[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: FIPS 186 and X9.42: One of these things is not like the other

To: "Ben Laurie" <ben@algroup.co.uk>
Subject: RE: FIPS 186 and X9.42: One of these things is not like the other
From: "John C. Kennedy" <jkennedy@trustpoint.com>
Date: Sun, 21 Nov 1999 13:43:23 -0800
Cc: <pgut001@cs.auckland.ac.nz>, <ietf-pkix@imc.org>, <ietf-smime@imc.org>, <ipsec@lists.tislabs.com>, <ekr@rtfm.com>, <djohnson@certicom.com>, <housley@spyrus.com>, <amit@trustpoint.com>
Disposition-Notification-To: "John C. Kennedy" <jkennedy@trustpoint.com>
Importance: Normal
In-Reply-To: <3837CD01.1910F28A@algroup.co.uk>
Sender: owner-ipsec@lists.tislabs.com

As I recall, I argued the same point and lost.  I believe the prevailing
argument was that including both j and q saved a parameter validator the
cost of doing a division to derive the other value.  If j=2, the most common
case, the division is simply a right-shift, and the argument is moot.  If
you are using a q of 160 and j>>2, say in the case where DSA parameters are
being overloaded for use as DH parameters, the p/q calculation is more
expensive.  If you are doing the calculation on a memory/CPU limited smart
card the inclusion of p,q,j may be useful.

The values q and j are made available for verification of domain parameters
and for guiding selection of appropriately sized private keys.

-John
jkennedy@trustpoint.com

-----Original Message-----
From: Ben Laurie [mailto:ben@algroup.co.uk]
Sent: Sunday, November 21, 1999 2:44 AM
To: John C. Kennedy
Cc: pgut001@cs.auckland.ac.nz; ietf-pkix@imc.org; ietf-smime@imc.org;
ipsec@lists.tislabs.com; ekr@rtfm.com; robert.zuccherato@entrust.com;
djohnson@certicom.com; wpolk@nist.gov; housley@spyrus.com; jis@mit.edu;
mleech@nortelnetworks.com
Subject: Re: FIPS 186 and X9.42: One of these things is not like the
other

"John C. Kennedy" wrote:
> (9) RFC 2459 (PKIX) shows ASN.1 encoding of the DH parameters as:
>  DomainParameters ::= SEQUENCE {
>               p       INTEGER, -- odd prime, p=jq +1
>               g       INTEGER, -- generator, g
>               q       INTEGER, -- factor of p-1
>               j       INTEGER OPTIONAL, -- subgroup factor
>               validationParms  ValidationParms OPTIONAL }

I was perusing the OpenSSL DH code recently, and I noticed that DH was
using a Germain prime for p (miscommented as a strong prime, btw),
which, of course, makes j=2. But q and j are not kept - what are they
actually used for? (Answers in the form "read XXX" are welcome)

BTW, why the redundancy? If you have any two of p, j and q, you don't
need the other, and surely the work involved to recover the third one is
minimal in comparison to anything else you'd need to do, sumswise?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi

References:

Re: FIPS 186 and X9.42: One of these things is not like the other

From: Ben Laurie <ben@algroup.co.uk>

Prev by Date: Re: suggested clarification regarding port handling in ike
Next by Date: RE: FIPS 186 and X9.42: One of these things is not like the other
Prev by thread: Re: FIPS 186 and X9.42: One of these things is not like the other
Next by thread: RE: FIPS 186 and X9.42: One of these things is not like the other
Index(es):
- Main
- Thread