IETF-SSH archive


Re: [TLS] MODP group modulus derivation [was: Re: I can has SHA-1 hashes for RFC 2409/3526 MODP groups?]



Daniel Kahn Gillmor <dkg%fifthhorseman.net@localhost> writes:

>It's not clear to me that there is any advantage in a DH key exchange to
>using the RFC 5114 discrete log groups.

There's actually an enormous disadvantage to using those groups: the RFC 3526
and earlier MODP groups set the generator to 2, which is quite efficient to
work with.  RFC 5114 uses a generator of the same size as the prime, which is
stunningly inefficient (I've referred to the 5114 groups as the "WTF groups"
in code in the past).  I have no idea why the RFC would choose such an awful
generator...

Peter.
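
Added example, not part of the original message: a plain left-to-right square-and-multiply exponentiation that counts operations, showing why a generator of 2 is cheaper than a generator as wide as the prime. The modulus, exponent and full-size generator are constructed stand-ins (not the RFC 3526 or RFC 5114 values), and real libraries may use windowed or precomputed methods with different counts.

```python
import hashlib

# Constructed stand-ins, NOT taken from RFC 3526 or RFC 5114.
P = 2**521 - 1  # a known Mersenne prime used as a sample modulus
X = int.from_bytes(hashlib.sha256(b"constructed exponent").digest(), "big") | (1 << 255)
G_BIG = int.from_bytes(hashlib.sha512(b"constructed generator").digest() * 2, "big") % P


def modexp_counted(g, x, p):
    """Binary (left-to-right) modular exponentiation with an operation tally.

    Every exponent bit costs one modular squaring. Every set bit also costs
    one multiplication by g: for g == 2 that is a shift plus at most one
    subtraction; for a full-size g it is a full-width multiply and reduction.
    """
    ops = {"square": 0, "double": 0, "full_mul": 0}
    acc = 1
    for bit in bin(x)[2:]:
        acc = acc * acc % p
        ops["square"] += 1
        if bit == "1":
            if g == 2:
                acc <<= 1          # acc < p, so 2*acc < 2p
                if acc >= p:
                    acc -= p       # one conditional subtraction suffices
                ops["double"] += 1
            else:
                acc = acc * g % p  # full-width multiply + modular reduction
                ops["full_mul"] += 1
    return acc, ops


def compare():
    """Return the operation tallies for g = 2 and for the full-size generator."""
    return {
        "g=2": modexp_counted(2, X, P)[1],
        "full-size g": modexp_counted(G_BIG, X, P)[1],
    }


if __name__ == "__main__":
    for label, ops in compare().items():
        print(f"{label:12s} {ops}")
```

With g = 2 the only full-width operations are the squarings; the full-size generator adds one full-width multiply per set exponent bit on top of them.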
