Add description of how the primes from RFC 3526/7919 were generated

2017-09-27 12:42:59 +01:00 · 2017-09-27 12:42:59 +01:00 · b1d4d1fa6e
commit b1d4d1fa6e
parent 8c8b0ab877
1 changed files with 16 additions and 0 deletions
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
@ -77,6 +77,22 @@
 * \deprecated The primes from RFC 5114 are superseded by the primes
 *             from RFC 3526 and RFC 7919 and should no longer be used.
 *             They will be removed in the next major revision.
+ *
+ * The primes from RFC 3526 and RFC 7919 have been generating by the following
+ * trust-worthy procedure:
+ * - Fix N in { 2048, 3072, 4096, 6144, 8192 } and consider the N-bit number
+ *   the first and last 64 bits are all 1, and the remaining N - 128 bits of
+ *   which are 0x7ff...ff.
+ * - Add the smallest multiple of the first N - 129 bits of the binary expansion
+ *   of pi (for RFC 5236) or e (for RFC 7919) to this intermediate bit-string
+ *   such that the resulting integer is a safe-prime.
+ * - The result is the respective RFC 3526 / 7919 prime, and the corresponding
+ *   generator is always chosen to be 2 (which is a square for these prime,
+ *   hence the corresponding subgroup has order (p-1)/2 and avoids leaking a
+ *   bit in the private exponent).
+ *
+ * The above description can be validated using the
+ * the program programs/util/rfc_3526_7919_verify.
 */

 const char *mbedtls_dhm_rfc3526_modp_2048_p;