Re: [Cfrg] Recommended Miller-Rabin iterations?

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Mon, 18 October 2010 16:36 UTC

Date: Mon, 18 Oct 2010 09:38:16 -0700
Message-ID: <EE0C2F9E065E634B84FC3BE36CF8A4B205096A41@xmb-sjc-23e.amer.cisco.com>
In-Reply-To: <8762x3oll7.fsf@mocca.josefsson.org>
References: <8762x3oll7.fsf@mocca.josefsson.org>
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Simon Josefsson <simon@josefsson.org>, cfrg@irtf.org
Subject: Re: [Cfrg] Recommended Miller-Rabin iterations?
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>

Hmmmm, you're thinking about generating DH moduli on the fly?  I'm not
sure if that's the best idea.

With DH using a modulus p, the security of the system depends rather
critically on the factorization of p-1 (and whether p-1 happens to have
any large prime factors).  Now, if you pick a random prime p, well, it's
probable that p-1 will happen to have at least one large factor, but I
don't know if I'd be comfortable on a system that is probably secure.

   (In addition to p-1 having a large prime factor q, the group
generated by g needs to have a subblock of order q.  That turns out to
be extremely probable (probability (q-1)/q if g was selected randomly),
and so I wouldn't worry about that).


Now, it's certainly possible to efficiently generate a modulus p with
p-1 having a large prime factor (say, Lim-Lee primes), but unless you're
going to go through that effort, I'd recommend you use a fixed
known-good prime of the appropriate size (the groups that IKE uses are
quite good for this purpose).


> -----Original Message-----
> From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of
> Simon Josefsson
> Sent: Friday, October 15, 2010 5:24 AM
> To: cfrg@irtf.org
> Subject: [Cfrg] Recommended Miller-Rabin iterations?
> 
> Are there any established recommendations on the number of MR iterations
> that crypto software should perform when generating primes?  My context
> is DH parameters for TLS DHE, but pointers to recommendations that apply
> to RSA prime generation would be appreciated too.  RFC 5246 and RFC 3447
> are rather silent on this topic, or I missed it.
> 
> /Simon