Score:0

Why not use Diffie/Hellman Prime Numbers MUCH larger than 2048 bits?


Searches here indicate that D/H primes of 2048 bits are "safe"? How do we know that this is true? Using a pathetic retail laptop (Intel N5000 Silver) it's possible to find 60,000 bit primes and test them in about a week! Using a 60,000 bit prime in a custom D/H encryption program, and using the same pathetic retail laptop, encryption (or decryption) of a 100K byte message only takes a few seconds.

So the resource-intensive piece is finding long primes... after that the encryption or decryption is fast and accurate.

Why not use really long primes in D/H?

kelalaka
Do you mean Diffie-Hellman Key Exchange? It is not encryption, but rather a key exchange to encrypt symmetrically. Note that the 2048 is set due to the successful attacks. Look for [Discrete logarithm records](https://en.wikipedia.org/wiki/Discrete_logarithm_records) and see www.keylength.com
Score:5

> Searches here indicate that D/H primes of 2048 bits are "safe"? How do we know that this is true?

Actually, we don't - we don't know that Diffie-Hellman with any specific sized prime is secure [1]. That is, we don't know that the Diffie-Hellman problem is hard, that is, if the attacker sees the values $g^x \bmod p$, $g^y \bmod p$, and also knows the values $g, p$, it might be an easy problem to find the common value $g^{xy} \bmod p$.

Now, for a properly chosen value $p$ of 2048 bits in length (and also a good value of $g$ and $x, y$ chosen from good distributions), well, a lot of clever people have thought about it, and no one knows a way. Now, it is certainly possible that everyone missed something, however that's generally always true in cryptography.

So, you ask, why don't we go ultraconservative and use huge (say, 60,000 bit) primes? Well, mostly because of the costs:

  • 60,000 bit primes would imply 60,000 bit = 7.5kbyte keyshares - that would need to be exchanged each time. Exchanging 15k of data for each new exchange is more costly than we'd prefer.

  • The time taken - you said that a DH operation would take 'only a few seconds'; however, if you're on a big TLS server making tens of thousands of connections per second, a 'few seconds' per connection is rather a big deal.


[1]: The term 'safe prime' is most often used to denote a specific meaning; it is a prime $p$ with the value $(p-1)/2$ also being prime. I assume that you don't intend that specific meaning of 'safe' and that you really mean 'secure'.
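
The two costs listed in the answer above (bytes exchanged and time per operation) can be measured directly. This is an added example, not part of the original thread: the modulus is a constructed odd number of the right size rather than a real prime, and the exponent sizes, the seed and the function names are assumptions.

```python
import random
import time

def keyshare_bytes(p_bits):
    """Bytes needed to send one public value g^x mod p."""
    return (p_bits + 7) // 8

def standin_modulus(p_bits, rng):
    """Constructed odd number of exactly p_bits bits. NOT prime and NOT a usable
    DH parameter; modexp cost depends on operand size, not on primality."""
    return rng.getrandbits(p_bits) | (1 << (p_bits - 1)) | 1

def dh_exchange(p_bits, exp_bits, seed=1):
    """Run both sides of one exchange and report size and timing."""
    rng = random.Random(seed)            # fixed seed: reproducible demo, not secret keys
    p, g = standin_modulus(p_bits, rng), 2
    x = rng.getrandbits(exp_bits) | 1    # Alice's private exponent
    y = rng.getrandbits(exp_bits) | 1    # Bob's private exponent
    t0 = time.perf_counter()
    A = pow(g, x, p)                     # Alice -> Bob keyshare
    B = pow(g, y, p)                     # Bob -> Alice keyshare
    k_alice = pow(B, x, p)
    k_bob = pow(A, y, p)
    per_party = (time.perf_counter() - t0) / 2   # each side does two modexps
    return {"p_bits": p.bit_length(),
            "wire_bytes": 2 * keyshare_bytes(p_bits),
            "agree": k_alice == k_bob,
            "seconds_per_party": per_party}

if __name__ == "__main__":
    # (modulus bits, exponent bits); the exponent sizes are assumptions.
    for p_bits, exp_bits in [(2048, 256), (2048, 2048), (60000, 256)]:
        r = dh_exchange(p_bits, exp_bits)
        s = r["seconds_per_party"]
        print(f"p={p_bits:>6}b exp={exp_bits:>5}b wire={r['wire_bytes']:>6}B "
              f"{s * 1000:10.2f} ms/party  ~{1 / s:9.1f} handshakes/s/core")
```

Pure-Python `pow` is slower than a GMP-backed implementation, so compare the ratios between rows rather than the absolute times.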

Score:3

You seem to be under the impression that a $\approx 2,000$ bit DH prime is (potentially) unsafe, but a $\approx 60,000$ bit DH prime is clearly safe. I don't know how well-supported this is. I mention this as DH over Galois fields of small characteristic has had enormous breakthroughs in the last $\approx 15$ years (I believe the current cryptanalysis record is something like $p\approx 2^{30,000}$, at least when one assumes $\mathsf{GF}(p)$ has characteristic 2).

If similar breakthroughs occurred for the case of large-characteristic Galois fields (or even prime fields), it would shake confidence in both $p$ with $\log_2p\approx 2,000$ and $\log_2p\approx 60,000$. This is to say that for your "very secure" DH prime parameters to make sense, you need to be simultaneously

  1. paranoid enough that you believe there are large improvements over the state of the art for attacks lurking, namely that attacks against $\log_2 p\approx 2,000$ are feasible, yet
  2. confident enough in DH that you don't think the extremely efficient attacks in the case of small characteristic can extend to the prime field case.

I don't see a real reason to hold both these opinions simultaneously. If you find finite field DH sketchy (fair), switch to something like DH based on elliptic curves, or a post-quantum assumption. If you believe in finite field DH, use parameters that cryptanalysis justifies as being hard.
