Hi Joy,
"q" is the order of the group defined by the "g". If you want to use
the FIPS 186-3 process for generating a D-H key pair with the other MODP
groups that don't have a defined order (like 5, 14, 15, 16...) you can
just use (p-1/2) for the value "q".
There are going to be q distinct elements in the group and while
D-H will work with a private value x: q < x < p, you will be doing more
modular exponentiation. The FIPS 186-3 process is ensuring that your
private value, x, will be taken from a uniformly random distribution of
numbers less than q and therefore the public value y=g^x mod p will be
a random element in the group (which is what you need for D-H).
regards,
Dan.
On Fri, March 26, 2010 2:25 pm, Joy Latten wrote:
> Hi,
>
> I am looking to implement modp groups 22, 23, and 24 into IKE but have a
> question.
>
> RFC 5114 gives the prime, p, the generator, g and a subgroup, q, with a
> specific size...
>
> Because prior rfcs for modp groups did not specify a "q", I was not sure
> if this was a new constant or just stating a size requirement?
> So I took a look at NIST 800-56A. In particular,
>
> 5.6.1 Private/Public Key Pair Generation
>
> 5.6.1.1 FFC Key Pair Generation
> For the FFC schemes, each static and ephemeral private key and public
> key shall be generated using an Approved method and the selected valid
> domain parameters (p, q, g{, SEED,pgenCounter}) (see Appendix B of FIPS
> 186-3).
> ...
>
> I then took a look at FIPS 186-3, Appendix B, which documents 2 methods
> for finite field cryptography (FFC) key pair generation.
> For example, one method is "Key Pair Generation Using Extra Random
> Bits". It actually states that "q" is an input and it is used to do an
> additional computation to compute "x".
>
> I am somewhat confused, are the modp groups 22, 23 & 24 suppose to use
> one of these new methods and that is why "q" is given in rfc 5114?
> Or am I to ignore this and just continue with existing way
> where "q" is not used and there aren't any additional computations
> to compute x.
>
> I am not even sure this is correct place to ask, but any advice
> would be welcome.
>
> regards,
> Joy
>
>
> (Cut-n-paste from FIPs 186-3 below to show input and process)
>
> Input:
> (p, q, g) The subset of the domain parameters that are used
> for this process. p, q and g shall either be
> provided as integers during input, or shall be
> converted to integers prior to use.
>
> Process:
> 1. N = len(q); L = len(p). Comment: Check that the (L, N) pair
> is specified in Section 4.2.
> 2. If the (L, N) pair is invalid, then return an ERROR indicator,
> Invalid_x, and Invalid_y.
> 3. requested_security_strength = the security strength associated
> with the (L, N) pair; see SP 800-57.
> 4. Obtain a string of N+64 returned_bits from an RBG with a security
> strength of requested_security_strength or more. If an ERROR
> indication is returned, then return an ERROR indication,
> Invalid_x, and Invalid_y.
> 5. Convert returned_bits to the (non-negative) integer c (see
> Appendix C.2.1).
> 6. x = (c mod (qâ1)) + 1. Comment: 0 ⤠c mod (qâ1) ⤠qâ2
> and
> implies that 1 ⤠x ⤠qâ1.
> 7. y = gx mod p.
> 8. Return SUCCESS, x, and y.
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
