[1521] in cryptography@c2.net mail archive

Re: Speeding up DH

daemon@ATHENA.MIT.EDU (Bill Stewart)
Thu Sep 18 10:51:36 1997

Date: Tue, 16 Sep 1997 12:38:28 -0700
To: Adept <adept@cep.yale.edu>, Bill Frantz <frantz@netcom.com>
From: Bill Stewart <stewarts@ix.netcom.com>
Cc: cryptography@c2.net
In-Reply-To: <Pine.LNX.3.96.970916044739.6950B-100000@www.cep.yale.edu>

At 04:48 AM 9/16/97 -0400, Adept wrote:
>> >The DH moduli I generated for Photuris a while back used random() to
>> >generate a random starting point, and then searched forward from that
...
>I'm sure someone has already noted this, but, with this sort of search you
>will have certain primes that are more likely--such as those that fall at
>the end of a long sequence of composite numbers.

Not really a risk, since the prime will be public anyway;
the main value of using different primes rather than always using the same one
is avoiding pre-computation attacks (which are devastating to short constant
primes like the one originally used for Sun's Secure NFS.)  There are enough
primes in the relevant length ranges that nobody's going to pre-compute values
for an appreciable fraction of them, and for the longer keys probably not
for any.
				Thanks!
					Bill
Bill Stewart, stewarts@ix.netcom.com
Regular Key PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
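
Added example, not part of the original message: an exact count of the skew Adept describes, showing that a search forward from a uniformly chosen starting point lands on each prime in proportion to the run of composites before it. The function names and the small range 90..127 are constructed for illustration; real DH moduli are far larger, but the counting argument is the same.

```python
from collections import Counter

def is_prime(n):
    """Trial division; adequate for the small constructed range used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True

def search_forward(start):
    """Incremental search: return the first prime >= start."""
    n = start
    while not is_prime(n):
        n += 1
    return n

def prev_prime(p):
    """Largest prime strictly below p (p > 2)."""
    n = p - 1
    while not is_prime(n):
        n -= 1
    return n

def selection_counts(lo, hi):
    """For every starting point in [lo, hi], count which prime the search lands on."""
    counts = Counter()
    for start in range(lo, hi + 1):
        counts[search_forward(start)] += 1
    return counts

def bias_ratio(counts):
    """How many times more often the most-favoured prime is hit than the least."""
    return max(counts.values()) / min(counts.values())

if __name__ == "__main__":
    # Constructed range: 90..127 starts just after the prime 89 and ends on the prime 127.
    counts = selection_counts(90, 127)
    for p in sorted(counts):
        print(f"{p:4d}  gap before = {p - prev_prime(p):2d}  starts landing here = {counts[p]:2d}")
    print("most/least likely ratio:", bias_ratio(counts))
```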
