Change DH parameters to generate the order q subgroup instead of 2q

[bernd-edlinger]

This avoids leaking bit 0 of the private key.

Checklist

• documentation is added or updated
• tests are added or updated

[Fiona-J-W]

Naturally I like the direction of this, but I would suggest to also add 4 as possible generator and probably even make that the default: Since 4 is a squre over the natural numbers, it will also always be one in Z_p, allowing to both skip the test and take all safeprimes, making this into a performance-improvement as well.

(I don't know enough about efficient squaring with 2 vs. 3 vs. 4 vs. 5 to make a statement which one is the fastest, but I at least would not be surprised if 4 would outperform 3 and 5 if there is a difference at all.)

[bernd-edlinger]

Good news is: 3 is always a square over safe primes. And DH_check will now only check that
1 < g < p-1, and will no longer insist in g being a non-residue.
The significant speed-up for generating -5 and the general case is only because the
"add" parameter was not a multiple of 4 together with the fact that the probable_prime.
functions do not check if q=(p-1)/2 has a factor of 2, therefore 50% of the safe prime
candidates were == 1 mod 4.

[bernd-edlinger]

Correction: I meant 3 is always a square over safe primes > 7
it is of course not a square for p=5 and 7

[Fiona-J-W]

Good news is: 3 is always a square over safe primes

Do you have a proof for that? I'm not saying that I don't believe you, after all I just wrote a script that failed to find a counter-example, but a proof is of course still the best way to approach this topic.

[bernd-edlinger]

Yes. It is in the comment that I have unscrambled:
https://github.com/openssl/openssl/blob/a626d72da1141a2fe99ab1aa12183a5d2295c1a5/crypto/dh/dh_gen.c#L35-L55
Thus: 3 is a square modulo p if 3^((p-1)/2) == 1 (mod p).
That is simply the Legendre symbol: (3/p) == 1
Using quadratic reciprocity law I get: (3/p) == (-1)^((p-1) * (3-1)/4) * (p/3) = (-1)^((p-1)/2) * (p/3)
Since p is a safe prime (> 5) (p-1)/2 is odd: (3/p) == - (p/3)
when is (p/3) == -1 ?
by Euler criterion that is p^((3-1)/2) == -1 (mod 3) or p == 2 (mod 3), which true for all safe primes (> 7).
QED.

[kroeckx]

I wonder if this qualifies as a bug fix, and should get backported to 1.1.1

[Fiona-J-W]

Okay, I'm convinced of three. I don't claim to have an intuitive understanding of why the proof works, but doing the math (and believing a handful of theorems) it does indeed come up with that result.

So while this means that three is a good default, I still think that the very simple proof for four has enough merit to justify the inclusion on the basis that people might be more willing to trust it. Normally that shouldn't be too much of an issue, but if the option is offered in the end-user-interface in the first place, then this part shouldn't hurt.

Regarding whether this is a bug: I argued that it is one from the start because it leaks secrets (one bit in DH doesn't hurt too much, but if someone were to use the groups with ElGamal the effect could be devastating) and because it wastes a substantial amount of performance.

[bernd-edlinger]

I don't see any reason why DH parameters should change the default from 2 to any other number.

I'll explain why I think that 2, 3, 5 is a more sensible choice than say 2, 4, 5.

Let's consider for instance P=14440944214298199839
it's a random 64-bit safe prime, where g=2,3,4,5,6,7,8,9,10,11,12 are all squares.

I can instantly solve

2^x = 4 (mod P)

result: x = 2

I can even solve

4^x = 2 (mod P)

result: x = 3610236053574549960
it is the modular inverse of 2 (mod (P-1)/2)

sage: R = IntegerModRing((P-1)/2)
sage: x = R(1)/R(2)
sage: x
3610236053574549960
sage: pow(4,3610236053574549960,P)
2

but I can't solve:

2^x = 3 (mod P)
2^x = 5 (mod P)

3^x = 2 (mod P)
3^x = 5 (mod P)

5^x = 2 (mod P)
5^x = 3 (mod P)

can you solve them?

[bernd-edlinger]

but I can't solve:
2^x = 3 (mod P)

Well, actually, I am able to solve this equation:
x = log2(3) = 5031007969892198751 (mod Q)

using python you can verify:

$ python -c "print pow(2,5031007969892198751,14440944214298199839)"
3

The following is a sage program that took > 1 hour to solve the discrete log.
See https://crypto.stanford.edu/pbc/notes/crypto/factoring.html for the math.
When that is done also all other log2 from prime numbers < 1000 are available.
But in comparison to log2(4), log2(p) it is rather difficult, and IMHO as hard as
the general discrete logarithm.

$ ./sage
┌────────────────────────────────────────────────────────────────────┐
│ SageMath version 8.7, Release Date: 2019-03-23                     │
│ Using Python 2.7.15. Type "help()" for help.                       │
└────────────────────────────────────────────────────────────────────┘
sage: P=14440944214298199839
....: Q=int((P-1)/2)
....: R=IntegerModRing(Q)
....: S=1000
....: N=300
....: y=3
....: g=2
....: n=0
....: m=matrix(R,N,S)
....: b=vector(R,N)
....: def search():
....:     global n, b, m
....:     l = n+10
....:     while n < l:
....:         r=int(random()*Q)
....:         a=int(random()*Q)
....:         z=int(pow(y,r,P)*pow(g,a,P)%P)
....:         if z == 1:
....:             print n,y,"^",r,"*",g,"^",a,"=",z
....:             b[n] = a
....:             m[n,y] = - r
....:             n=n+1
....:         else:
....:             f=factor(z)
....:             s=max(f)[0]
....:             if s<S:
....:                 print n,y,"^",r,"*",g,"^",a,"=",f
....:                 b[n] = a
....:                 m[n,y] = - r
....:                 for q in f:
....:                     p = q[0]
....:                     e = q[1]
....:                     if p == y:
....:                         m[n,y] = e - r
....:                     elif p == g:
....:                         b[n] = a - e
....:                     else:
....:                         m[n,p] = e
....:                 n=n+1
....:
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
0 3 ^ 1286377192436947200 * 2 ^ 5614090551836222464 = 7 * 79 * 113 * 149 * 383 * 479 * 587 * 641
1 3 ^ 6215426641318380544 * 2 ^ 2881796573469014016 = 2^3 * 3^4 * 89 * 421 * 487 * 613 * 683 * 811
2 3 ^ 2563370672982189056 * 2 ^ 5195891563016542208 = 3 * 5 * 7 * 19^2 * 73 * 149 * 293 * 313 * 389 * 439
3 3 ^ 1175964725620276480 * 2 ^ 6675000180841379840 = 2 * 13^2 * 29 * 97 * 197 * 223 * 401 * 503 * 599
4 3 ^ 784277984012773120 * 2 ^ 1888114348664523776 = 5^2 * 11 * 47 * 109^2 * 241 * 461 * 769 * 857
5 3 ^ 1942362562488026368 * 2 ^ 870332140295590784 = 2^4 * 3 * 5 * 13 * 17 * 47 * 193 * 269 * 281 * 397 * 757
6 3 ^ 253485012112898272 * 2 ^ 5052029536869434368 = 2 * 5 * 89 * 107 * 109 * 113 * 241 * 263^2 * 659
7 3 ^ 6183031388695760896 * 2 ^ 3157196248129823744 = 2^5 * 3 * 5^2 * 11 * 17 * 19 * 41 * 53^2 * 59 * 61 * 107
8 3 ^ 6794585090072000512 * 2 ^ 1601113383929228544 = 2^2 * 3^2 * 5^2 * 29 * 61 * 101 * 109 * 281 * 547 * 593
9 3 ^ 5616165193772672000 * 2 ^ 4845816344746883072 = 2 * 3^2 * 11 * 31^4 * 83 * 103 * 127 * 193 * 373
5869666605560879797 9478590363462733906
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
10 3 ^ 5211405805128364032 * 2 ^ 6529045315258305536 = 2^4 * 3 * 5 * 17 * 41 * 131 * 331 * 563 * 709^2
11 3 ^ 6604163059734738944 * 2 ^ 5358506155483098112 = 13 * 19 * 71 * 83 * 167 * 239 * 281 * 743 * 829
12 3 ^ 684119360271367680 * 2 ^ 2262544955412249088 = 2^4 * 3 * 5^2 * 97^2 * 449 * 613 * 653 * 887
13 3 ^ 2682954478368868352 * 2 ^ 3448126427473492480 = 2 * 3^4 * 5^4 * 17 * 31 * 61 * 127 * 173 * 263 * 421
14 3 ^ 5655787020136745984 * 2 ^ 237498993636097152 = 2^2 * 3 * 19 * 23^2 * 29 * 59 * 139 * 541 * 571 * 761
15 3 ^ 5677743490661448704 * 2 ^ 4922221060854460416 = 2^3 * 3^3 * 41^2 * 61 * 79 * 113 * 157 * 359 * 701
16 3 ^ 4401720154988454912 * 2 ^ 3907382750411156480 = 17^2 * 179 * 223 * 349 * 461 * 617 * 941
17 3 ^ 5866708536796592128 * 2 ^ 428541178879099840 = 3^2 * 5^3 * 31^2 * 47 * 67 * 109 * 229 * 311 * 487
18 3 ^ 588055260615898624 * 2 ^ 3972584349254431744 = 2 * 67 * 107 * 179 * 199 * 211 * 263 * 307 * 449
19 3 ^ 2143387536063532544 * 2 ^ 4425017473762291200 = 2^2 * 23 * 31 * 41 * 233 * 349 * 449 * 557 * 727
2846951731336111996 1641819527325012894
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
20 3 ^ 6979477423321349120 * 2 ^ 341658251503170752 = 3^2 * 7^2 * 37 * 127 * 157^2 * 479 * 701 * 727
21 3 ^ 4810309813608146944 * 2 ^ 6008229350956312576 = 2 * 17 * 23 * 137 * 313 * 491 * 773^2 * 877
22 3 ^ 4025275906101099008 * 2 ^ 1960808480208007424 = 2^2 * 3^4 * 5^2 * 11 * 13 * 109 * 347 * 373 * 881 * 977
23 3 ^ 4764398454433009664 * 2 ^ 6612646264705287168 = 2^2 * 7^2 * 11^2 * 23 * 41 * 47 * 59 * 229 * 613 * 857
24 3 ^ 1875076778385616128 * 2 ^ 6161913687067096064 = 11^2 * 19 * 79 * 173 * 197 * 317 * 797 * 877
25 3 ^ 5572587828617382912 * 2 ^ 4027200615397420544 = 2 * 5^2 * 17 * 31 * 53 * 73 * 239 * 313 * 389 * 829
26 3 ^ 717998047216522112 * 2 ^ 1998603821264472320 = 2 * 5^2 * 11^2 * 37 * 401 * 509 * 521 * 619 * 761
27 3 ^ 4032764240993999872 * 2 ^ 458501563658061696 = 2 * 5 * 23 * 43 * 53 * 191 * 283 * 563 * 647^2
28 3 ^ 4460183530335649280 * 2 ^ 1987414243699914496 = 3^2 * 23^4 * 83 * 101 * 113^2 * 179 * 293
29 3 ^ 6923504876403721216 * 2 ^ 7146114679574872064 = 2^4 * 5 * 31 * 61 * 79^2 * 523 * 673 * 997
4955767379087371026 5428527278131939204
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
30 3 ^ 952047149519215616 * 2 ^ 1826436043729710848 = 2^7 * 7 * 17 * 31 * 47 * 59 * 103 * 181 * 271 * 577
31 3 ^ 2001381983400015616 * 2 ^ 4953492172173204480 = 2 * 3^3 * 5^2 * 11 * 13 * 37 * 97 * 101 * 397 * 431 * 541
32 3 ^ 3178697889281142784 * 2 ^ 3768894360332626944 = 2^3 * 13^2 * 19^4 * 307 * 379 * 383 * 739
33 3 ^ 2060641185568720640 * 2 ^ 305105875253559296 = 2^5 * 19^3 * 31 * 53^2 * 109 * 463 * 911
34 3 ^ 6502718966875447296 * 2 ^ 1927876650301579264 = 2^2 * 3^4 * 5^3 * 193 * 199 * 461 * 563 * 727
35 3 ^ 3833389546886461952 * 2 ^ 4803617029317681152 = 2^3 * 13 * 17 * 37 * 59 * 61 * 97 * 547 * 709 * 887
36 3 ^ 5088000197724412928 * 2 ^ 1660716740419896832 = 79 * 89 * 101 * 149 * 163 * 397 * 661 * 773
37 3 ^ 1635141086918691328 * 2 ^ 701364478534060672 = 2^2 * 19^2 * 23 * 31 * 41 * 53 * 151 * 257 * 347
38 3 ^ 108397457869049936 * 2 ^ 1814569174511758848 = 2^2 * 3 * 5^5 * 7 * 59 * 67 * 83 * 311 * 419 * 587
39 3 ^ 6107563711417010176 * 2 ^ 6509975534613209088 = 2^4 * 3 * 7 * 17 * 127 * 157 * 251 * 419 * 509 * 941
1765037164899770266 2329031955343922157
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
40 3 ^ 2677733798775624192 * 2 ^ 1933481709907822592 = 2^6 * 5^4 * 13^2 * 31 * 229 * 349 * 829 * 977
41 3 ^ 3465691056818857984 * 2 ^ 1057460583604953600 = 2^2 * 31 * 71 * 383 * 389 * 421 * 479 * 977
42 3 ^ 3637046389081307136 * 2 ^ 6297119452143441920 = 7 * 109 * 163^2 * 229 * 281 * 307 * 653
43 3 ^ 131478428911755088 * 2 ^ 876583443769391104 = 2^3 * 3^4 * 79 * 263 * 347 * 491 * 631 * 809
44 3 ^ 1683559887510904064 * 2 ^ 2265059250225320192 = 3 * 7 * 17 * 31 * 43^3 * 83 * 107 * 881 * 941
45 3 ^ 6444956542836342784 * 2 ^ 1830298853430399744 = 2 * 3 * 5^2 * 83 * 193^2 * 277 * 347 * 367 * 797
46 3 ^ 6568050563783374848 * 2 ^ 4704488745823840256 = 2^4 * 11 * 13 * 17 * 37 * 41 * 67 * 73 * 103 * 151 * 461
47 3 ^ 5416960323619238912 * 2 ^ 3526987580735606784 = 2 * 3^6 * 5 * 7 * 11 * 29 * 97 * 107 * 181 * 241 * 499
48 3 ^ 6748059622116148224 * 2 ^ 5030417208755948544 = 2^3 * 5^2 * 11 * 79 * 127 * 409 * 499 * 521 * 941
49 3 ^ 2511716346898049024 * 2 ^ 5800869253428524032 = 2^4 * 17 * 37 * 43 * 101 * 103 * 379 * 547 * 853
1829897580748035593 2574447743826331505
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
50 3 ^ 4280936373178890752 * 2 ^ 3042003257475328000 = 3^5 * 17 * 23 * 31 * 53 * 137 * 307 * 311 * 563
51 3 ^ 6075248109174773760 * 2 ^ 4084563462197480960 = 2^4 * 3 * 73 * 83 * 89 * 211 * 373 * 727 * 887
52 3 ^ 1021096313253877 * 2 ^ 2220476116110508032 = 2 * 3^4 * 5 * 7 * 11 * 31 * 127 * 181 * 443 * 659 * 757
53 3 ^ 955162296457505024 * 2 ^ 3735019607259872256 = 29 * 37^2 * 41 * 43 * 73 * 137 * 163^2 * 701
54 3 ^ 5113426217121699840 * 2 ^ 2916353857253378560 = 2^3 * 3 * 43 * 97 * 151 * 443 * 569 * 593 * 787
55 3 ^ 5548311662243434496 * 2 ^ 3161563324629190144 = 2 * 3 * 5^5 * 23^3 * 47 * 53 * 103 * 241 * 719
56 3 ^ 6799523050944297984 * 2 ^ 5435538629114642432 = 2^2 * 13 * 19^2 * 23 * 41 * 97 * 151 * 193 * 337 * 419
57 3 ^ 1176407591326894592 * 2 ^ 2083058634626401536 = 2 * 7^2 * 19 * 37 * 179 * 349 * 373 * 677 * 907
58 3 ^ 6084337161619051520 * 2 ^ 3145752991753392640 = 2^3 * 5^2 * 7 * 11 * 107^2 * 139 * 431 * 491 * 997
59 3 ^ 6464706050769804288 * 2 ^ 5410182259843172352 = 2^5 * 5 * 17 * 19 * 59 * 89 * 307 * 347 * 619 * 631
4685128176378965499 8499628617943751614
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
60 3 ^ 2246911832338932992 * 2 ^ 7133785258032965632 = 2 * 47 * 67 * 107 * 157 * 179^2 * 367 * 379
61 3 ^ 7199544047481755648 * 2 ^ 1853586843380509440 = 2^3 * 3 * 5 * 13 * 29 * 61 * 101 * 103 * 227 * 547 * 769
62 3 ^ 6857049389790898176 * 2 ^ 3823423387243109376 = 2 * 3^2 * 7 * 11 * 29 * 53 * 191 * 283 * 379 * 431 * 487
63 3 ^ 3466487648633010688 * 2 ^ 5472494663298302976 = 2 * 3 * 5 * 67 * 113^3 * 151 * 199 * 223 * 683
64 3 ^ 2629720954363578880 * 2 ^ 3239764441750417920 = 11 * 13 * 29 * 31 * 43 * 71^2 * 509 * 733 * 787
65 3 ^ 591293154465904640 * 2 ^ 552089005006921088 = 2^2 * 5^2 * 23^2 * 29^2 * 41^2 * 181 * 509 * 647
66 3 ^ 3074248330375231488 * 2 ^ 1210989294631553792 = 2 * 3^2 * 7 * 13 * 19 * 83 * 211 * 233 * 251 * 443 * 739
67 3 ^ 1539342201872148480 * 2 ^ 5091988764444706816 = 2 * 7^2 * 11 * 17^2 * 67 * 101 * 157 * 193 * 491
68 3 ^ 5659108162205734912 * 2 ^ 4144721240285150720 = 5 * 7^2 * 11 * 19 * 43 * 67 * 163 * 233 * 641 * 643
69 3 ^ 2433821531318755328 * 2 ^ 6599388007481348096 = 2^2 * 3 * 7^3 * 11 * 37 * 59 * 233 * 383 * 761^2
5592995947336124562 13719769503782162692
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
70 3 ^ 3101688256750643712 * 2 ^ 1057584971227064448 = 2 * 3 * 5 * 13^2 * 19^2 * 29^2 * 43 * 353 * 421 * 809
71 3 ^ 7138367345136698368 * 2 ^ 4441268516473156096 = 2^4 * 13 * 173 * 379 * 677 * 821 * 971 * 983
72 3 ^ 2060026374425667584 * 2 ^ 6857171507823351808 = 283 * 457 * 509 * 541 * 659 * 701 * 809
73 3 ^ 489047704363685056 * 2 ^ 6835175836016439296 = 11 * 89 * 151 * 193 * 313 * 541 * 659 * 769
74 3 ^ 3177198731449574912 * 2 ^ 6246019751366392832 = 2 * 3^2 * 11^3 * 59 * 73 * 127 * 149 * 727 * 823
75 3 ^ 141949317944874544 * 2 ^ 2783506489308478464 = 2 * 3^2 * 11 * 29 * 31 * 47 * 139 * 151 * 193 * 467 * 617
76 3 ^ 4541612744503835136 * 2 ^ 6705959604300692480 = 2 * 37 * 43 * 109 * 367 * 409 * 463 * 673 * 853
77 3 ^ 4580220969588525056 * 2 ^ 1596299573659781120 = 2 * 7 * 151 * 173 * 337 * 383 * 433 * 439 * 977
78 3 ^ 2595414264815675392 * 2 ^ 2122341118345632256 = 2^3 * 5^4 * 11 * 19 * 23 * 31 * 59 * 251 * 647 * 827
79 3 ^ 5050624590188595200 * 2 ^ 5427138761680701440 = 2^5 * 5 * 11 * 23 * 29^2 * 83 * 101 * 139 * 359 * 967
831289850469494704 5019414818270322207
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
80 3 ^ 4680843903107339264 * 2 ^ 4294541287133755904 = 3 * 7 * 13^2 * 31 * 41 * 113 * 139 * 307 * 563 * 863
81 3 ^ 2872941563535285760 * 2 ^ 1317804380478926336 = 2 * 11 * 17 * 31 * 131 * 137 * 151 * 173 * 307 * 353
82 3 ^ 4761432245870259200 * 2 ^ 5222777124903930880 = 2^2 * 3 * 11 * 17 * 29 * 43^2 * 53 * 73 * 113 * 197 * 479
83 3 ^ 6244674829975501824 * 2 ^ 3190272290111065088 = 2^6 * 43 * 53 * 139 * 271 * 907 * 971 * 997
84 3 ^ 4726549221746832384 * 2 ^ 4144296337832620032 = 2^2 * 3 * 11 * 13 * 29^2 * 73 * 89 * 587 * 829 * 929
85 3 ^ 3443671457696090112 * 2 ^ 474057431944047808 = 2^3 * 5 * 61 * 181 * 251 * 373 * 461 * 607 * 821
86 3 ^ 2796489930548947968 * 2 ^ 3490243747318216192 = 7^2 * 17 * 61 * 173^2 * 179 * 197 * 409 * 617
87 3 ^ 1396883159289853696 * 2 ^ 2970892200726862848 = 2 * 67 * 101 * 241 * 547 * 607 * 839 * 991
88 3 ^ 5830750454292239360 * 2 ^ 2659575369476917248 = 2 * 7 * 31 * 47 * 53 * 163 * 173 * 541 * 727 * 887
89 3 ^ 930085477710521984 * 2 ^ 2717024588131269120 = 2^5 * 3 * 5^2 * 7^2 * 17 * 29 * 127 * 619 * 877 * 937
6627763044269177345 3002270073456290327
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
90 3 ^ 3301876321339675136 * 2 ^ 2241705862197111296 = 2 * 3^3 * 5 * 13 * 41 * 61 * 71 * 97 * 263 * 443 * 859
91 3 ^ 3656462209084076032 * 2 ^ 1065083743039586816 = 2 * 11 * 13 * 47 * 269 * 277 * 409 * 653 * 947
92 3 ^ 2791131751152194048 * 2 ^ 2966075438456105984 = 2^6 * 5 * 19 * 149^2 * 293 * 397 * 607 * 641
93 3 ^ 1163058474340002304 * 2 ^ 4857212197493165056 = 2^2 * 3^3 * 5^2 * 13 * 19 * 59 * 137 * 461 * 599 * 997
94 3 ^ 1450659660186796288 * 2 ^ 6874675233891540992 = 2^3 * 3^2 * 5 * 29 * 113 * 223 * 229 * 499 * 577 * 727
95 3 ^ 5314580061037290496 * 2 ^ 6196138409417199616 = 2^5 * 13 * 17 * 37^2 * 379 * 587 * 751 * 983
96 3 ^ 1717437938460381184 * 2 ^ 6790023303179318272 = 3^2 * 5 * 11 * 89 * 103^2 * 181 * 251 * 367 * 467
97 3 ^ 3005866632701315584 * 2 ^ 5190430473932683264 = 2^7 * 3^5 * 17 * 19 * 83 * 127 * 179 * 523 * 941
98 3 ^ 3025384915848582656 * 2 ^ 4577109781338087936 = 2^2 * 3^3 * 11 * 59 * 67 * 103 * 227 * 233 * 307
99 3 ^ 2811570668675479040 * 2 ^ 5970289737996165120 = 2 * 3 * 5 * 113 * 131 * 263 * 389 * 641 * 941
4285385109843351427 1532009916247152139
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
100 3 ^ 5083227775254304768 * 2 ^ 1906975078166566656 = 2 * 23 * 67 * 97 * 317 * 431 * 509 * 751 * 863
101 3 ^ 5053551234616289280 * 2 ^ 1752823771636390912 = 3 * 5^4 * 7 * 31 * 83 * 127 * 587 * 673 * 887
102 3 ^ 2761200745698127872 * 2 ^ 476577687026266688 = 2 * 7 * 59 * 71 * 157 * 499 * 677 * 881 * 947
103 3 ^ 4217090890119217664 * 2 ^ 4530725462976993792 = 2^4 * 3^2 * 13 * 17 * 23 * 43 * 103 * 461 * 547 * 911
104 3 ^ 204275946863854912 * 2 ^ 6401644987317114880 = 2^10 * 5 * 13 * 17 * 43^2 * 67 * 251 * 487
105 3 ^ 402604847762353088 * 2 ^ 1813121023676487424 = 2 * 5^3 * 7 * 23 * 47 * 59 * 179 * 331 * 601 * 859
106 3 ^ 2407642429306191360 * 2 ^ 1824454317884903936 = 2^4 * 3 * 5 * 7 * 67 * 233 * 283 * 347 * 461 * 941
107 3 ^ 4769982051174816768 * 2 ^ 2760930516912782848 = 2^2 * 3 * 7 * 13 * 23^2 * 31 * 269 * 587 * 739 * 859
108 3 ^ 6230415404646540288 * 2 ^ 1779937293025945600 = 2^3 * 13 * 31 * 37 * 89 * 107 * 139 * 307 * 347 * 641
109 3 ^ 390748162399929984 * 2 ^ 5335972318288942080 = 5 * 7^2 * 19^3 * 41 * 61 * 71 * 107 * 139 * 673
2195783023184321931 5118660893635111320
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
110 3 ^ 1693443308641690880 * 2 ^ 981154578132265856 = 2^2 * 3^5 * 29 * 83 * 101 * 137 * 311^2 * 743
111 3 ^ 2552567299978413056 * 2 ^ 5180033978018552832 = 3^4 * 5 * 11 * 47^2 * 53 * 131 * 347 * 557 * 727
112 3 ^ 2474752932252009984 * 2 ^ 2537298814852566528 = 3 * 11 * 23 * 67 * 71 * 431 * 863 * 881
113 3 ^ 3035201118568784896 * 2 ^ 5328878979998222336 = 2^3 * 5^3 * 7 * 17 * 67 * 83 * 89 * 173 * 283 * 839
114 3 ^ 1326703796205344768 * 2 ^ 5380703079026144256 = 2^5 * 3^2 * 5 * 13 * 31 * 73 * 103 * 109 * 223 * 307 * 439
115 3 ^ 5588925613853724672 * 2 ^ 2735683659888574464 = 2^2 * 5^4 * 17 * 29^2 * 269 * 479 * 613 * 983
116 3 ^ 4665646613720377344 * 2 ^ 6077495929985314816 = 2 * 13^2 * 17 * 127 * 167 * 263 * 433 * 857 * 953
117 3 ^ 5631078582983778304 * 2 ^ 1399258243977911552 = 3 * 5 * 23 * 107 * 113^2 * 157 * 457 * 461 * 829
118 3 ^ 2672300625893829632 * 2 ^ 4138894501474652672 = 2^4 * 3 * 11 * 71 * 79 * 83 * 149 * 421 * 691 * 787
119 3 ^ 1652582729070822400 * 2 ^ 2731544010757654016 = 2^2 * 3 * 7 * 17 * 23 * 47 * 223 * 277 * 349^2 * 569
1111282004614043663 11857626314420526240
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
120 3 ^ 3723336767104578048 * 2 ^ 5363289865934430208 = 3^2 * 13^2 * 17^2 * 97 * 113 * 223 * 761 * 859
121 3 ^ 1597655837722240768 * 2 ^ 799563453597023360 = 7 * 13 * 83 * 157 * 223 * 281 * 313 * 349 * 773
122 3 ^ 4962334729344335872 * 2 ^ 2727679536135156736 = 7 * 17 * 73 * 127 * 131 * 151 * 461 * 647 * 691
123 3 ^ 4504204988585094144 * 2 ^ 7029361150466657280 = 71 * 79 * 89 * 127 * 163 * 271 * 659 * 919
124 3 ^ 5669931509198772224 * 2 ^ 840992032418135040 = 2 * 13 * 23 * 47 * 61 * 107 * 181 * 277 * 461 * 997
125 3 ^ 5677542392464963584 * 2 ^ 2940537285623856640 = 2 * 3^2 * 5 * 31 * 41^2 * 67 * 233 * 293 * 677 * 739
126 3 ^ 5010285016155520000 * 2 ^ 610843607842457600 = 2^7 * 17 * 43 * 109 * 443 * 601 * 929^2
127 3 ^ 792209564566495104 * 2 ^ 3112261838093617152 = 5^2 * 19 * 137 * 263^2 * 811 * 907 * 983
128 3 ^ 6371336820240495616 * 2 ^ 366199772782459712 = 2^2 * 5 * 7^2 * 107 * 193 * 743 * 907^2 * 983
129 3 ^ 3486587079677486080 * 2 ^ 1359216928526616064 = 2 * 7 * 11^2 * 13 * 109 * 163^2 * 277 * 691 * 829
4564845984634232071 2985419775271494982
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
130 3 ^ 4322286755484418560 * 2 ^ 2217736468623444224 = 2^8 * 11^2 * 17 * 19 * 43 * 53 * 733 * 821 * 991
131 3 ^ 1528760249716409088 * 2 ^ 1498634765019036928 = 2^5 * 3 * 7^2 * 11 * 13 * 43 * 67 * 107 * 211 * 433 * 743
132 3 ^ 3569086992197360128 * 2 ^ 1260699033038076160 = 2^5 * 13 * 53 * 59 * 61 * 101 * 317 * 463 * 839
133 3 ^ 1558229851362385920 * 2 ^ 2349484895804423168 = 2^2 * 5^2 * 11^2 * 53 * 229 * 263 * 283 * 701 * 787
134 3 ^ 4552085608903014912 * 2 ^ 3342469928925788672 = 7 * 17 * 19 * 43 * 73 * 103 * 479 * 761 * 947
135 3 ^ 7151125741996265472 * 2 ^ 5191804274123631616 = 61 * 127 * 173 * 281 * 283 * 331 * 457 * 577
136 3 ^ 6704814757274741760 * 2 ^ 1559021042329256448 = 2^2 * 3^9 * 229 * 673 * 937 * 991 * 997
137 3 ^ 3921448143447753728 * 2 ^ 5303622232905123840 = 2^6 * 19 * 23 * 233 * 307 * 389 * 521 * 773
138 3 ^ 5706758442770380800 * 2 ^ 6813450060740365312 = 2^6 * 3 * 7 * 13 * 23 * 61 * 79 * 157 * 199 * 397 * 521
139 3 ^ 3493838723466032128 * 2 ^ 6661732251436161024 = 7 * 19 * 31 * 61 * 67 * 383 * 463 * 491 * 751
3948009120452798057 3740403396597409788
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
140 3 ^ 4512200133143913984 * 2 ^ 2699451743158530048 = 2^3 * 5 * 37 * 103 * 233 * 241 * 293 * 523 * 569
141 3 ^ 3561306972789641728 * 2 ^ 365607863996683712 = 13 * 67 * 101 * 109^2 * 113 * 241 * 383 * 647
142 3 ^ 6380676893867797504 * 2 ^ 2080228667587450880 = 2^2 * 3 * 5 * 19 * 41^2 * 167 * 307 * 359 * 571 * 619
143 3 ^ 2599477586191758848 * 2 ^ 5645750110438279168 = 47 * 89 * 97 * 113 * 157 * 223 * 509 * 853
144 3 ^ 7056202287054149632 * 2 ^ 7180555934933350400 = 3 * 5^2 * 29 * 61 * 89 * 191 * 211 * 421 * 643
145 3 ^ 6324337844057915392 * 2 ^ 1298083127437147904 = 2^7 * 5 * 79 * 163 * 241 * 293 * 719 * 761
146 3 ^ 4640450284147259392 * 2 ^ 5439038521670841344 = 3^3 * 5 * 43 * 73 * 97 * 103 * 419 * 907 * 971
147 3 ^ 6242040441174990848 * 2 ^ 2311374440672311296 = 2 * 13 * 53 * 101 * 127 * 131 * 139^2 * 157 * 857
148 3 ^ 6046725654386468864 * 2 ^ 3410129904169076736 = 5^2 * 7 * 13 * 29 * 31 * 37^2 * 97 * 103 * 127 * 563
149 3 ^ 6625880052194905088 * 2 ^ 43390667254575064 = 5 * 29 * 31 * 89 * 109^2 * 127 * 139 * 251 * 509
3322066151495225759 6572885793134298732
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
150 3 ^ 5668171830254029824 * 2 ^ 2633245142077920256 = 2 * 31 * 43 * 59 * 73 * 269 * 521 * 557 * 919
151 3 ^ 1565554322987257344 * 2 ^ 35093217780068152 = 2^8 * 7 * 13 * 17 * 37 * 79 * 113 * 137 * 227 * 421
152 3 ^ 98341814056001824 * 2 ^ 144995941727846944 = 2^2 * 13^2 * 59 * 107 * 443 * 751 * 769 * 881
153 3 ^ 3541658806849977856 * 2 ^ 2603363991463424000 = 2^4 * 5^4 * 17 * 41 * 53 * 239 * 379 * 397 * 401
154 3 ^ 5449409492021605376 * 2 ^ 2829047940999411200 = 2^4 * 3^2 * 11 * 13^2 * 37 * 41 * 101 * 433 * 599 * 631
155 3 ^ 1814530216539122688 * 2 ^ 5818668125691641856 = 2^2 * 3 * 7 * 11 * 37^2 * 83 * 293 * 353 * 757 * 887
156 3 ^ 4617799572595081216 * 2 ^ 6365718990600427520 = 2 * 7^2 * 13 * 19 * 107 * 181^3 * 541 * 773
157 3 ^ 2354677884747606016 * 2 ^ 2933100503455932928 = 5^4 * 17 * 23^2 * 29 * 47 * 71^2 * 563 * 577
158 3 ^ 3340097069197299200 * 2 ^ 7185715550829084672 = 2^2 * 11 * 83 * 173 * 191 * 269 * 487 * 547 * 607
159 3 ^ 5503913696117571584 * 2 ^ 2337675668523956736 = 5^9 * 19 * 41 * 71 * 173 * 397 * 499
4217087264500536085 11694820656002289212
sage: search(); log=m.solve_right(b); print log[3], pow(2,log[3],P)
160 3 ^ 138587721838801200 * 2 ^ 6110639602664293376 = 2^4 * 19 * 23^2 * 53 * 89 * 107 * 181 * 881
161 3 ^ 6227582662185768960 * 2 ^ 3981484022169435136 = 2^2 * 3^2 * 5 * 7^2 * 13^2 * 37 * 53 * 131 * 367 * 547
162 3 ^ 979318690808092800 * 2 ^ 6416124097068174336 = 2^2 * 3 * 7^2 * 71 * 97 * 109 * 157 * 331 * 389 * 547
163 3 ^ 4115542205204449792 * 2 ^ 3436887081227319808 = 2 * 7 * 53 * 101 * 263 * 367 * 569 * 683 * 809
164 3 ^ 3569739278299934208 * 2 ^ 4063295087039218176 = 2^2 * 5^2 * 17 * 71 * 109 * 113^2 * 151 * 281 * 599
165 3 ^ 4542922646786686976 * 2 ^ 2316251350701615616 = 2^2 * 3^3 * 7^2 * 11 * 17 * 41 * 53 * 101 * 227 * 233 * 521
166 3 ^ 2061973495705407488 * 2 ^ 6712368606973018112 = 3 * 5^6 * 17 * 73 * 233 * 373 * 751 * 947
167 3 ^ 6198049408548477952 * 2 ^ 2826005127338852864 = 3^2 * 5 * 11 * 71 * 151 * 173 * 227 * 241 * 347 * 613
168 3 ^ 816385152732361088 * 2 ^ 7132072165020309504 = 2 * 23 * 41 * 43 * 47 * 83 * 127 * 277 * 401 * 557
169 3 ^ 65728163448290984 * 2 ^ 336062915756654784 = 2^2 * 7 * 29 * 31 * 107 * 149 * 193 * 263 * 599 * 739
5031007969892198751 3
sage: print log[5], pow(2,log[5],P)
1570515639556296858 5
sage: print log[7], pow(2,log[7],P)
2768943948351930331 7
sage: print log[11], pow(2,log[11],P)
362781609455291976 11
sage: print log[13], pow(2,log[13],P)
6222614964455843566 14440944214298199826
sage: print log[13], pow(-2,log[13],P)
6222614964455843566 14440944214298199826
sage: print log[13], -pow(2,log[13],P)
6222614964455843566 13
sage: print log[17], pow(2,log[17],P)
3953741070557527444 17
sage: print log[19], pow(2,log[19],P)
6688450836673576577 14440944214298199820
sage: print log[19], -pow(2,log[19],P)
6688450836673576577 19
sage: print log[997], pow(2,log[997],P)
4572009413956270358 14440944214298198842
sage: print log[997], -pow(2,log[997],P)
4572009413956270358 997
sage:
Exiting Sage (CPU time 74m35.66s, Wall time 89m24.37s).

[vdukhovni]

Largely cosmetic changes suggested.

[vdukhovni]

The order of any element in a group of size 2q with q a prime, is 1, 2, q or 2q. Only 1 and p-1 have the first two orders, all other values of g have order q if g is a quadratic residue mod p and 2q otherwise. We should generally prefer quadratic residues and order q as this avoids having Z_2 as a subgroup, and "leaking bit 0" (do we really care about that???).

The choice of 2 as a generator is a sound default, because it makes key agreement computations more efficient. All the FFDHE groups for TLS 1.3 have g = 2 with g a quadratic residue of order q: https://tools.ietf.org/html/rfc7919#appendix-A

What this means for OpenSSL is that we should generally prefer p = 7 mod 8 to make 2 a quadratic residue, and also p = 2 mod 3 so that q = (p-1)/2 stands a chance of being prime, which combines to p = 23 mod 24 and q = 11 mod 12.

If we wanted 2 to be a non-residue so that g generates the whole order 2q multiplicative group, we'd need p = 3 mod 8, and p = 2 mod 3 as before, and so p = 11 mod 24. So OpenSSL previously prefers o(g) = 2q, but that's less preferred than o(g) = q. So our default choice of prime should switch from 11 mod 24 to 23 mod 24.

[bernd-edlinger]

right.

[vdukhovni]

Should we perhaps check that g != p - 1? Right now we're only checking for g < p.

[bernd-edlinger]

Yes, not 0, 1, p-1, not negative, not larger than p-1, etc...
That is why I added a call to DH_check_params above.

[vdukhovni]

Did I miss the check for p-1 somewhere? I did not see it where I expected to see it, perhaps did not look in the right place.

[vdukhovni]

Are you sure you're using DH_check_params() correctly? It does not return true/false for valid parameters, rather it returns a mask of misfeatures via its second argument...

[vdukhovni]

Is the idea to accumulate more "misfeature" bits before returning?

[bernd-edlinger]

Yes, I hope so.
The idea is to accumulate all bits from DH_check_params, and or in all bits from DH_check.

[bernd-edlinger]

Yes, exactly, in case DH_check_params adds more checks in the future.

[vdukhovni]

But 1 mod 8 makes q divisible by 4, so only 7 mod 8 is viable, and then as above also 2 mod 3, or in all 23 mod 24`.

[bernd-edlinger]

Right, this holds for any p = odd prime.
I use the properties of safe primes in the next paragraph.

[vdukhovni]

Again, 1 mod 12 is excluded, so 11 mod 12.

[bernd-edlinger]

yes. I wanted that result to be in sync with the literature about the Legendre symbol,
where p is odd prime, not safe prime.

[vdukhovni]

Again, only 4 mod 5, but also 3 mod 4 and 2 mod 3, so 59 mod 60.

[bernd-edlinger]

yes, that follows from p being a safe prime.
Again the reference below gives this result for p is odd prime.

[vdukhovni]

Probably harmless, but is this useful or necessary?

[bernd-edlinger]

Certainly harmless.
One might argue, it saves one additional modular multiplication by g.

[vdukhovni]

In the mod 5 case, what is the cost of computing p mod 5 every time we generate a key? Is it worth it? Since 256 mod 5 is one, the residue is just the sum of all the octets of p mod 5, which can perhaps be computed faster than a generic mod 5 reduction. But do we really case about g = 5? Does anybody actually use that?

[bernd-edlinger]

no, I'd bet 5, is never used. and it is probably more expensive than what it could save theoretically.

[bernd-edlinger]

please look here.

[bernd-edlinger]

*ret = 0; is removed, and DH_check_params used to initialize *ret.
So DH_check_params returns 1, but *ret is already DH_NOT_SUITABLE_GENERATOR.

[vdukhovni]

Please rebase so that CI checks can run.

[bernd-edlinger]

done.

[vdukhovni]

This can now be merged, after rebasing again (conflict in the CHANGES file?)

[bernd-edlinger]

Yes, okay, I wanted to wait 24H but that is quite difficult with that CHANGES file.

[bernd-edlinger]

Merged as a38c878. Thanks!

[mspncp]

Just an academical question, to satisfy my curiosity:

Does it really make a practical difference whether I choose my secret from an order 2q subgroup and leak a single bit, or choose it from an order q subgroup? Wouldn't my secret have log2(q) bits in both cases?

[bernd-edlinger]

No, don't worry, your parameters are still safe, if you use them for DH and not something else.
The main motivation for this was that RFC 7919 parameters use an order q subgroup as well,
but those did not pass the DH_check sanity test, however those parameters are perfectly sane.

[sam-github]

We have tests in Node.js that depended on this block of removed code. Perhaps wrongly. See nodejs/node#29550 (comment) for a discussion of what we could do work around this change as we update to 1.1.1d. Is it the position of OpenSSL that mods of 11 and 7 are in fact suitable generators, and that no one using DH with this param should have/would have been paying attention to this rc?

[bernd-edlinger]

You need a safe prime of at least 1024 bits, or better 2048 that will be safe for 30+ years.
g can generate the order-q or 2q subgroup but must of course not be 0, 1, p-1.

So 11 and 7 are safe primes, but they will be rejected in not too far future.

The order-q subgroup is preferable but even if we stop generating 2q subgroups
we will not have a check for g being a quadratic residue for backward compatibility.

For good tests vectors I would suggest use p=2048-bit safe prime,
and g=quadratic non-residue (as generated previously)

For bad test vectors use g=p-1, or p=not prime, or not safe prime.

[sam-github]

Thanks for the background, @bernd-edlinger

[Fiona-J-W]

@mspncp: It depends: For pure DHKX it doesn't really matter (though even if you argue that, the code was buggy before since it essentially had halve the performance it could trivially have had), for ElGamal the security of the entire scheme hinges on it. See my original article and bug-report for more information on the topic.