[Cryptography] RSA FIPS 186-5 Provable or probable primes?
Phillip Hallam-Baker
phill at hallambaker.com
Thu Sep 5 01:29:45 EDT 2024
Some time ago I wrote a proposal to generate various key pairs
deterministically from a compact seed expressed in Base-32 format. The idea
being that instead of having to copy key files and passwords about, the
keys would be short enough to type.
The main application for this work is to simplify test vector generation.
But I could see myself using it for Ed448 or P521 keys on occasion.
So ZAAA-XKKQ-X2QK-5GRD-IKIP-SFQ6-XSRN-M4R4-EVYG-WXR2-TK5Q
is an ML-KEM512 key.
ZAAA-ZAB5-2RDQ-YVHM-3NFP-PRMX-7J2C-NAK2-CAFL-QLKC-FAZ7-WVLK-4F57-4EJ6 is
ML-KEM-1024
Can do Ed25519, Ed448, X25519, Ed448 and all the FIPS203/FIPS204
algorithms. I also specified code points to generate RSA2048, RSA3096 and
RSA409 keys but never implemented.
Having extended the code to do FIPS203/FIPS204, I am thinking of
implementing RSA generation as specified in FIPS 186-5.
So the question comes up, should I use the provable or probable generator
and if probable should I do 2^100 security or 2^security strength? I am
thinking the second.
Since the generation process could well cause a small device to frazzle, I
am thinking I will keep track of the number of prime trials as proposed by
Sophie Schmieg on a PQC list.
So a 2048 bit RSA key without hints might be
ZAAA-ZSYS-CVIB-MHWC-MI6K-HIQE-GYUP-EE3M-IDTX-YLBU-P2E4-GTOV-AAES-ALWG
And with hints:
ZAAA-ZSYS-CVIB-MHWC-MI6K-HIQE-GYUP-EE3M-IDTX-YLBU-P2E4-GTOV-AAES-ALWG/OAYI-EBFT-GAGQ-MCLA-QZEA
Thoughts?
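
Added example, not part of the original post and not the author's code: a sketch of seed-driven probable-prime search that records the trial count as a hint, and of the hinted path a small device could take, testing one candidate instead of searching. Assumptions: the SHAKE256 expansion, the candidate framing, the hint being the zero-based index of the winning trial, the exponent and the round count are all hypothetical choices, not the post's format or the FIPS 186-5 procedure.

```python
import hashlib
from math import gcd
E = 65537      # assumed public exponent
MR_ROUNDS = 8  # illustrative only; take the real round count from FIPS 186-5

def _xof(nbytes, *parts):  # SHAKE256 over the parts, as an integer (assumed expansion)
    return int.from_bytes(hashlib.shake_256(b"|".join(parts)).digest(nbytes), "big")

def candidate(seed, label, index, bits):
    """index-th candidate: XOF output with the top two bits and the low bit forced to 1."""
    return _xof(bits // 8, seed, label, index.to_bytes(4, "big")) | (0b11 << (bits - 2)) | 1

def is_probable_prime(n, rounds=MR_ROUNDS):
    """Miller-Rabin with bases derived from n, so the verdict is reproducible."""
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    size = (n.bit_length() + 7) // 8
    for i in range(rounds):
        a = 2 + _xof(size + 8, b"mr", n.to_bytes(size, "big"), bytes([i])) % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True

def acceptable(n):
    return gcd(n - 1, E) == 1 and is_probable_prime(n)

def find_prime(seed, label, bits, max_trials=100_000):
    """Full search. Returns (prime, hint); hint is the index of the winning trial."""
    for index in range(max_trials):
        if acceptable(n := candidate(seed, label, index, bits)):
            return n, index
    raise RuntimeError("no acceptable prime within max_trials")

def prime_from_hint(seed, label, bits, hint):
    # Small-device path: one candidate, one test. The hint is untrusted, so it is
    # still tested; a hint naming a later acceptable candidate gives a different key.
    if not acceptable(n := candidate(seed, label, hint, bits)):
        raise ValueError("hint does not select an acceptable prime")
    return n
```

Because a hint that skips past the first acceptable candidate still yields a valid but different prime, a verifier that needs the hintless key has to run the full search or treat the hint as part of the key's identity.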