SRP verifier strength

Tom Holroyd tomh at po.crl.go.jp
Wed Apr 4 15:17:57 EST 2001


On Tue, 3 Apr 2001, Tom Wu wrote:

> Great work on filling in those tables.  Have you investigated the impact
> of using g=2 versus other values (like g being the same size as the
> modulus)?  Are the current numbers with g=2?  Would there be any way to
> test with different math library implementations?

They all used 2 except for two of the smaller primes from the libsrp
distribution (#3 & #5 counting from 0).

+-------+-----+------+-----------------+
| prime | gen | bits | avg(wps)        |
+-------+-----+------+-----------------+
|     2 |   2 |  768 | 1382.4638397217 |
|     3 |   7 |  768 | 1379.6794891357 |
+-------+-----+------+-----------------+

Not so much difference there.

+-------+-----+------+-----------------+
| prime | gen | bits | avg(wps)        |
+-------+-----+------+-----------------+
|     4 |   2 | 1024 | 996.68488616943 |
|     5 |   5 | 1024 | 1033.7584777832 |
+-------+-----+------+-----------------+

Hmm.  5 is actually faster.  It probably depends on the structure of the
primes, too -- like the number of 1 bits, but that's a guess.

I'm sure that using g = big would slow it down, and both the protocol and
implementation support it, so I'll have a look.

I'm not going to try this with anything other than OpenSSL's libcrypto for
now.  Most of the time is spent in the modular exponentiation, of course,
so speeding that up would of course increase the crack rates.

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which
chemical forces are used in repetitious fashion to produce all
kinds of weird effects (one of which is the author)."
	-- Richard Feynman, _There's Plenty of Room at the Bottom_





More information about the openssh-unix-dev mailing list