Re: [TLS] STRAW POLL: Size of the Minimum FF DHE group

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 05 November 2014 01:23 UTC

Date: Wed, 05 Nov 2014 01:23:14 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20141105012314.GG23599@mournblade.imrryr.org>
References: <8E6B8F53-9E8C-46B2-A721-85E918576F3A@ieca.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/u36ra84CVvY3fnAiaBdoCMgVP98
Subject: Re: [TLS] STRAW POLL: Size of the Minimum FF DHE group

On Tue, Nov 04, 2014 at 12:49:21PM -0500, Sean Turner wrote:

> The draft currently includes a minimum group size of 2432 but the WG also
> discussed 2048.  Groups smaller than 2048 were discounted for a standards
> track document as too weak for use but might be documented in a separate
> "historic" draft.  To help us reach consensus on this point, please reply
> to this email indicating whether you favor a "2048" or "2432" minimum
> group size.  Note we're also looking to specify the smallest number of
> options for groups as is acceptable - i.e., we're not looking at specifying
> both 2048 and 2432.
> 
> Background: Regardless of whether you agree with what follows or not, the
> following has been put forward as the rationale. We don't need comments
> on the rationale, we're just providing it for background.

Has any consideration been given to the question of how much of a
barrier to the use of Forward-Secrecy larger key sizes might pose?

If using DHE imposes a sufficient performance cost, sites might
choose to disable (P)FS, and stick with RSA key exchange.

I take it the new DHE $\mathbb{Z}^*_p$ subgroups will be cyclic
with prime order $q$, where $q$ is a much shorter prime (twice the
desired security level bits as with the various DSA groups).  If
so, how much of a performance advantage does this provide relative
to using generic $F_p$ groups for which the order of the generator
is not known (as with DHE in TLS today)?

Basically, what's the expected ratio of DH-per-second between the
two proposed field sizes, and between the 2048-bit group and $F_p$
with $q = (p-1)/2$ and $p$ a 2048-bit Sophie Germain prime?  Is
the "new" 2432 as fast or faster than the "old" 2048?

Choices of parameters are a trade-off.  With unlimited CPU/network
we could go with 16k-bit primes.  It is difficult to make such a
trade-off without some knowledge of the relative costs/benefits.

What is our lowest estimated cost to the adversary of breaking
2048-bit DH with purpose-built hardware?

What is the cost to the defender of using 2432 vs. 2048?

-- 
	Viktor.
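The four cases the message asks about, as an added example that is not part of Viktor's mail or the draft: a rough square-and-multiply cost model beside a quick `pow()` timing, comparing full-length private exponents (generic group, order of the generator not assumed known) with the short exponents a prime-order-$q$ subgroup permits. The exponent lengths 224/256 bits and the random odd moduli are constructed assumptions, not the draft's parameters.

```python
"""Added example: rough DHE cost model for the 2048 vs 2432 question.
Compares full-length private exponents with the short exponents a
prime-order-q subgroup allows.  Timing moduli are constructed random odd
numbers (not real group primes): pow()'s running time depends only on
operand sizes.  Exponent lengths 224/256 are illustrative assumptions."""
import secrets
import time

def modmul_count(exp_bits: int) -> int:
    """Left-to-right square-and-multiply: one squaring per exponent bit
    plus, on average, one multiplication per two bits."""
    return exp_bits + exp_bits // 2

def relative_cost(p_bits: int, exp_bits: int) -> float:
    """Model cost in units of one 2048-bit modular multiplication;
    schoolbook modular multiplication scales with p_bits**2."""
    return modmul_count(exp_bits) * (p_bits / 2048) ** 2

def bench(p_bits: int, exp_bits: int, rounds: int = 20) -> float:
    """Mean wall-clock seconds for one pow(g, x, p) at the given sizes."""
    # Constructed odd modulus with the top bit set; not a real DHE prime.
    p = secrets.randbits(p_bits) | (1 << (p_bits - 1)) | 1
    xs = [secrets.randbits(exp_bits) | (1 << (exp_bits - 1)) for _ in range(rounds)]
    t0 = time.perf_counter()
    for x in xs:
        pow(2, x, p)
    return (time.perf_counter() - t0) / rounds

# name -> (modulus bits, private exponent bits); exponent lengths assumed
SCENARIOS = {
    "2048-bit p, full-length x": (2048, 2048),
    "2048-bit p, short x (order-q)": (2048, 224),
    "2432-bit p, full-length x": (2432, 2432),
    "2432-bit p, short x (order-q)": (2432, 256),
}

def speed_ratios() -> dict:
    """Modelled cost of each scenario relative to 2048-bit p with full x."""
    base = relative_cost(2048, 2048)
    return {name: relative_cost(pb, eb) / base for name, (pb, eb) in SCENARIOS.items()}

if __name__ == "__main__":
    t_base = bench(2048, 2048)
    for name, (pb, eb) in SCENARIOS.items():
        t = bench(pb, eb)
        print(f"{name:30s} model x{speed_ratios()[name]:5.2f}"
              f"  measured x{t / t_base:5.2f}  ~{1 / t:7.0f} DH/s")
```

Real stacks use Montgomery and windowed exponentiation, so absolute timings differ; in a prime-order subgroup, checking that a peer's share lies in the subgroup costs roughly one more exponentiation on top of the figures above.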