{Z}^*_p$ subgroups will be cyclic with prime order $q$, where $q$ is a much shorter prime (twice the desired security level bits as with the various DSA groups). If so, how much of a performance advantage does this provide relative to using generic $F_p$ groups for which the order of the generator is not known (as with DHE in TLS today)? Basically, what's the expected ratio of DH-per-second between the two proposed field sizes, and between the 2048-bit group and $F_p$ with $q = (p-1)/2$ and $p$ a 2048-bit Sophie-Germain prime. Is the "new" 2432 as fast or faster than the "old" 2048? Choices of parameters are a trade-off. With unlimited CPU/network we could go with 16k-bit primes. It is difficult to make such a trade-off without some knowledge of the relative costs/benefits. What is our lowest estimated cost to the adversary of breaking 2048-bit DH with purpose-built hardware? What is the cost to the defender of using 2432 vs. 2048? -- Viktor.
- [TLS] STRAW POLL: Size of the Minimum FF DHE group Sean Turner
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Martin Thomson
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Peter Gutmann
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Yoav Nir
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Manuel Pégourié-Gonnard
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Paul Hoffman
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Nikos Mavrogiannopoulos
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Stephen Checkoway
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Daniel Kahn Gillmor
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Nikos Mavrogiannopoulos
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Andrey Jivsov
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Martin Thomson
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Viktor Dukhovni
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Watson Ladd
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Russ Housley
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Bodo Moeller
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Bodo Moeller
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Hanno Böck
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Michael Sweet
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Bodo Moeller
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Manuel Pégourié-Gonnard
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Bodo Moeller
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Michael Sweet
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Bodo Moeller
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Manuel Pégourié-Gonnard
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Hubert Kario
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Daniel Kahn Gillmor
- Re: [TLS] STRAW POLL: Size of the Minimum FF DHE … Rene Struik
- [TLS] closing - Re: STRAW POLL: Size of the Minim… Sean Turner