Re: iSCSI: SRP groups in Security-14 strawman

Paul Koning wrote:
>>>>>> "Black" == Black David <Black_David@emc.com> writes:
>
> >> If I remember right, there are performance benefits in some bignum
> >> implementations to having a modulus with a bunch of leading and/or
> >> trailing 1 bits. The IKE primes are constructed to achieve that,
> >> the SRP primes are not. In other words, because of that
> >> construction there IS value in allowing those primes; the IKE
> >> primes are NOT superfluous and should be allowed whether or not
> >> there are primes in the SRP reference software package of the same
> >> size. In other words, keep the 1024, 1536, and 2048 bit MODP
> >> primes, using the generator that Tom Wu identified.
>
> Black> Could you or someone double check on these performance impacts
> Black> and their magnitude?
>
> I looked in RFC2412, which mentions the benefit but doesn't quantify
> it. I also looked in the Handbook of Applied Cryptography, which
> describes a whole bunch of exponentiation algorithms. I'm not well
> enough versed in this stuff to translate the brief comment in RFC 2412
> plus the algorithms in HAC into a specific percentage benefit.

Also keep in mind that RFC 2412 also suggests advantages in using 2 as a
generator/base for modexp, though those advantages aren't quantified
either. I generated the SRP primes to have 2 as a base, whereas the MODP
primes cannot use 2 as a base with SRP.

Perhaps a simple benchmark might shed some more light on this.

Tom
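
Added example, not part of the original message or of any SRP or IKE code: a Python check of why the trailing 1 bits of a MODP prime rule out 2 as an SRP base. It rebuilds the 1024-bit MODP prime from the formula in RFC 2409 section 6.2 and assumes that the MODP primes are safe primes and that SRP needs a primitive root as its base; the function names and the prime 467 are constructed for illustration.

```python
# Added example. For a safe prime p = 2q + 1, g is a primitive root iff
# g**q == -1 (mod p). For g = 2 that holds only when p % 8 is 3 or 5; a prime
# ending in three or more 1 bits has p % 8 == 7, so 2 only has order q.

def arctan_inv(x, scale):
    """Fixed-point scale * arctan(1/x) from the alternating Taylor series."""
    term = scale // x
    total, x2, n, sign = term, x * x, 3, -1
    while term:
        term //= x2
        total += sign * (term // n)
        n, sign = n + 2, -sign
    return total

def pi_floor(bits, guard=64):
    """floor(2**bits * pi) via Machin's formula; guard bits absorb rounding."""
    scale = 1 << (bits + guard)
    return (16 * arctan_inv(5, scale) - 4 * arctan_inv(239, scale)) >> guard

def modp_1024():
    """1024-bit MODP prime: 2^1024 - 2^960 - 1 + 2^64 * ([2^894 pi] + 129093)."""
    return 2**1024 - 2**960 - 1 + 2**64 * (pi_floor(894) + 129093)

def two_is_primitive_root(p):
    """True if 2 generates the whole group mod the safe prime p."""
    q = (p - 1) // 2
    return pow(2, q, p) == p - 1

def smallest_primitive_root(p):
    """Smallest g >= 2 of full order 2q mod the safe prime p = 2q + 1."""
    q = (p - 1) // 2
    g = 2
    while pow(g, q, p) != p - 1:
        g += 1
    return g

# Constructed contrast case: 467 = 2*233 + 1 is a safe prime with 467 % 8 == 3.
TOY_SAFE_PRIME = 467

if __name__ == "__main__":
    for name, p in (("MODP-1024", modp_1024()), ("toy 467", TOY_SAFE_PRIME)):
        print(name, "p mod 8 =", p % 8,
              "| 2 is a primitive root:", two_is_primitive_root(p),
              "| smallest primitive root:", smallest_primitive_root(p))
```
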
Last updated: Tue Jul 30 10:39:09 2002 (11481 messages in chronological order)