that improve on naive discard repeat by
discarding only the top N bits of a candidate at each iteration, among
other innovations.
This paper assumes two things that don't appear to be true:
a) That prime generation attempts consume entropy - why? Seems fine to
me to just stir the pool and try again
On 27 May 2014 11:11, Ben Laurie b...@links.org wrote:
On 27 May 2014 09:16, Joseph Birr-Pixton jpix...@gmail.com wrote:
To restate:
Callers of RAND_pseudo_bytes are either unreliable, or equivalent to
RAND_bytes. Do not use it.
Have I missed something? What are you referring to here?
On 5/27/14 12:56 AM, Stephan Mueller wrote:
On Tuesday, 27 May 2014, 17:45:48, Peter Waltenberg wrote:
Hi Peter,
Not quite correct, the prime rands shouldn't come from a DRBG, they
should come from an NRBG (NIST terminology). There's a considerable
difference between the performance of an
Hi,
it seems that the two discussions are somehow related
the idea of generating only prime candidates not divisible by small primes is
interesting but, due to incremental search, it will not apply to next candidates
however, it may be possible to use bit counting to perform a less biased walk
On 28 May 2014 13:32, nicolas@free.fr wrote:
Hi,
it seems that the two discussions are somehow related
the idea of generating only prime candidates not divisible by small primes is
interesting but, due to incremental search, it will not apply to next
candidates
a) The incremental
deeper into details
- Original message -
From: Ben Laurie b...@links.org
To: OpenSSL development openssl-dev@openssl.org
Sent: Wed, 28 May 2014 14:54:00 +0200 (CEST)
Subject: Re: Re : Re: open ssl rsa key generation improvement idea Prime
generation
On 28 May 2014 13:32, nicolas@free.fr
On Tue, May 27, 2014 at 05:23:45AM +, mancha wrote:
On Mon, May 26, 2014 at 09:01:53PM +, mancha wrote:
On Mon, May 26, 2014 at 08:49:03PM +, Viktor Dukhovni wrote:
On Mon, May 26, 2014 at 08:20:43PM +, mancha wrote:
For our purposes, the operative question is
On Tue, May 27, 2014 at 08:23:29AM +0200, Otto Moerbeek wrote:
On Tue, May 27, 2014 at 05:23:45AM +, mancha wrote:
On Mon, May 26, 2014 at 09:01:53PM +, mancha wrote:
On Mon, May 26, 2014 at 08:49:03PM +, Viktor Dukhovni wrote:
On Mon, May 26, 2014 at 08:20:43PM +,
On 5/26/14 2:01 PM, mancha wrote:
On Mon, May 26, 2014 at 08:49:03PM +, Viktor Dukhovni wrote:
On Mon, May 26, 2014 at 08:20:43PM +, mancha wrote:
For our purposes, the operative question is whether the distribution
bias created can be leveraged in any way to attack factoring (RSA)
or
-owner-openssl-...@openssl.org wrote: -
To: openssl-dev@openssl.org
From: David Jacobson <dmjacob...@sbcglobal.net>
Sent by: owner-openssl-...@openssl.org
Date: 05/27/2014 05:16PM
Subject: Re: Prime generation
On 5/26/14 2:01 PM, mancha wrote: On Mon, May 26, 2014 at 08:49:03PM +, Viktor Du
On Tuesday, 27 May 2014, 17:45:48, Peter Waltenberg wrote:
Hi Peter,
Not quite correct, the prime rands shouldn't come from a DRBG, they
should come from an NRBG (NIST terminology). There's a considerable
difference between the performance of an entropy source and a DRBG.
Not sure where you
On 27 May 2014 08:45, Peter Waltenberg pwal...@au1.ibm.com wrote:
...
I did change the RNG sources for some of the OpenSSL code in our hacked
version to help with the performance problems using the wrong source causes,
for example RSA blinding data can safely come from a DRBG
It may have been unreliable, our version isn't. We hook the RNG callbacks and direct them into our own code. That makes some sense of why OpenSSL hasn't fixed those problems, but that probably should be done now you have decent DRBG's.
As for the prime generation, I'll try to dig up a reference
On 27 May 2014 09:16, Joseph Birr-Pixton jpix...@gmail.com wrote:
On 27 May 2014 08:45, Peter Waltenberg pwal...@au1.ibm.com wrote:
...
I did change the RNG sources for some of the OpenSSL code in our hacked
version to help with the performance problems using the wrong source causes,
for
On 27.05.2014 12:04, Ben Laurie wrote:
On 26 May 2014 21:15, Annie a.you...@informatik.hu-berlin.de wrote:
On 26.05.2014 21:23, Ben Laurie wrote:
On 26 May 2014 19:52, Viktor Dukhovni openssl-us...@dukhovni.org wrote:
On Mon, May 26, 2014 at 07:24:54PM +0100, Ben Laurie wrote:
Finally,
relative to uniformly distributed prime generation.
Mihailescu (of Catalan Conjecture fame) establishes a complexity
equivalence class to argue improved attacks against an incremental
search can be converted to attacks against uniformly distributed prime
generation with comparable runtimes [2
Viktor Dukhovni's view and use an
entropy argument to conclude little or no additional risk exists with
incremental searches relative to uniformly distributed prime generation.
Mihailescu (of Catalan Conjecture fame) establishes a complexity
equivalence class to argue improved attacks against
On Mon, May 26, 2014 at 07:24:54PM +0100, Ben Laurie wrote:
Finally, all of them have a bias: they're much more likely to pick a
prime with a long run of non-primes before it than one that hasn't (in
the case of the DH ones, the condition is slightly more subtle,
depending on parameters, but
On Mon, May 26, 2014 at 08:23:07PM +0100, Ben Laurie wrote:
Where do you see the bias?
They all work by picking a random number and then stepping upwards
from that number until a probable prime is found. Clearly, that is
more likely to find primes with a long run of non-primes before than
On Mon, May 26, 2014 at 08:23:07PM +0100, Ben Laurie wrote:
On 26 May 2014 19:52, Viktor Dukhovni openssl-us...@dukhovni.org
wrote:
On Mon, May 26, 2014 at 07:24:54PM +0100, Ben Laurie wrote:
Finally, all of them have a bias: they're much more likely to pick
a prime with a long run of
On Mon, May 26, 2014 at 08:20:43PM +, mancha wrote:
For our purposes, the operative question is whether the distribution
bias created can be leveraged in any way to attack factoring (RSA) or
dlog (DH).
The maximum gap between primes of size $n$ is conjectured to be
around $\log(n)^2$. If
On Mon, May 26, 2014 at 08:49:03PM +, Viktor Dukhovni wrote:
On Mon, May 26, 2014 at 08:20:43PM +, mancha wrote:
For our purposes, the operative question is whether the distribution
bias created can be leveraged in any way to attack factoring (RSA)
or dlog (DH).
The maximum gap
On Mon, May 26, 2014 at 09:01:53PM +, mancha wrote:
On Mon, May 26, 2014 at 08:49:03PM +, Viktor Dukhovni wrote:
On Mon, May 26, 2014 at 08:20:43PM +, mancha wrote:
For our purposes, the operative question is whether the
distribution bias created can be leveraged in any way