I guess that means that any published and widely used prime should have https://en.wikipedia.org/wiki/Elliptic_curve_primality proof attached...
Crypto needs more transparency, researchers warn
Researchers with at the French Institute for Research in Computer Science and Automation (INRIA) and the University of Pennsylvania have called for security standards-setters to publish the seeds for the prime numbers on which their standards rely. The boffins also demonstrated again that 1,024-bit primes can no longer be …
COMMENTS
-
Sunday 9th October 2016 23:39 GMT a_yank_lurker
Cyphers and Codes
I am not surprised that the implementation of a cypher is flawed. And depending on the implementation I am not surprised if a cypher can not be cracked by brute force attack in a reasonably short period of time. Also, I am not surprised that cypher systems are found to be flawed mathematically. Too many cypher systems were thought to be unbreakable and turned out to be very breakable with improved technology or mathematical analysis.
-
-
Monday 10th October 2016 16:43 GMT Nigel Smart
Bug in article
The Reg article says " it would be hard to spot by looking at the numbers, but factorisation would be feasible". Primes cannot be factored, since they are prime.
The attack is against a discrete log system and not a factoring based system. The Reg Hack might have been getting confused between RSA type systems in which big primes are multiplied together to form a public key. The schemes in this paper are different. Nothing is ever factored.
The aspect the researchers exploit is to write the prime in a "special way". Not all primes can be written in such a way, and the chances are quite small. Thus they call for primes to be generated verifiably at random.
-
Monday 10th October 2016 21:50 GMT Adam 1
One issue/feature/fact of life about DH is that whilst on paper it takes however many gazzillion years to reverse, if they are created using the same base seed then the first four phases of the algorithm can be precomputed leaving just a minute or two of actual computations needed on the specific key used.
Now consider some of those bullet points. A small handful of precomputed keys gets you practical computational access to most of the VPNs in use. Don't get me wrong, precomputing the seed is not cheap, but we live in a time where large CDNs can be overwhelmed by IoT video devices, so the "it would cost too much" argument only holds water if Mallory is paying the bill.