[12210] in cryptography@c2.net mail archive
RE: Implementation guides for DH?
daemon@ATHENA.MIT.EDU (astiglic@okiok.com)
Sat Jan 4 20:16:13 2003
Date: Sat, 4 Jan 2003 14:53:40 -0500 (EST)
From: <astiglic@okiok.com>
To: <bill.stewart@pobox.com>
In-Reply-To: <5.1.1.6.2.20030101215841.053138e8@idiom.com>
Cc: <adam@homeport.org>, <cryptography@wasabisystems.com>
> Much of the discussion on the net
> about prime safety for DH has been about whether safe primes
> are necessary or not worth the bother, and at least with the
> current methods for factoring, it's believed they aren't needed.
> (One catch, of course, is that the best factoring method
> 10 or 50 years from now may be affected by safe vs. unsafe primes.) At
> least in the initial Photuris versions, there were some
> standard choices of primes that everybody used,
> so it made sense to pick Sophie-Germain primes anyway.
For RSA, Silverman and Rivest have a paper arguing that *strong* primes
are not currently beleived to be needed (see the paper for the def
of strong prime). In DH key exchange, when you work in a group (mod
a prime) you want to make sure that there are no little subgroups that
an attacker can exploit (choosing a *safe* prime (p = 2q + 1, q and p
prime, or p = Rq + 1, with p and q sufficiently large), and working
in the subgroup of order q guarantees you this, so it usefull to have
these kind of primes for DH.
Cheers,
--Anton
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
