back to article Crypto needs more transparency, researchers warn

Researchers with at the French Institute for Research in Computer Science and Automation (INRIA) and the University of Pennsylvania have called for security standards-setters to publish the seeds for the prime numbers on which their standards rely. The boffins also demonstrated again that 1,024-bit primes can no longer be …

  1. Tomato42 Silver badge
    Boffin

    I guess that means that any published and widely used prime should have https://en.wikipedia.org/wiki/Elliptic_curve_primality proof attached...

  2. a_yank_lurker Silver badge

    Cyphers and Codes

    I am not surprised that the implementation of a cypher is flawed. And depending on the implementation I am not surprised if a cypher can not be cracked by brute force attack in a reasonably short period of time. Also, I am not surprised that cypher systems are found to be flawed mathematically. Too many cypher systems were thought to be unbreakable and turned out to be very breakable with improved technology or mathematical analysis.

  3. Anonymous Coward
    Anonymous Coward

    400 core years is completely within reach here and far less than a year to go. Chewing big, hairy numbers is most of what I do.

  4. Rob Moss

    400 core years

    That's not really very much. You can do that in less than an hour on AWS for around $200,000. There are more cost-effective ways to do it, but if your target is worth that much to you then it's pretty easily done.

  5. Nigel Smart
    Holmes

    Bug in article

    The Reg article says " it would be hard to spot by looking at the numbers, but factorisation would be feasible". Primes cannot be factored, since they are prime.

    The attack is against a discrete log system and not a factoring based system. The Reg Hack might have been getting confused between RSA type systems in which big primes are multiplied together to form a public key. The schemes in this paper are different. Nothing is ever factored.

    The aspect the researchers exploit is to write the prime in a "special way". Not all primes can be written in such a way, and the chances are quite small. Thus they call for primes to be generated verifiably at random.

  6. Adam 1 Silver badge

    One issue/feature/fact of life about DH is that whilst on paper it takes however many gazzillion years to reverse, if they are created using the same base seed then the first four phases of the algorithm can be precomputed leaving just a minute or two of actual computations needed on the specific key used.

    Now consider some of those bullet points. A small handful of precomputed keys gets you practical computational access to most of the VPNs in use. Don't get me wrong, precomputing the seed is not cheap, but we live in a time where large CDNs can be overwhelmed by IoT video devices, so the "it would cost too much" argument only holds water if Mallory is paying the bill.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019