Weak DH primes and openssh

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed May 27 05:10:01 AEST 2015 

On Tue 2015-05-26 14:02:07 -0400, Hubert Kario wrote:
> On Tuesday 26 May 2015 13:43:13 Daniel Kahn Gillmor wrote:
>> On Tue 2015-05-26 12:57:05 -0400, Hubert Kario wrote:
>> > creating composites that will pass even 100000 rounds of Miller-Rabin is
>> > relatively simple....
>> > (assuming the values for M-R tests are picked randomly)
>> 
>> Can you point me to the algorithms for doing that?
>
> OEIS A014233

Hm, this is a sequence, but not an algorithm.  It looks to me like it is
not exhaustive, just a list of those integers which are known to have
the stated property ("Smallest odd number for which Miller-Rabin
primality test on bases <= n-th prime does not reveal compositeness").

Taking the final integer in that sequence (a(11)) fails even the default
25-round M-R test in gmp:

>>> k = gmpy2.mpz(3825123056546413051)
>>> gmpy2.is_prime(k)
False
>>>

Indeed, the arxiv suggests that in 2012 people were still writing proofs
about a(11) for this sequence:

  http://arxiv.org/abs/1207.0063

but i see no evidence that an algorithm for generating a(n) where n is
arbitrarily large exists.   Does such a thing exist?

> yes, using ECPP and distributing proof with the prime (or just placing it on 
> the project website) is a reasonable minimum, that still leaves out the 
> possibility of a backdoor if the initial seed value is random

it sounds like we're heading into the same territory as the ECDH curve
selection discussion -- the theory you're suggesting is that some
safe-prime moduli could themselves have a backdoor that we don't know
about.  Am i understanding you correctly?

I've been talking with several cryptographers for the last year about
finite-field DH (FFDH) and i haven't heard any suggestion that any of
them think there is likely to be such a class of backdoored moduli.

> yes, it would basically exclude the chance that the primes are backdoored, 
> there's still the chance for the values to be composites
>
> for values to be used on this many machines, I'd say we should have primality 
> proofs, not just M-R "guess"

Does anyone have a pointer to any decent free software for generating
and verifying primality proofs?

          --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150526/467bdc1f/attachment.bin>

More information about the openssh-unix-dev mailing list