[Cryptography] mathematical constants

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Jun 9 02:55:02 EDT 2026


Paul Wouters <paul at nohats.ca> writes:

>There was also the RFC 5114 MODP values, but I guess it doesn't count either
>because we don't have trapdoor values, even if we are fairly sure they exist
>:P

Well... we strongly suspect them but no-one's ever come forward with any
evidence, but then you'd still have to have rocks in your head to use them:
For people not familiar with the numbers, first there were the Oakley groups,
RFC 2409, updated with more modern ones in RFC 3526, both with known,
published, and independently verified generation techniques.

Then RFC 5114, with MODP groups equivalent to a smaller subset of the existing
widely-used RFC 3526 ones appeared but with no explanation for where the magic
values came from (to quote a paper on password complexity rules, "they appear
to have been pulled out of thin air, or perhaps less well-lit regions").  Like
a number of other RFCs, there is literally no reason for RFC 5114 to exist,
and in fact given that far more comprehensive sets of MODP groups with public,
verified derivation values exist the RFC with its unknown-source values may as
well have been published with a giant "Never use this" banner across the top.

Finally, the TLS folks had a go at inventing their own values in RFC 7919 [0],
again doing the same thing as RFC 3526 but with usage requirements so... well,
I can't think of an appropriate euphemism for "braindamaged" so let's call it
that, that by more or less universal unspoken consensus among implementers
everyone ignored it until TLS 1.3 came along and said you had to use the 7919
groups instead of the universal-standard RFC 3526 values as a means of finally
getting these orphaned groups adopted... but then everyone ignored that as
well.

Peter.

[0] You can't be a real country unless you have a beer and an airline.  It
    helps if you have some kind of a football team, or some nuclear weapons,
    but at the very least you need a beer.

    And some MODP groups -- Frank Zappa.
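
The "known, published, and independently verified" derivation of the Oakley groups can be checked directly. The following is an added example, not part of the original post: it recomputes the RFC 2409 Group 1 prime from pi using that RFC's formula and offset 149686, compares it with the published hex, and runs a Miller-Rabin test on p and (p-1)/2. Function names are this example's own.

```python
# Added example: rebuild the RFC 2409 Oakley Group 1 prime from pi.
# The hex is the 768-bit prime as published in RFC 2409, section 6.1.
PUBLISHED_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
"""

def arctan_inv(x, scale):
    """Fixed-point arctan(1/x) * scale from the alternating Taylor series."""
    total = term = scale // x
    n, sign = 3, -1
    while term:
        term //= x * x
        total += sign * (term // n)
        n, sign = n + 2, -sign
    return total

def floor_pi_shifted(bits, guard=64):
    """floor(pi * 2**bits) via Machin's formula; guard bits absorb rounding."""
    scale = 1 << (bits + guard)
    return (16 * arctan_inv(5, scale) - 4 * arctan_inv(239, scale)) >> guard

def derive_prime(bits, offset):
    """2^bits - 2^(bits-64) - 1 + 2^64 * (floor(2^(bits-130) * pi) + offset)."""
    body = floor_pi_shifted(bits - 130) + offset
    return (1 << bits) - (1 << (bits - 64)) - 1 + (body << 64)

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29)):
    """Miller-Rabin with fixed small bases (a probabilistic test)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def verify_group1():
    """Return (matches published hex, p is prime, (p-1)/2 is prime)."""
    p = derive_prime(768, 149686)   # offset given in RFC 2409
    published = int("".join(PUBLISHED_HEX.split()), 16)
    return p == published, is_probable_prime(p), is_probable_prime((p - 1) // 2)
```

A group whose constants come with no such recipe offers nothing comparable to recompute.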

