Re: forward secrecy in mixmaster



At 06:29 PM 9/12/96 +0000, [email protected] wrote:
>Stewart>  I think they chose a strong prime (form p = 2q+1, q prime),
...
>Strong primes are no longer of any benefit for cryptographic 
>applications.

You're probably right, for today's factoring techniques.
For a key you're only planning to use for the next couple of years,
you can pretty much ignore strong primes, unless you're stuck with
512-bit keys, in which case you need to glean any crumbs you can.
But for a value that needs to last a long time, such as a 
Diffie-Hellman modulus that's going to be a default value in a standard,
and which you're only going to generate once anyway, it makes sense
to generate a strong prime in case factoring methods that are
affected by it become popular again in the future.  It also makes sense
to turn loose a bunch of people using different primality tests
just in case somebody gets lucky (e.g. crank the test long enough that
the probability of non-primality is 10**-9 or 10**-12 instead of just 10**-6).

>Implementing strong primes won't make your code any less secure, it 
>will just take longer to create the keys and won't gain you any 
>security, all the big boys are using elliptic curve factoring methods 
>now so you really have nothing to gain.

Do Generalized Number Field Sieve and its friends count as
elliptic curve methods?

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# <A HREF="http://idiom.com/~wcs"> 	
# You can get PGP software outside the US at ftp.ox.ac.uk/pub/crypto