Weak DH primes and openssh

Damien Miller djm at mindrot.org
Sat May 23 20:16:04 AEST 2015

On Fri, 22 May 2015, Daniel Kahn Gillmor wrote:

> PS Darren, has there been any attempt at generating primality proofs for
>    the values in ./moduli, as opposed to 100 rounds of Miller-Rabin?  It
>    would be a shame for a pseudoprime to slip in, however unlikely that
>    would be.

I looked at it a few years ago, but couldn't figure out a way to
generate provable safe primes. I'd love someone to get this working.

AFAIK the number of Miller-Rabin tests we do is many times more than
OpenSSL's baseline BN_is_prime() false positive rate of 2^-80.


More information about the openssh-unix-dev mailing list