Re: Prime example of a can of worms

[Daniel Kahn Gillmor <dkg () fifthhorseman net>]

On Thu 2015-10-22 19:37:49 -0400, Kurt Seifried wrote:
> Sorry when I said a "large" pool I meant more then the current 5 or so that
> seem to be in popular use, but certainly not more than a few hundred.

ok, that's a relief :) but, running the numbers, even 100 hundred
2048-bit groups comes out to a quarter MiB of RAM.  (i figure 256 bytes
per prime, a well-known, shared generator)

Larger groups (or more groups) inflate the size even further.  I know
RAM is cheap these days but for embedded devices a quarter meg or more
of RAM is still not insignificant.

> Basically we're in agreement, I think nothing under 2048 should even be
> considered, and we probably need to bump that up in a few years anyways.

yep, agreed.

> I've also been going through source code to see how people use dh
> params/treat them, and I have some worrying results (basically what I
> expected though, everything is terrible as usual)

:/

> I'm going to be writing this up as an article rather than a long email as I
> have a few more sticky points to raise (security rabbit holes are so much
> fun).

I look forward to reading it.

  --dkg