Fwd: Tor security advisory: DH handshake flaw
Ben Laurie
ben at algroup.co.uk
Sun Aug 28 08:40:42 EDT 2005
astiglic at okiok.com wrote:
> So Miller-Rabin is good for testing random candidates, but it is easy to
> maliciously construct an n that passes several rounds of Miller-Rabin.
Interesting! So how does one go about constructing such an n?
> Maurer’s method doesn’t pick and test random candidates, rather it
> constructs, in a special way, an integer that is guaranteed to be prime.
> Don’t be concerned about secrecy of primes generated with Maurer’s method,
> the method generates primes that are almost uniformly distributed over the
> set of all numbers (this is different from another algorithm called
> Shawe-Taylor, which is similar in functioning but only reaches 10% of all
> primes of a specified set).
I presume you mean densely distributed over the set of all primes?
Uniform distribution isn't much use if it's sparse!
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
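An added example, not part of the original message or of the quoted post: it illustrates the quoted point for one case, a verifier whose Miller-Rabin bases are predictable (an assumption; the thread does not say how the bases are chosen). It uses a published composite, the smallest strong pseudoprime to bases 2, 3, 5 and 7, and shows that unpredictable bases reject it.

```python
import secrets

# Published composite, 151 * 751 * 28351: the smallest strong pseudoprime
# to bases 2, 3, 5 and 7 simultaneously (OEIS A014233).
N = 3215031751


def mr_round(n, a):
    """One Miller-Rabin round for odd n > 3 and base a in [2, n-2].

    Returns True if n is a strong probable prime to base a.
    """
    d, s = n - 1, 0
    while d % 2 == 0:              # write n - 1 = d * 2**s with d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False                   # a is a witness: n is composite


def passes_fixed_bases(n, bases=(2, 3, 5, 7)):
    """Assumed weak verifier: the bases are hard-coded, so known in advance."""
    return all(mr_round(n, a) for a in bases)


def passes_random_bases(n, rounds=40):
    """Verifier for untrusted n: each base is drawn from a CSPRNG in [2, n-2].

    For composite n at most 1/4 of the bases pass a round, so 40 rounds
    accept a composite with probability at most 4**-40.
    """
    return all(mr_round(n, 2 + secrets.randbelow(n - 3)) for _ in range(rounds))


if __name__ == "__main__":
    print("fixed bases 2,3,5,7:", passes_fixed_bases(N))
    print("single base 11     :", mr_round(N, 11))
    print("40 random bases    :", passes_random_bases(N))
```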