[STDS-802-11-TGAI] modp group question
Rene Struik writes:
> RFC 3526 specifies a number of MODP groups Zp, but does not seem to
> specify the order q of the prime-order subgroup G of Zp\{0} to be used
> with DH. The RFC document does not mention what the presumed
> cryptographic bit strength of any of these discrete log groups is. Do
> you know where the q-values in RFC 3526 are defined?
All the group specified in the RFC3526 are generated using rules set
in the RFC2412, i.e. they are Sophie Germain primes. That means p and
(p-1)/2 are both primes, and if I have understood correctly the order
q of the prime-order subgroup is that (p-1)/2.
See Appendix E in RFC2412 for information how those groups were
generated.
> This topic came up, since 802.11ai/D0.4 refers to the IANA DLP groups as
> allowed groups for FILS authentication.
>
> For specification purposes, one needs to know
> a) presumed cryptographic bit strength;
As the strength estimates between different cryptographers changes
depending what kind of estimation is used, the RFC 3526 section 8
includes two different values:
+--------+----------+---------------------+---------------------+
| Group | Modulus | Strength Estimate 1 | Strength Estimate 2 |
| | +----------+----------+----------+----------+
| | | | exponent | | exponent |
| | | in bits | size | in bits | size |
+--------+----------+----------+----------+----------+----------+
| 5 | 1536-bit | 90 | 180- | 120 | 240- |
| 14 | 2048-bit | 110 | 220- | 160 | 320- |
| 15 | 3072-bit | 130 | 260- | 210 | 420- |
| 16 | 4096-bit | 150 | 300- | 240 | 480- |
| 17 | 6144-bit | 170 | 340- | 270 | 540- |
| 18 | 8192-bit | 190 | 380- | 310 | 620- |
+--------+----------+---------------------+---------------------+
> b) value of order q of prime order subgroup.
(p-1)/2.
> The value of q is required for use of DSS with the groups in question
> (since signatures have size roughly 2*bit-size(q)). The presume
> bit-strength would help in specifying which hash functions are supposed
> to be used of "matching" security strength.
--
kivinen@xxxxxx
_______________________________________________________________________________
IF YOU WISH to be Removed from this reflector, PLEASE DO NOT send your request to this
CLOSED reflector. We use this valuable tool to communicate on the issues at hand.
SELF SERVICE OPTION:
Point your Browser to - http://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGAI and
then amend your subscription on the form provided. If you require removal from the reflector
press the LEAVE button.
Further information can be found at: http://www.ieee802.org/11/Email_Subscribe.html
_______________________________________________________________________________