[Cryptography] Why are Diffie-Hellman key sizes multiples of 64?
iang
iang at iang.org
Mon Jan 26 01:56:28 EST 2026
On 26/01/2026 04:16, Jon Callas wrote:
>
>> On Jan 25, 2026, at 01:14, Pierre Abbat <phma at bezitopo.org> wrote:
>>
>> Does this requirement come from the library they're using? I don't see what's
>> wrong with using a 4184-bit or 4235-bit prime, as long as it's a safe prime,
>> strong prime, or Fouvry prime.
> It's a stupid requirement coming from programmers who don't want to do the work to make it work with any machine word size. Nothing to do with the math.
>
> Now, speaking out of the other side of my mouth, if you assume your numbers fit neatly into machine words, you can write a simplified, faster algorithm. At least that's what it says on the marketing brochure.
>
> There was a time when we considered it important that a key be of any reasonable size. I remember having RSA keys that were not 1024 bits, but 1123 bits; cheekily I picked prime numbers of bits of key length because it amused me. It was also a test case for QA -- use the key of weird length in your unit test.
>
> I also remember that there were weird ass restrictions on CAPI. Pulling it out of the mental bit rot, CAPI could do an RSA key of a length that was a multiple of eight bits, plus or minus one.
>
> There's no math reason, it's an engineers-being-lazy reason, where "lazy" might be a pejorative way to say "prudent." Or not.

Yeah, I remember this well. The old Cryptix RSA used to barf on your
odd-length RSA keys.

When you hinted at the time it was an odd-length key, and I checked more
closely, I realised I was dealing with an unhelpful corner case.

Since then I've just strictly limited the key lengths to a known good set,
and avoided all that. It is a valuable check, in the sense of QA, but my
engineer's mind calls fashion statements in crypto a WOFTAM.

iang
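
Added example, not part of the thread and not code from Cryptix, CAPI or any library mentioned: a weird-length unit test of the kind described above, running Diffie-Hellman over a group whose modulus is neither a multiple of 64 nor of 8 bits. The 67-bit size is a toy chosen so the search runs instantly, all function names are hypothetical, and the `naive` flag models an assumed rounded-down length calculation, not any real library's behaviour.

```python
import secrets

WORD_BITS = 64  # assumed machine word ("limb") size
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic for n < 2**78

def is_prime(n):
    if n < 2:
        return False
    for q in MR_BASES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True

def safe_prime(bits):
    """Smallest safe prime p = 2q + 1 of exactly `bits` bits (toy sizes only)."""
    p = (1 << (bits - 1)) + 3  # safe primes above 5 are 3 mod 4
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 4
    return p

def limbs(bits):
    """(number of words, bits used in the top word) for a `bits`-bit modulus."""
    return -(-bits // WORD_BITS), (bits - 1) % WORD_BITS + 1

def encode_fixed(x, bits, naive=False):
    """Fixed-width big-endian encoding; `naive` models a rounded-down length."""
    return x.to_bytes(bits // 8 if naive else (bits + 7) // 8, "big")

def dh_roundtrip(bits):
    """Run DH over an odd-sized group and round-trip the encoded secret."""
    p = safe_prime(bits)
    q = (p - 1) // 2
    a, b = (secrets.randbelow(q - 2) + 2 for _ in range(2))
    A, B = pow(4, a, p), pow(4, b, p)  # 4 generates the order-q subgroup
    s1, s2 = pow(B, a, p), pow(A, b, p)
    enc = encode_fixed(s1, bits)
    return p, s1 == s2, len(enc), int.from_bytes(enc, "big") == s1
```

With `naive=True`, encoding any full-width value such as `p - 1` raises `OverflowError`, which is the sort of corner case an odd-length key flushes out in QA.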