1995-11-05 - Re: Photuris Primality verification needed

Header Data

From: “Perry E. Metzger” <perry@piermont.com>
To: “William Allen Simpson” <bsimpson@morningstar.com>
Message Hash: 53bd96e5fb4040037519d0e6c982ab765ae42c0b3c8039cf08566e88cad5fc13
Message ID: <199511051607.LAA08575@jekyll.piermont.com>
Reply To: <1973.bsimpson@morningstar.com>
UTC Datetime: 1995-11-05 16:14:44 UTC
Raw Date: Mon, 6 Nov 1995 00:14:44 +0800

Raw message

From: "Perry E. Metzger" <perry@piermont.com>
Date: Mon, 6 Nov 1995 00:14:44 +0800
To: "William Allen Simpson" <bsimpson@morningstar.com>
Subject: Re: Photuris Primality verification needed
In-Reply-To: <1973.bsimpson@morningstar.com>
Message-ID: <199511051607.LAA08575@jekyll.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



"William Allen Simpson" writes:
> Folks, I was somewhat disappointed in the response to our previous
> requests for verification of the strength of the prime moduli.
> 
> Recently, someone asked for a smaller prime of only 512-bits for speed.
> This is more than enough for the strength of keys needed for DES, 3DES,
> MD5 and SHA.  Perhaps this would be easier to have more complete and
> robust verification as well.

I think that this is a very large mistake. Allow me to explain why.

La Macchia (sp?) and Odlyzko (sp?) have a very nice result which shows
that once you've done enough precalculation on a particular modulus,
you can break any subsequent Diffie-Hellman operation performed on
that modulus with (for our purposes) no effort. 512 bits is, from what
I can tell, not far out of the realm of possibility for what someone
could try to crack with current machines given enough effort.

[Sorry about the spelling. I'm tired, and don't have time to look up
your names. I know that Brian at least reads this list and I'm sorry
about likely misspelling your name.]

Perry





Thread