
RE: More MODP Diffie-Hellman groups for IKE



A cryptographer had told me that with the larger MODP DH groups (2048 and
higher) it would be advantageous if the least and most significant
128 bits were set to 1's.

Cons:
CPU time required to generate and validate new primes
People who have already implemented the drafts would have to change their
implementations
Less random bits in the primes
The format would change slightly compared to the smaller primes

Pros:
Large word processors could take advantage of certain performance improving
optimizations
Primes still contain more random bits than the smaller primes
Since the DOI numbers haven't been assigned yet people will have to change
their code anyways
Future advances in CPU architecture might make the optimizations available
to general purpose CPUs
Special purpose DH acceleration cards might take advantage of the
optimizations
Decision would be made based on a cryptographic basis rather than format
looks

Are there any cryptographers out there listening who could comment on the
classical remainder algorithm and the Montgomery-style remainder algorithms
and how much of an advantage the trial quotient digit always taken as the
high order word of the dividend and the multiplier digit always taken to be
the low order word of the dividend is?  I'm guessing that all that is
required to take advantage of these optimizations is the ability to perform
64-bit integer operations with a 128-bit result (but it could be 128-bit
operations with a 256-bit result).  Either way I think it is important to
take a forward-looking approach on this matter.  These larger DH groups are
really going to slow down the key exchange so any optimization that can be
found should be taken advantage of.

-dave
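The optimization dave asks about, as an added worked example that is not code from this thread or from any IKE implementation: with the top word of the modulus all ones, the classical (Knuth) trial quotient digit is just the top word of the remainder and no hardware division is needed; with the bottom word all ones, the Montgomery constant n' = -N^-1 mod 2^w equals 1, so the per-word multiplier is just the low word of the intermediate. The example assumes 64-bit words, and the modulus it uses is constructed to have the required shape but is not prime (primality is irrelevant to the reduction arithmetic). For reference, the groups as later published in RFC 3526 force the top and bottom 64 bits, not 128, to one.

```python
# Added example: why all-ones top/bottom words of a modulus remove the
# division from classical reduction and the n' multiply from Montgomery
# reduction.  Assumptions: 64-bit words; the modulus is CONSTRUCTED (not prime).
import random

W = 64               # word size in bits (assumed)
R = 1 << W           # radix
MASK = R - 1         # one word of all ones


def make_modulus(bits, rng, w=W):
    """Constructed odd modulus: top w bits and bottom w bits set, random middle."""
    middle = rng.getrandbits(bits - 2 * w)
    return (MASK << (bits - w)) | (middle << w) | MASK


def has_optimized_shape(n_mod, bits, w=W):
    """True when the top and bottom w-bit words of n_mod are all ones."""
    return (n_mod >> (bits - w)) == MASK and (n_mod & MASK) == MASK


def classical_reduce(x, n_mod, nwords, w=W):
    """Schoolbook reduction of x (< n_mod * R**nwords) modulo n_mod, one word
    per step.  Knuth divides the top two remainder words by the top modulus
    word to get a trial quotient; when that word is all ones the trial digit
    is simply the top remainder word, so no division is needed.  Returns
    (x mod n_mod, most 'subtract n_mod again' fix-ups seen in any step); the
    fix-up count stays <= 2 for a modulus of this shape."""
    assert x < (n_mod << (nwords * w))
    r = x >> (nwords * w)              # top nwords words, already < n_mod
    worst = 0
    for j in range(nwords - 1, -1, -1):
        r = (r << w) | ((x >> (j * w)) & MASK)   # bring down the next word
        q_hat = r >> (nwords * w)      # trial quotient = top word of remainder
        r -= q_hat * n_mod             # never negative: q_hat <= true quotient
        fixups = 0
        while r >= n_mod:              # q_hat underestimates by at most 2
            r -= n_mod
            fixups += 1
        worst = max(worst, fixups)
    return r, worst


def montgomery_reduce(t, n_mod, nwords, w=W):
    """Word-by-word Montgomery reduction: returns t * R**-nwords mod n_mod.
    Each step needs m = (t mod R) * n' mod R with n' = -n_mod**-1 mod R.
    Because the low word of n_mod is all ones, n_mod == -1 (mod R), n' == 1,
    and m is just the low word of t: the multiply disappears."""
    assert t < (n_mod << (nwords * w))
    n_prime = (-pow(n_mod, -1, R)) % R
    assert n_prime == 1, "low word of modulus must be all ones"
    for _ in range(nwords):
        m = t & MASK                   # general form: ((t & MASK) * n_prime) & MASK
        t = (t + m * n_mod) >> w       # low word is now zero, shift it out
    if t >= n_mod:
        t -= n_mod
    return t


def mont_mulmod(a, b, n_mod, nwords, w=W):
    """a * b mod n_mod via two Montgomery reductions; the second multiplies by
    R**(2*nwords) mod n_mod to cancel the R**-nwords factor."""
    r2 = pow(R, 2 * nwords, n_mod)
    ab_over_r = montgomery_reduce(a * b, n_mod, nwords, w)      # a*b*R^-n
    return montgomery_reduce(ab_over_r * r2, n_mod, nwords, w)  # a*b


def run_demo(seed=2001, bits=1024):
    """Build a constructed modulus, reduce a random product both ways, report."""
    rng = random.Random(seed)
    nwords = bits // W
    n_mod = make_modulus(bits, rng)
    a, b = rng.randrange(n_mod), rng.randrange(n_mod)
    expected = (a * b) % n_mod
    rem, worst = classical_reduce(a * b, n_mod, nwords)
    return {
        "shape_ok": has_optimized_shape(n_mod, bits),
        "classical_ok": rem == expected,
        "worst_fixups": worst,
        "montgomery_ok": mont_mulmod(a, b, n_mod, nwords) == expected,
    }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

The two reductions are written at word granularity on purpose: in a real bignum library each iteration of `classical_reduce` would otherwise contain a 128-by-64-bit divide, and each iteration of `montgomery_reduce` a 64x64-bit multiply, which is exactly the per-word work the special prime shape removes. Everything else (the multi-precision multiply and subtract) is the same 64-bit-operand, 128-bit-result arithmetic the message above guesses at.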


-----Original Message-----
From: William Dixon [mailto:wdixon@windows.microsoft.com]
Sent: Wednesday, July 25, 2001 12:00 AM
To: ipsec@lists.tislabs.com
Cc: Tero Kivinen
Subject: More MODP Diffie-Hellman groups for IKE


Does anybody have any problems with this draft ?  Anyone oppose last
call for it ?  Tero said he hasn't heard much from people, and so we
aren't sure who is implementing.  It seems people are happy with the
numbers.

We should get this out so DOI numbers can be assigned so we can actually
interop w/o new group mode.

Wm