Re: Weak DH primes and openssh

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Tue, May 26, 2015 at 03:10:01PM -0400, Daniel Kahn Gillmor wrote:
> Does anyone have a pointer to any decent free software for generating
> and verifying primality proofs?
> 
>           --dkg

OpenSSH generates strong pseudoprimes to k random bases (that if prime
would be "safe primes"). I think Darren uses k=100 (confirmation?) so
the way the math works out, each number he generates has at most a
1/(4^100) probability of being composite.  

In comparison, it's estimated the odds of getting crushed to death by a
vending machine are 1 in 112 million.

Death-by-chocolate-bar is about
14,347,661,109,455,270,317,338,947,253,046,094,665,376,812,444,489,221
more likely to happen to you than having a given "Darren-prime" turn out
to be composite.

The take-away, of course, is to always snack responsibly.

Nonetheless, the most we can currently say is the numbers are almost
surely prime. Certainty would be nice.

ECPP is the fastest prime proving algorithm that also provides
certificates (I think) and PRIMO is the king-of-the-hill implementation
(others exist but are significantly slower with bigger numbers).

Though as you mentioned PRIMO's not libre (just free), the math in the
certificates is open-source and that's really the critical part here.

The proofs themselves are sequences of steps that at each step (except
the last) prove a number N is prime if a smaller number R is prime.
Every subsequent step takes its N from the previous step's R and this
continues until we arrive at an R < 34*10^13 because such an R can be
proven prime if it is a strong pseudoprime to the base of the 7 primes
smaller than 19 (i.e. 2, 3, 5, 7, 11, 13, 17)

TL;DR

With PRIMO's help, I've proved the first 200 strong pseudoprimes in
the latest v1.12 moduli file are indeed prime. Darren, so far you're
batting a thousand!

I've uploaded my proofs to factordb.com for independent verification
and complementary confirmation proofs.

For example, check out the 4th prime in Darren's new moduli file: 

https://tinyurl.com/pg66aq5

As I write this I've checked through #209. Those with spare CPU cycles
on 64-bit Linux can help with the 65 strong pseudoprimes remaining
(#210 to #274). 

Those who wish to help should get PRIMO [1] and grab the full set of
input files I made:

http://sf.net/projects/mancha/files/misc/openssh-moduli-20150522_primo.tar.bz2

The 7680-bit moduli (#225 - #248) and 8192-bit moduli (#249 - #274) are
up for grabs. Probably best if you claim your range to avoid effort
duplication.

--mancha

PS In addition to factordb.com, ecpp-dj [2] can verify PRIMO certs.
ecpp-dj also proves primality but it is slower than PRIMO and more
importantly its cert format can't be independently verified.

------

[1] http://www.ellipsa.eu/public/primo/files/primo-411-lx64.7z
[2] http://sti15.com/nt/ecpp-dj-1.04.tar.gz

Attachment: pgprgfdu1fXGz.pgp
Description: PGP signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux