Home Explore Help
Register Sign In
third
/
freeswitch
2
0
Fork 0
Files
Branch: v1.4
Branches Tags
freeswitch
/
libs
/
libzrtp
/
third_party
/
bnlib
/
test
/
primes.doc

primes.doc 11 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215 
  1. 	The choice of Diffie-Hellman parameters
    2. 

  2. 

  3. * Background
    4. 

  4. 

  5. Diffie-Hellman key exchange uses two parameters, a prime p and a
    6. 

  6. generator g, which are used to derive the public parameters
    7. 

  7. y1 = g^x1 (mod p) and y2 = g^x2 (mod p), and then the shared secret
    8. 

  8. z = y1^x2 = (g^x1)^x2 = g^(x1*x2) = (g^x2)^x1 = y2^x1 (mod p).
    9. 

  9. 

  10. For the computation to be secure, several conditions must be true.
    11. 

  11. The exponent must be big enough, for there is a square-root search
    12. 

  12. algorithm to find the exponent.  (E.g. a 16-bit exponent can be found
    13. 

  13. in about 2^8 = 256 steps.)  And then the modulus must be chosen so
    14. 

  14. as to make the general discrete log problem difficult.
    15. 

  15. 

  16. The general discrete log problem can be solved for each prime-power
    17. 

  17. factor of p-1 independently, so if all of the factors of p-1 are small,
    18. 

  18. this is easy to do.  Since p-1 is even, it must have a factor of 2, but
    19. 

  19. the remaining portion q = (p-1)/2 can be chosen to be prime, making the
    20. 

  20. problem as difficult as possible.  Finding such numbers is computationally
    21. 

  21. expensive, but as they are parameters which are only computed once, this
    22. 

  22. is a reasonable up-front cost.
    23. 

  23. 

  24. * Number theory
    25. 

  25. 

  26. A second advantage of prime moduli of this form is that all generators
    27. 

  27. g are good.  This is because the generator must have a large order in
    28. 

  28. the group Z*_p.  But that group is of size p-1 = 2*q, and the order of
    29. 

  29. any element of a group must divide the size of the group.  The only
    30. 

  30. divisors this has are 1, 2, q and 2*q.  The only element of order 1 is
    31. 

  31. 1, and the only element of order 2 is -1.  All other elements, from 2
    32. 

  32. through -2, have orders of either p-1 or (p-1)/2, which are both large.
    33. 

  33. 

  34. If the generator g has order p-1, it is a generator of the group Z*_p,
    35. 

  35. and this is generally how one is advised to generate Diffie-Hellman
    36. 

  36. parameters.  This explains the similarity in names.  However, if g is
    37. 

  37. of order p-1, then it must be a quadratic non-residue modulo p.  That
    38. 

  38. is, it must not be a square of another number.  If it were a square,
    39. 

  39. then since the size of the group is even, no power of it would ever
    40. 

  40. equal its square root, so it could not be a generator.
    41. 

  41. 

  42. If g is indeed of order p-1, then even powers of g are quadratic
    43. 

  43. residues (squares, modulo p), and odd powers are quadratic non-residues
    44. 

  44. (non-squares).  Given a number y and a prime p, the Legendre symbol
    45. 

  45. (y/p) is straightforward to compute, and this tells you if y is a
    46. 

  46. quadratic residue.  If it is, and y = g^x, then x must be even.  If not,
    47. 

  47. then x would have to be odd.  In this way, for a generator which is a
    48. 

  48. quadratic non-residue, the low-order bit of the exponent x is easily
    49. 

  49. computed.
    50. 

  50. 

  51. If g is a quadratic residue, then the useful values of exponents x is
    52. 

  52. more limited, since only the value of the exponent x modulo q = (p-1)/2
    53. 

  53. has any effect on the output y = g^x (mod p), but generally exponents x
    54. 

  54. are much less than p in any case, so this limitation on range is not an
    55. 

  55. issue.
    56. 

  56. 

  57. Essentially, in either case, only the value of x modulo q is secret,
    58. 

  58. but if g is a quadratic non-residue, the low-order bit of x is
    59. 

  59. available to an attacker, while if it is a quadratic residue, the
    60. 

  60. high-order bit is known to be 0.
    61. 

  61. 

  62. Thus, it does not really matter whether g is a quadratic residue or
    63. 

  63. not, but if it is not, the exponent x should be chosen one bit larger.
    64. 

  64. This adds a trivial amount of work to the computation of y, and for
    65. 

  65. that reason it may be preferable to choose g to be a quadratic
    66. 

  66. residue.  This is not currently done, however.
    67. 

  67. 

  68. * Choice of generator g
    69. 

  69. 

  70. Because any g will do, and the choice of g does not affect the difficulty
    71. 

  71. of performing the discrete log computation, choosing it for convenience
    72. 

  72. of computation is best, and g = 2 is simplest to compute with.
    73. 

  73. 

  74. If in fact it is desirable to choose a generator which is a quadratic
    75. 

  75. residue, then g = 2 can still be used if the prime p is suitably
    76. 

  76. chosen.  If p = +/-1 (mod 8), then 2 is a quadratic residue.  If
    77. 

  77. p = +/-3 (mod 8), then 2 is a non-residue.
    78. 

  78. 

  79. * Choice of prime-generation technique
    80. 

  80. 

  81. There may be additional primes of special form for which the discrete
    82. 

  82. logarithm problem is particularly easy.  The authors are not aware of
    83. 

  83. any, but theoretical advances are possible and it would be nice to
    84. 

  84. assure users of the system that the prime was not chosen to have any
    85. 

  85. hidden special properties: only the published criteria were used.
    86. 

  86. David Kravitz of the NSA has suggested a technique for generating
    87. 

  87. "kosherized" primes for DSS which has been adapted to generate
    88. 

  88. Diffie-Hellman primes.
    89. 

  89. 

  90. The technique uses a string of bytes as a seed to a cryptographically
    91. 

  91. strong one-way hash function.  This generator produces the initial
    92. 

  92. value for a search for a suitable prime.
    93. 

  93. 

  94. David Kravitz' technique generates random numbers from successive seeds
    95. 

  95. until one is found to be a suitable prime.  This is unbearably slow for
    96. 

  96. primes of the special form being sought, but it can be sped up, at a
    97. 

  97. negligible cost in uniformity of the chosen primes by generating only a
    98. 

  98. starting position for a linear search for a suitable prime.  Such a
    99. 

  99. search can be carried out particularly efficiently.
    100. 

  100. 

  101. * Details of the technique
    102. 

  102. 

  103. The generator is based on SHA.1, the FIPS 180.1 secure hash algorithm.
    104. 

  104. This takes the given seed as input and produces a 160-bit output
    105. 

  105. sequence in 20 bytes.  These bytes are taken as a big-endian number to
    106. 

  106. produce a number n0 from 0 to 2^160-1.
    107. 

  107. (I.e. n0 = 2^152 * byte0 + 2^144 * byte1 + ... + 2^8 * byte19 + byte20.)
    108. 

  108. 

  109. Then, the seed is incremented, as a big-endian array of bytes, modulo its
    110. 

  110. size (i.e. the last byte is incremented, propagating carry if necessary),
    111. 

  111. and hashed again to produce n1, then n2, etc.
    112. 

  112. 

  113. A number of arbitrary size may be constructed by concatenating
    114. 

  114. N = n0 + 2^160 * n1 + 2^320 * n2 + ....  To get a number no larger
    115. 

  115. than 2^k, take the low-order k bits of N, N mod 2^k.  Obviously,
    116. 

  116. if k is 1024, it is only necessary to compute n0 through n6.
    117. 

  117. 

  118. To generate a k-bit prime p (2^k > p >= 2^(k-1)), take t = N mod 2^(k-2),
    119. 

  119. i.e. a number with at most k-2 significant bits.  Then add 2^(k-1),
    120. 

  120. to force the number into the desired range, and 2^(k-2), to force it
    121. 

  121. into the high half of the range.  This extra refinement makes an attack
    122. 

  122. more expensive, without affecting the time required to do computations
    123. 

  123. mod p.  Additional high-order 1 bits could be forced, but the incremental
    124. 

  124. benefit rapidly diminishes.
    125. 

  125. 

  126. The resultant number t is used as the starting point in a search for a
    127. 

  127. suitable prime p.  p is chosen to be the first number >= t such that p
    128. 

  128. is prime and (p-1)/2 is prime.
    129. 

  129. 

  130. * Choice of seed
    131. 

  131. 

  132. Because SHA.1 is a cryptographic hash, it is computationally infeasible
    133. 

  133. to find an input which has a given output.  Indeed, there is no known
    134. 

  134. technique better than brute-force search to find an input which
    135. 

  135. produces an output with any special properties.  Assuming that there is
    136. 

  136. an unknown class of primes which are easy to solve the discrete
    137. 

  137. logarithm problem for, this ensures that the chance of choosing a prime
    138. 

  138. p which is a member of that class is no better than random chance,
    139. 

  139. regardless of malice on the part of the designer.
    140. 

  140. 

  141. The seed chosen is arbitrary, so was chosen for aesthetic reasons.
    142. 

  142. It is the 79 bytes of the ASCII representation of a quote by Mahatma
    143. 

  143. Gandhi:
    144. 

  144. 

  145. Whatever you do will be insignificant, but it is very important that you do it.
    146. 

  146. 

  147. * Implementation details
    148. 

  148. 

  149. Obviously, a program was written to find a prime according to these
    150. 

  150. rules.  To aid anyone who wishes to repeat the search to confirm that
    151. 

  151. the published primes were indeed generated in this way, here is a
    152. 

  152. description of how it was done.  The primes if the desired form have a
    153. 

  153. density of about (ln p)^-2.  E.g. for 1024-bit p, about one out of
    154. 

  154. every 503791 numbers meets these criteria, so a considerable amount of
    155. 

  155. searching is required.  The following techniques can make the
    156. 

  156. computation tolerable.
    157. 

  157. 

  158. First, note that q must be odd and not congruent to 0, modulo 3.  Thus,
    159. 

  159. q must be congruent to +/-1, modulo 6.  Thus p = 2*q+1 must be
    160. 

  160. congruent to 2*1+1 = 3 or 2*-1+1 = -1 modulo 12.  But p congruent to 3
    161. 

  161. mod 12 would be divisible by 3, and not prime, so p must be congruent
    162. 

  162. to 11 mod 12.
    163. 

  163. 

  164. Thus, the initial search point t can first be increased until it is
    165. 

  165. congruent to 11 modulo 12.  Searching from this point forward, only
    166. 

  166. every 12th number, t+12*i, needs to be considered.
    167. 

  167. 

  168. If it is desired to choose p so that 2 is a quadratic residue (meaning
    169. 

  169. that p is congruent to +/-1 modulo 8), then this additional constraint
    170. 

  170. can be met with no additional difficulty by beginning at the next
    171. 

  171. number which is congruent to 23 mod 24 and searching in steps of 24.
    172. 

  172. But in the following discussion, a step size of 12 is assumed.
    173. 

  173. 

  174. Then, a sieve is built for trial division by a number of small primes
    175. 

  175. for a range of following i values.  For large primes, a large search
    176. 

  176. space is required, so a large sieve is desirable.  The value used was
    177. 

  177. 65536 bits (8K bytes).  It may be necessary to rebuild the sieve
    178. 

  178. beginning at t+12*65536 if no suitable prime is found before then, but
    179. 

  179. this sieve is large enough that the refilling is infrequent and the
    180. 

  180. overhead is negligible.
    181. 

  181. 

  182. Initially, every position in the sieve is marked as a potential prime.
    183. 

  183. Then, for the small primes s from 5 through 65521, position i in the
    184. 

  184. sieve is marked as unsuitable if t+12*i is divisble by s, i.e.
    185. 

  185. definitely not prime.  To do this cheaply, consider that t+12*i = 0
    186. 

  186. (mod s) if i = -12^-1 * t (mod s).  So finding t mod s, then 12^-1 (mod
    187. 

  187. s) and multiplying (mod s) will produce the first i value which is
    188. 

  188. known to be divisible by s, and then every s positions thereafter in
    189. 

  189. the sieve will be divisible.  This does the equivalent of a great deal
    190. 

  190. of trial division with minimal effort.
    191. 

  191. 

  192. Positions in the sieve are also marked as as unsuitable if (t-1)/2+6*i
    193. 

  193. = 0 (mod s), because these positions will have (p-1)/2 divisible by s
    194. 

  194. and thus non-prime.  This works similarly, and (t-1)/2 mod s can be
    195. 

  195. derived from t mod s without actually doing another full division.
    196. 

  196. 

  197. This sieve filters out all but 1/591 of the possible values of i as
    198. 

  198. obviously composite, leaving an expected 852 numbers to be checked by
    199. 

  199. stronger means before a suitable prime p is found.
    200. 

  200. 

  201. After these two sieving operations have removed all numbers from
    202. 

  202. consideration where p or q = (p-1)/2 have small divisors, the remaining
    203. 

  203. candidates are subjected to a fast optimized Fermat test, to the base 2,
    204. 

  204. once for p and once for q.  This eliminates, for practical purposes,
    205. 

  205. all composite numbers.
    206. 

  206. 

  207. Special composite numbers can be chosen which pass this test and yet
    208. 

  208. are not primes - they are called pseudoprimes - but they are so rare in
    209. 

  209. the ranges considered that the chances of finding one without
    210. 

  210. deliberate search are utterly negligible.  And the stating value for
    211. 

  211. the search was carefully chosen to have no hidden special properties.
    212. 

  212. 

  213. If p and q are found to be prime by this test, some extra confirmation
    214. 

  214. pseudoprimality tests are performed just to make sure of the conclusion
    215. 

  215. and p is returned as the result.
    216.