Implementation guides for DH?
astiglic at okiok.com
Sat Jan 4 14:53:40 EST 2003
> Much of the discussion on the net
> about prime safety for DH has been about whether safe primes
> are necessary or not worth the bother, and at least with the
> current methods for factoring, it's believed they aren't needed.
> (One catch, of course, is that the best factoring method
> 10 or 50 years from now may be affected by safe vs. unsafe primes.) At
> least in the initial Photuris versions, there were some
> standard choices of primes that everybody used,
> so it made sense to pick Sophie-Germain primes anyway.
For RSA, Silverman and Rivest have a paper arguing that *strong* primes
are not currently believed to be needed (see the paper for the def
of strong prime). In DH key exchange, when you work in a group (mod
a prime) you want to make sure that there are no little subgroups that
an attacker can exploit (choosing a *safe* prime (p = 2q + 1, q and p
prime, or p = Rq + 1, with p and q sufficiently large), and working
in the subgroup of order q guarantees you this), so it is useful to have
these kinds of primes for DH.
Cheers,
--Anton
---------------------------------------------------------------------
The Cryptography Mailing List
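
An added example, not part of the original post: a receiver-side check that DH parameters have the p = 2q + 1 or p = Rq + 1 structure described above and that a peer's public value lies in the subgroup of order q. The function names are hypothetical and the parameters are constructed toy values, far too small for real use.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:                      # write n - 1 as d * 2^s, d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2   # base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                   # a is a witness: n is composite
    return True

def check_group(p, q, g):
    """Accept (p, q, g) only if g generates the order-q subgroup mod p."""
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return False
    if (p - 1) % q != 0:                   # need p = Rq + 1 for some R
        return False
    # q is prime, so g != 1 with g^q = 1 means g has order exactly q.
    return 1 < g < p - 1 and pow(g, q, p) == 1

def check_public(y, p, q):
    """Accept a peer's public value only if it lies in the order-q subgroup."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1

# Constructed toy parameters (assumptions for illustration only):
SAFE = (2039, 1019, 4)      # p = 2q + 1, g = 2^2 mod p
COFACTOR = (607, 101, 64)   # p = Rq + 1 with R = 6, g = 2^6 mod p

if __name__ == "__main__":
    for p, q, g in (SAFE, COFACTOR):
        rejected = [y for y in range(2, p - 1) if not check_public(y, p, q)]
        print(p, q, g, check_group(p, q, g),
              "rejected public values:", len(rejected), "of", p - 3)
```

With a cofactor R larger than 2, the `pow(y, q, p) == 1` test is what rejects values of small order dividing R; the range check alone only excludes 0, 1 and p - 1.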