Re: Pure crypto geekery
On 6/10/05, Laurent Fousse <laurent@xxxxxxxxxx> wrote:
> > The DH prime used in Tor is taken from rfc2049, section 6.2 and is
or, rather, rfc2409 - oops.
> I don't understand how your script would show that this prime does not
> have "nasty properties". It merely computes the expression and compares
> it with a reference.
The prime "2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }" is
used all over the place, and any maths work on it will have been done
on it in that form. (I would cite some papers on it, but it's a real
pain to search for numbers). So it's possible that the NSA (as token
bad guy) has fooled everyone about that number - in which case we're
screwed.
But, more likely, they could replace the hex version (which is what
everyone uses) with something different - thus the need to check that
it's actually the right number.
I don't pretend to understand the maths behind some of the weaknesses
of using certain primes but you can see[1] that that number is both
prime and a safe prime with very high probability (but not a Sophie
Germain prime).
[1] http://www.imperialviolet.org/binary/prime_testing.cc
(don't forget to build with -lgmp)
AGL
--
Adam Langley agl@xxxxxxxxxxxxxxxxxx
http://www.imperialviolet.org (+44) (0)7906 332512
PGP: 9113 256A CC0F 71A6 4C84 5087 CDA5 52DF 2CB6 3D60
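The check discussed above, as an added example for this thread (it is not the prime_testing.cc script linked in the mail, and it uses Python instead of C++ with GMP, so it needs nothing beyond the standard library): it re-derives the Oakley MODP prime from the pi-based formula, computing pi to the required precision with Machin's formula in integer fixed point, compares the result against the group 2 hex as transcribed from RFC 2409 section 6.2, and then runs Miller-Rabin on p, (p-1)/2 and 2p+1 to test "prime", "safe prime" and "Sophie Germain prime" respectively. The formula is parameterised by size and rounding constant; the group 1 parameters (768 bits, 149686) are taken from RFC 2409 section 6.1 so the same function covers both groups.

```python
"""Re-derive the Oakley MODP primes (RFC 2409, section 6) from their
nothing-up-my-sleeve formula and check the published hex against it:

    p = 2^n - 2^(n-64) - 1 + 2^64 * ( floor(2^(n-130) * pi) + c )

Added example for this thread, not the prime_testing.cc from the mail.
Pure Python, no GMP: pi is computed with Machin's formula in fixed-point
integer arithmetic, then the candidates are Miller-Rabin tested.
"""

# (n, c) per RFC 2409: section 6.1 (group 1, 768-bit) and 6.2 (group 2, 1024-bit).
OAKLEY_GROUPS = {1: (768, 149686), 2: (1024, 129093)}

# Group 2 prime as printed in RFC 2409 section 6.2 (the "hex version that
# everyone uses").  A transcription error or a tampered copy fails the check.
RFC2409_GROUP2_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF"
)


def arctan_inv(x, prec):
    """2^prec * arctan(1/x) via the Gregory series, integers only.
    Each term is truncated, so the result is low by at most a few ulps
    per term; the caller compensates with guard bits."""
    power = (1 << prec) // x          # 2^prec / x^(2k+1), starting at k = 0
    total = power
    k, sign = 1, -1
    while power:
        power //= x * x
        total += sign * (power // (2 * k + 1))
        sign, k = -sign, k + 1
    return total


def floor_pi_times_2pow(bits, guard=64):
    """floor(pi * 2^bits).  Machin: pi = 16 arctan(1/5) - 4 arctan(1/239).
    The series needs ~210 terms at this precision, so the accumulated
    truncation error is a few thousand ulps; 64 guard bits keep it far
    away from the bits we return."""
    prec = bits + guard
    pi_fp = 16 * arctan_inv(5, prec) - 4 * arctan_inv(239, prec)
    return pi_fp >> guard


def oakley_prime(n, c):
    """The RFC 2412 / RFC 2409 construction for an n-bit prime with rounding
    constant c: all-ones top and bottom 64 bits, pi's bits in the middle."""
    return (1 << n) - (1 << (n - 64)) - 1 + (1 << 64) * (floor_pi_times_2pow(n - 130) + c)


SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71]


def is_probable_prime(n, bases=SMALL_PRIMES):
    """Miller-Rabin.  Fixed small-prime bases are fine for a public constant
    we derived ourselves; a number chosen by an adversary should be tested
    with random bases, since fixed-base Miller-Rabin can be fooled."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group(group):
    """Derive the group's prime and report its bit length, the prime /
    safe-prime / Sophie Germain tests, and the uppercase hex for comparison
    with the RFC text."""
    n, c = OAKLEY_GROUPS[group]
    p = oakley_prime(n, c)
    return {
        "bits": p.bit_length(),
        "prime": is_probable_prime(p),
        "safe": is_probable_prime((p - 1) // 2),        # (p-1)/2 also prime
        "sophie_germain": is_probable_prime(2 * p + 1),  # 2p+1 also prime?
        "hex": format(p, "X"),
    }


if __name__ == "__main__":
    result = check_group(2)
    print("derived hex matches RFC 2409 6.2:", result["hex"] == RFC2409_GROUP2_HEX)
    for key in ("bits", "prime", "safe", "sophie_germain"):
        print(f"{key}: {result[key]}")
```

The hex comparison is the part that matters operationally: it is the only check that catches a copy of the constant that was altered after the formula was published. The primality tests on p and (p-1)/2 confirm the safe-prime property that makes the subgroup structure of Z_p* benign for Diffie-Hellman, and the 2p+1 test simply records whether p also happens to be a Sophie Germain prime, which the construction does not require.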