> Much of the discussion on the net > about prime safety for DH has been about whether safe primes > are necessary or not worth the bother, and at least with the > current methods for factoring, it's believed they aren't needed. > (One catch, of course, is that the best factoring method > 10 or 50 years from now may be affected by safe vs. unsafe primes.) At > least in the initial Photuris versions, there were some > standard choices of primes that everybody used, > so it made sense to pick Sophie-Germain primes anyway.
For RSA, Silverman and Rivest have a paper arguing that *strong* primes are not currently beleived to be needed (see the paper for the def of strong prime). In DH key exchange, when you work in a group (mod a prime) you want to make sure that there are no little subgroups that an attacker can exploit (choosing a *safe* prime (p = 2q + 1, q and p prime, or p = Rq + 1, with p and q sufficiently large), and working in the subgroup of order q guarantees you this, so it usefull to have these kind of primes for DH. Cheers, --Anton --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
