On Thu, 28 May 2015, Hubert Kario wrote:

> > If this is the only attack you're trying to address, and you've
> > already limited yourself to safe primes, then NUMS properties don't
> > really add anything. The NUMS approach is there to try to avoid
> > the possibility of other, unknown cryptanalytic attacks against some
> > infrequent type of group, so that the entity who defines the group
> > can't force you into this secret corner case if they have special
> > knowledge.
>
> That being said, how would using NUMS seeds to generate a safe prime
> hurt?

If you're concerned about precomputation, then it effectively gives the
attackers a list of what you're going to use in the future.

> Also, doesn't that require us to provide primality certificates for q
> rather than p?

IMO you'd want both to prove a safe prime.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
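The two points in the exchange above (a NUMS seed makes every future group predictable to anyone who knows the seed, and proving a safe prime means proving both p and q = (p-1)/2) can be seen in a few lines of code. The following is an added illustration, not code from OpenSSH or from either poster. It derives candidate q values deterministically from SHA-256(seed || counter), searches for the first safe prime p = 2q + 1, and checks primality with trial division plus Miller-Rabin. The seed string, the counter-based derivation and the 64-bit size are constructed for the example; a real deployment would use a much larger modulus and a published derivation rule.

```python
"""Constructed example: NUMS-style safe-prime derivation from a seed, and a
safe-prime check that tests both p and q = (p - 1) / 2.  Illustration only;
not OpenSSH code.  Bit sizes are kept small so it runs in well under a second."""
import hashlib
import random

# Odd primes below 1000, used for cheap trial division before Miller-Rabin.
_SMALL_PRIMES = [p for p in range(3, 1000, 2)
                 if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]

# Miller-Rabin with bases 2..37 is deterministic below this bound (Sorenson/Webster).
_DETERMINISTIC_BOUND = 3_317_044_064_679_887_385_961_981


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Trial division by small primes, then Miller-Rabin with fixed bases
    (exact below _DETERMINISTIC_BOUND) plus `rounds` extra bases above it."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in _SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    # Write n - 1 = d * 2**s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n >= _DETERMINISTIC_BOUND:
        rng = random.Random(n)          # seeded so repeated calls agree
        bases += [rng.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                # a is a witness: n is composite
    return True


def _seeded_int(seed: bytes, counter: int, bits: int) -> int:
    """Derive an odd integer of exactly `bits` bits from
    SHA-256(seed || counter || block), concatenating blocks as needed.
    This is the constructed derivation rule, not a standard one."""
    out, block = b"", 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    n = int.from_bytes(out, "big") >> (len(out) * 8 - bits)
    return n | (1 << (bits - 1)) | 1    # force top bit and oddness


def nums_safe_prime(seed: bytes, bits: int):
    """Return (p, q, counter) for the first safe prime p = 2q + 1 of exactly
    `bits` bits whose q comes from the seed.  The same seed always yields the
    same p, which is exactly why the seed also tells an attacker what you will
    use next."""
    counter = 0
    while True:
        q = _seeded_int(seed, counter, bits - 1)
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q, counter
        counter += 1


def is_safe_prime(p: int) -> bool:
    """A safe prime needs BOTH p and q = (p - 1) / 2 prime.  Checking only
    one side accepts 13 (q = 6) or 15 (q = 7) by mistake."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


if __name__ == "__main__":
    p, q, ctr = nums_safe_prime(b"constructed example seed", 64)
    print(f"p = {p}  q = {q}  found at counter {ctr}")
    for cand in (23, 13, 15):
        print(f"{cand}: safe prime? {is_safe_prime(cand)}")
```

Running it twice with the same seed gives the same p and counter, which is the precomputation concern: publish the seed and the derivation rule, and the list of future groups is fixed. The checks on 13 and 15 show why a certificate for q alone (or for p alone) does not establish that p is a safe prime.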