Fwd: Tor security advisory: DH handshake flaw
Simon Josefsson
jas at extundo.com
Wed Aug 31 04:42:41 EDT 2005
Ben Laurie <ben at algroup.co.uk> writes:
> Simon Josefsson wrote:
>> No, the certificate is verifiable in deterministic polynomial time.
>> The test is probabilistic, though, but as long as it works, I don't
>> see why that matters. However, I suspect the ANSI X9.80 or ISO 18032
>> paths are more promising. I was just tossing out URLs.
>
> Surely Miller-Rabin is polynomial time anyway?
Yes, but it doesn't produce certificates; the algorithm that I cited
does. The algorithm to _verify_ the certificate was not probabilistic,
only the algorithm to _produce_ the certificates was probabilistic.
Btw, could you describe the threat scenario where you believe this
test would be useful?
Thanks,
Simon
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
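Added example, not part of the original message: a sketch of the distinction drawn above between probabilistic certificate production and deterministic certificate verification. The message does not name the cited algorithm, so a Pratt certificate is used here as an assumed stand-in; `produce`, `verify`, `prime_factors` and the sample prime `P` are constructed for illustration.

```python
import random

def prime_factors(n):
    """Distinct prime factors by trial division (fine for small sample inputs)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out

def produce(p, cert=None, rng=random):
    """Probabilistic: build a Pratt certificate for a prime p (loops forever if p is composite)."""
    cert = {} if cert is None else cert
    if p == 2 or p in cert:
        return cert
    factors = prime_factors(p - 1)
    while True:  # random search for a witness of order exactly p-1
        a = rng.randrange(2, p)
        if all(pow(a, (p - 1) // q, p) != 1 for q in factors) and pow(a, p - 1, p) == 1:
            break
    cert[p] = (a, factors)
    for q in factors:  # every prime factor of p-1 needs its own certificate
        produce(q, cert, rng)
    return cert

def verify(p, cert):
    """Deterministic: accept only if cert proves p prime; uses no randomness."""
    if p == 2:
        return True
    if p < 2 or p not in cert:
        return False
    a, factors = cert[p]
    rest = p - 1
    for q in set(factors):  # the listed primes must account for all of p-1
        if q < 2 or rest % q:
            return False
        while rest % q == 0:
            rest //= q
    if rest != 1 or pow(a, p - 1, p) != 1:
        return False
    if any(pow(a, (p - 1) // q, p) == 1 for q in set(factors)):
        return False
    return all(verify(q, cert) for q in set(factors))

P = 2**31 - 1  # constructed sample prime
```

Different random seeds can yield different certificates for the same prime, yet `verify` gives the same answer for any given certificate every time it is run.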