[1464] in cryptography@c2.net mail archive
Re: Speeding up DH
daemon@ATHENA.MIT.EDU (Bill Stewart)
Thu Sep 11 12:21:07 1997
Date: Wed, 10 Sep 1997 23:04:17 -0700
To: cryptography@c2.net
From: Bill Stewart <stewarts@ix.netcom.com>
In-Reply-To: <199709100233.UAA20189@nyx10.nyx.net>
At 08:33 PM 9/9/97 -0600, Colin Plumb wrote:
>If you look in PGP 5, you'll see some precomputed primes with (p-1)/2
>prime, and some on-the-fly code that generates (p-1)/2 = k*q for k "as
>small as possible" while still ensuring that a multiple of q in the
>right range will be prime. This bounds k small enough that the leakage
>is contained within the paranoia padding, so we don't worry about
>generator or not.
Is there any way to bully the user interface into making these visible?
There are some primes that the Photuris people picked, for several
useful sizes.
>My choice in PGP5 was to use 3*80 bits = 240 for the exponent. No
>attack I know is better than sqrt(x), but that provides safety against
>a hypothetical future cbrt(x) attack and isn't that big a hit.
>You still get a 4x speedup.
How fast is the calculation on a typical machine, compared to the
rest of the calculations performed? Is 4x enough to be critical?
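The scheme discussed in this thread, as an added worked example that is not code from PGP 5, Photuris, or either poster: a prime q is chosen first, then the smallest k such that p = 2*k*q + 1 is prime; both sides use short exponents sized by the attack-cost rule (2*s bits for a sqrt(x) attack, 3*80 = 240 bits for the hypothetical cbrt(x) case); and a small-subgroup "leak" is carried out to show why a small k keeps the leakage within the exponent's padding even when g is used without checking that it is a generator. Assumed for this example: parameter sizes are scaled down (128-bit q, 120-bit exponents) so the pure-Python primality tests run in well under a second, g = 2 is used with no order check, and the Miller-Rabin test, the `gen_dh_prime` search and the operation-count model of modular exponentiation are this example's own, not the PGP 5 implementation.

```python
"""Short-exponent Diffie-Hellman over p = 2*k*q + 1 (added example, not from PGP 5)."""
import random


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with rng-chosen bases, after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random probable prime of exactly `bits` bits."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(c, rng):
            return c


def gen_dh_prime(qbits, rng):
    """Pick a prime q, then the smallest k with p = 2*k*q + 1 prime.
    Returns (p, q, k); p - 1 = 2*k*q, so every element's order divides 2*k*q."""
    while True:
        q = gen_prime(qbits, rng)
        for k in range(1, 1 << 16):
            p = 2 * k * q + 1
            if is_probable_prime(p, rng):
                return p, q, k


def exponent_bits(security_bits, attack_root=3):
    """Exponent length for s bits of security: an attack costing x^(1/r) on an
    x-bit exponent needs r*s bits. Pollard rho is sqrt(x) (r=2); r=3 pays for a
    hypothetical cbrt(x) attack, giving 3*80 = 240 bits (the PGP 5 choice)."""
    return attack_root * security_bits


def modexp_ops(ebits):
    """Square-and-multiply cost model: ebits-1 squarings plus about ebits/2
    multiplies for a random exponent; modexp time scales with this."""
    return (ebits - 1) + ebits // 2


def dh_exchange(p, g, ebits, rng):
    """Both parties use ebits-long exponents; returns (A, B, secret_a, secret_b)."""
    a = rng.getrandbits(ebits) | 1
    b = rng.getrandbits(ebits) | 1
    A, B = pow(g, a, p), pow(g, b, p)
    return A, B, pow(B, a, p), pow(A, b, p)


def small_subgroup_leak(p, q, k, g, x):
    """An attacker sends h = g^q as its 'public value'; h^(2k) = g^(p-1) = 1, so
    ord(h) divides 2k. The victim's shared secret h^x then reveals x mod ord(h),
    i.e. at most log2(2k) bits of x, which is why k is kept small.
    Returns (order of h, recovered x mod order, bits leaked)."""
    h = pow(g, q, p)
    order = next(r for r in range(1, 2 * k + 1) if pow(h, r, p) == 1)
    secret = pow(h, x, p)                    # what the victim would derive
    recovered = next(r for r in range(order) if pow(h, r, p) == secret)
    return order, recovered, order.bit_length() - 1


if __name__ == "__main__":
    rng = random.Random(1997)
    p, q, k = gen_dh_prime(128, rng)         # scaled down from ~1024-bit p
    ebits = exponent_bits(40)                # 120 bits; real use would be 240
    A, B, sa, sb = dh_exchange(p, 2, ebits, rng)
    print("p bits", p.bit_length(), "k", k, "secrets agree:", sa == sb)
    x = rng.getrandbits(ebits)
    print("small-subgroup leak:", small_subgroup_leak(p, q, k, 2, x))
    print("modexp speedup, 1024-bit vs 240-bit exponent: %.2fx"
          % (modexp_ops(1024) / modexp_ops(240)))
```

The cost model answers the "is 4x critical?" question in the abstract: a full-length 1024-bit exponent costs about 1535 modular operations against about 359 for a 240-bit one, a ratio of roughly 4.3, and that ratio is per key-agreement exponentiation, so whether it matters depends on how many exchanges per second the machine must sustain.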