Fwd: Tor security advisory: DH handshake flaw

astiglic at okiok.com astiglic at okiok.com
Mon Aug 29 11:57:47 EDT 2005 

> Ben Laurie <ben at algroup.co.uk> writes:
>
>> astiglic at okiok.com wrote:
>>> So Miller-Rabin is good for testing random candidates, but it is easy
>>> to
>>> maliciously construct an n that passes several rounds of
>>> Miller-Rabin.
>>
>> Interesting! So how does one go about constructing such an n?
>
> I wonder if the original author didn't think of Carmichael numbers,
> which are Fermat pseudoprime in every base.  Some applications,
> e.g. Libgcrypt used by GnuPG, use Fermat tests, so if you have control
> of the random number generator, I believe you could make GnuPG believe
> it has found a prime when it only found a Carmichael number.

Carmichael numbers with Fermat's test is a worst case example.  A
Carmichael number will pass Fermat's test for all bases.  So if you give
some one a Carmichael number (which is not a prime), and the person
verifying the primality uses Fermat's test, you are sure to fool him.

For Miller-Rabin, as you mentioned, it can be proven that in worst case,
for a particular n,  there is only 1/4 of bases for which the test will
return "prime" when in fact the candidate is composite.  But what I said
is that you can "maliciously construct an n that passes several rounds of
Miller-Rabin".   In worst case, you can construct a prime that will pass
several rounds of Miller-Rabin, for specific bases.
Of course, if the person testing n uses random bases, the more tests the
person does the greater the chance the person will catch the fact that n
is in fact composite.  But if you knew, in advance, the sequence of
candidates that will be used, than it's a different game.

The Miller true primality test I referred to in my initial post will
always work assuming the Extended Riemann Hypothesis (ERH).  In such a
test, you start with base 2 and test, as long as the test passes increment
by one, up to Poly(size(n)).  I would have no problem believe ERH and
using such an algorithm.  In the worst case, if my code happened to
generate a pseudo-prime, than I would have disproved the ERH hypothesis
and could make allot of money out of that
http://www.claymath.org/millennium/

If at the end all iterations passed, n is surely prime if ERH is true. 
The value of Poly(size(n)) that would need to be used for large n will be
much smaller than 1/4*n, but (the big ick, considering all of the
constants in the actual polynomial that needs to be considered) is still a
very large number.

In any case, go with Maurer's test, it really rocks and has been
standardized.

--Anton


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list