On Tue 2015-05-26 12:57:05 -0400, Hubert Kario wrote:

> creating composites that will pass even 100000 rounds of Miller-Rabin is
> relatively simple....
> (assuming the values for M-R tests are picked randomly)

Can you point me to the algorithms for doing that? This would suggest that we really do want primality proofs (and a good way to verify them).

Do those algorithms hold for creating composites that pass M-R tests for both p and (p-1)/2?

> I'd be against shipping any primes that are not generated from known, expected
> values, like hash of "OpenSSH 1024 bit DH prime, try #1"

This is trying to put some sort of NUMS-y ("Nothing Up My Sleeve") constraint on prime generation -- presumably you'd count up from the hash value until you find something that passes M-R for both p and (p-1)/2, right?

I observe that the values in ./moduli all seem quite similar in that respect (i.e. the values for any given length share most of the same prefix, and differ only in the trailing bits).

Wouldn't primality proofs make this NUMS-y approach less relevant?

--dkg

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
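The "count up from a hash until both p and (p-1)/2 pass Miller-Rabin" procedure sketched above, as an added example that is not from this thread or from OpenSSH's own moduli generator. The label string, the 256-bit size (a 1024-bit search would take far longer in pure Python) and the SHA-256 expansion are illustrative assumptions; the returned offset shows why such values share a long prefix with their seed and differ only in the trailing bits.

```python
import hashlib
import secrets

def miller_rabin(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with randomly chosen bases (probabilistic, not a proof)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 = d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True

def nums_seed(label: str, bits: int) -> int:
    """Expand a public label (assumed construction) into an odd candidate of exactly `bits` bits."""
    nblocks = (bits + 255) // 256
    stream = b"".join(hashlib.sha256(f"{label}:{i}".encode()).digest() for i in range(nblocks))
    x = int.from_bytes(stream, "big") >> (nblocks * 256 - bits)
    return x | (1 << (bits - 1)) | 1

def find_safe_prime(label: str, bits: int, rounds: int = 40) -> tuple[int, int]:
    """Count up (by 2) from the seed until both q=(p-1)/2 and p pass M-R; return (p, offset from seed)."""
    start = nums_seed(label, bits)
    p = start
    while True:
        q = (p - 1) // 2
        if miller_rabin(q, rounds) and miller_rabin(p, rounds):
            return p, p - start
        p += 2

if __name__ == "__main__":
    label = "example DH prime, try #1"   # constructed label, not the one quoted above
    p, offset = find_safe_prime(label, 256)
    print(f"seed   = {nums_seed(label, 256):x}")
    print(f"p      = {p:x}  (offset {offset} from seed)")
```

Anyone can re-run the search from the same label and reach the same p, which is the NUMS property; the offset is tiny relative to 2^256, so the seed and p agree on all but the lowest bits.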