On Thu, 01 Sep 2005 15:04:43 +0200, Simon Josefsson said:
If you control the random number generator, you control which
Miller-Rabin bases that are used too.
Oh well, if you are able to do this you have far easier ways of
compromising the security. Tricking the RNG to issue the same number
On Thu, 01 Sep 2005 15:04:43 +0200, Simon Josefsson said:
If you control the random number generator, you control which
Miller-Rabin bases that are used too.
Oh well, if you are able to do this you have far easier ways of
compromising the security. Tricking the RNG to issue the same number
to
Simon Josefsson wrote:
Btw, could you describe the threat scenario where you believe this
test would be useful?
Well, that's an interesting question. I have to admit that I am no
longer sure there is any point. If people do an appropriate number of
rounds of Miller-Rabin whenever they're
Werner Koch [EMAIL PROTECTED] writes:
On Mon, 29 Aug 2005 17:32:47 +0200, Simon Josefsson said:
which are Fermat pseudoprime in every base. Some applications,
e.g. Libgcrypt used by GnuPG, use Fermat tests, so if you have control
of the random number generator, I believe you could make
Ben Laurie [EMAIL PROTECTED] writes:
Simon Josefsson wrote:
No, the certificate is verifiable in deterministic polynomial time.
The test is probabilistic, though, but as long as it works, I don't
see why that matters. However, I suspect the ANSI X9.80 or ISO 18032
paths are more promising.
On Mon, 29 Aug 2005 17:32:47 +0200, Simon Josefsson said:
which are Fermat pseudoprime in every base. Some applications,
e.g. Libgcrypt used by GnuPG, use Fermat tests, so if you have control
of the random number generator, I believe you could make GnuPG believe
it has found a prime when it
Simon Josefsson wrote:
No, the certificate is verifiable in deterministic polynomial time.
The test is probabilistic, though, but as long as it works, I don't
see why that matters. However, I suspect the ANSI X9.80 or ISO 18032
paths are more promising. I was just tossing out URLs.
Surely
Ben Laurie [EMAIL PROTECTED] writes:
Simon Josefsson wrote:
Ben Laurie [EMAIL PROTECTED] writes:
[EMAIL PROTECTED] wrote:
So Miller-Rabin is good for testing random candidates, but it is easy to
maliciously construct an n that passes several rounds of
Miller-Rabin.
Interesting! So how
Ben Laurie [EMAIL PROTECTED] writes:
[EMAIL PROTECTED] wrote:
So Miller-Rabin is good for testing random candidates, but it is easy to
maliciously construct an n that passes several rounds of
Miller-Rabin.
Interesting! So how does one go about constructing such an n?
I wonder if the
Dont be concerned about secrecy of prime generated with Maurers
method,
the method generates primes that are almost uniformly distributed over
the
set of all numbers (this is different from another algorithm called
Shawe-Taylor, which is similar in functioning but only reaches 10% of
all
One algorithm that results in a polynomially verifiable witness is:
Almost All Primes Can be Quickly Certified
http://theory.lcs.mit.edu/~cis/pubs/shafi/1986-stoc-gk.pdf
That's a very old algorithm. It was an intersting result at the time
(1986) because it is a primality proving algorithm
[EMAIL PROTECTED] wrote:
So Miller-Rabin is good for testing random candidates, but it is easy to
maliciously construct an n that passes several rounds of Miller-Rabin.
Interesting! So how does one go about constructing such an n?
Maurer’s method doesn’t pick and test random candidates,
Some info on primality testing.
Miller-Rabin probabilistic primality tests work really well when you are
searching for a prime and picking candidates from a uniform random
distribution, also works well if you pick an initial candidate from a
uniform random distribution and then increment on that
Jerrold Leichter wrote:
| Apologies, slightly at cross-purposes here. For a start, Sophie Germain primes
| are needed for D-H (or rather, safe primes), and secondly, I was talking about
| proving arbitrary primes, rather than constructing provable primes.
Isn't *proving* primality rather
Ben Laurie writes:
Apologies, slightly at cross-purposes here. For a start, Sophie Germain
primes are needed for D-H (or rather, safe primes), and secondly, I was
talking about proving arbitrary primes, rather than constructing
provable primes.
Dan Bernstein has lots of good information on
Ben Laurie writes:
Related to this is a project I keep considering and never quite getting
around to is to include a prime proof verifier in OpenSSL. It would be
pretty cool to have modes which only work when all relevant primes come
with proofs.
I've looked into this a few times, but
Hal Finney wrote:
Ben Laurie writes:
Related to this is a project I keep considering and never quite getting
around to is to include a prime proof verifier in OpenSSL. It would be
pretty cool to have modes which only work when all relevant primes come
with proofs.
I've looked into this a
Hal Finney wrote:
I was just at Crypto yesterday and Hugo Krawczyk in his talk emphasized
the difficulty of securely designing key exchange protocols. He was
talking about implicit authorization protocols where the exponentiation
involves the long term public key(s). This protocol is different
- Forwarded message from Roger Dingledine [EMAIL PROTECTED] -
In Tor, clients negotiate a separate ephemeral DH handshake with each
server in the circuit, such that no single server (Bob) in the circuit
can know both the client (Alice) and her destinations. The DH handshake
is as
- Forwarded message from Roger Dingledine [EMAIL PROTECTED] -
From: Roger Dingledine [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Thu, 11 Aug 2005 21:31:32 -0400
Subject: Tor security advisory: DH handshake flaw
Versions affected: stable versions up through 0.1.0.13 and experimental
20 matches
Mail list logo