[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Pure crypto geekery



On 6/10/05, Laurent Fousse <laurent@xxxxxxxxxx> wrote:
> > The DH prime used in Tor is taken from rfc2049, section 6.2 and is
or, rather, rfc2409 - opps.

> I don't understand how your script would show that this prime does not
> have "nasty properties". It merely compute the expression and compares
> it with a reference.

The prime "2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }" is
used all over the place, and any maths work on it will have been done
on it in that form. (I would cite some papers on it, but it's a real
pain to search for numbers). So it's possible that the NSA (as token
bad guy) has fooled everyone about that number - in which case we're
screwed.

But, more likely, they could replace the hex version (which is what
everyone uses) with something different - thus the need to check that
it's actually the right number.

I don't pretend to understand the maths behind some of the weaknesses
of using certain primes but you can see[1] that that number is both
prime and a safe prime with very high probability (but not a Sophie
Germain prime).


[1] http://www.imperialviolet.org/binary/prime_testing.cc
(don't forget to build with -lgmp)


AGL

-- 
Adam Langley                                      agl@xxxxxxxxxxxxxxxxxx
http://www.imperialviolet.org                       (+44) (0)7906 332512
PGP: 9113   256A   CC0F   71A6   4C84   5087   CDA5   52DF   2CB6   3D60