[Cryptography] "NSA could put undetectable “trapdoors” in millions of crypto keys"

Stephen Farrell stephen.farrell at cs.tcd.ie
Tue Oct 11 15:59:06 EDT 2016



On 11/10/16 20:24, Ray Dillinger wrote:
> 
> 
> On 10/11/2016 08:56 AM, Jerry Leichter wrote:
> 
>> Basically the researchers describe a way to generate primes for which number sieve is much easier if you know the secret - and there's no way to detect this by looking at the prime.  In the case of 1024 bit D-H primes, the result would be to move cracking into a fairly easy range.  And in the case of most of the widely-used 1024-bit D-H primes, nothing is known about how they were generated.
> 
> So there is now a potentially very large undetectable class of
> weak keys.
> 
> I suppose the prudent thing to do would be to behave as if there
> has been a breakthrough in factoring such that primes now require
> about twice as many bits of length to achieve the same level of
> security against factoring.  For primes whose origins we don't
> know anyway - but that pretty much includes all 'ephemeral' DH
> primes, as well as the primes used to construct RSA keys created
> by others.
> 
> Am I right in thinking that this affects pretty much all pubkey
> crypto operations performed on a modular field -- RSA, DH, ECC,
> etc?

No. I believe this affects integer DH only. And not
2048-bit DH; the paper is about 1024 and progress
beyond that gets harder.

And nothing to do with RSA or elliptic curves at all.

S.

> 
> 				Bear
