From: “Perry E. Metzger” <pmetzger@lehman.com>
To: cypherpunks@toad.com
Message Hash: bc95d976f7e3f292a6696babbece15ae17590c5a621b5f2cb5bc84e25157c536
Message ID: <199402071555.KAA04653@snark>
Reply To: <199402052205.OAA06854@jobe.shell.portal.com>
UTC Datetime: 1994-02-07 15:56:22 UTC
Raw Date: Mon, 7 Feb 94 07:56:22 PST
Subject: Re: Some stuff about Diffie-Hellman (and more :-)

Hal says:
>From: rcain@netcom.com (Robert Cain)
> > Now, the tutorial over :-), the question is; is there a "standard"
> > well-known-prime, w, and a "standard" well-known-modulus, m, and if
>              ^^^^^-- generator
> > not, let's define one.
>
> I don't think there is a need for this. The two sides need to agree on
> a pair but they could just pick it at the beginning. If everyone uses
> the same m,w it would help attackers of the scheme to focus their efforts
> on these numbers.

Indeed, a paper has been published on how to break Sun Secure RPC
based on the idiotic decision by someone at Sun to standardise the
modulus used. It is basically a matter of precomputing a lot of data
based on the numbers which allows you to break any particular discrete
log in that field on the fly. The suggestion by Mr. Cain to use a
single generator and modulus for all traffic is astonishingly naive.

Perry
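
An added illustration, not part of the message above or of the paper it mentions: baby-step giant-step on a constructed 31-bit toy group, standing in for the far heavier precomputation the message describes, to show how work done once against a shared (modulus, generator) pair is reused for every public value in that group. The values `P` and `G` and the names `SharedGroupTable` and `amortised_cost` are assumptions made for this example.

```python
from math import isqrt

# Constructed toy parameters (assumptions, not from the message): a 31-bit
# prime modulus and a small generator, far too small for any real use.
P = 2147483647      # 2**31 - 1, prime
G = 7               # primitive root modulo 2**31 - 1


class SharedGroupTable:
    """One-time precomputation for a fixed (p, g), reused for every key."""

    def __init__(self, p, g):
        self.p, self.g = p, g
        self.m = isqrt(p - 1) + 1
        # Baby steps g^j -> j for 0 <= j < m. They depend only on (p, g),
        # never on any particular user's public value.
        self.baby = {}
        cur = 1
        for j in range(self.m):
            self.baby.setdefault(cur, j)
            cur = cur * g % p
        self.giant = pow(g, -self.m, p)   # g^(-m) mod p (Python 3.8+)
        self.precompute_ops = self.m      # multiplications spent once

    def dlog(self, y):
        """Return (x, ops) with g^x == y (mod p), using the shared table."""
        gamma = y % self.p
        for i in range(self.m):
            j = self.baby.get(gamma)
            if j is not None:
                return i * self.m + j, i + 1
            gamma = gamma * self.giant % self.p
        raise ValueError("y is not a power of g modulo p")


def amortised_cost(table, public_values):
    """One-time table cost and the per-key lookup cost for many keys."""
    per_key = [table.dlog(y)[1] for y in public_values]
    return table.precompute_ops, per_key
```

The table cost is paid once per group, so every additional key in the same group costs only the lookups. That is the reason to avoid a single modulus for all traffic, or to choose one large enough that the one-time cost itself is out of reach.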