Well, since we already require 56-bit DES in ESP in the interests of promoting basic interoperability, wouldn't a 512-bit prime be similarly sufficient?
*NO*, because you have to break the 56-bit DES separately every time, whereas doing the precomputation for the 512 bit prime is a one-time job. Once anyone has done the precomputation, *all* communications will be open to whoever is in possession of the database. I think there is good reason to believe that if the 512 bit prime is allowed, it will be widely used, and even if it is found breakable, it will not be easily changed (just think about the experience with Sun's "secure" rpc, and how quickly their primes have been changed - and it still has much narrower deployment than what is hoped for ipsec). Let me include below a message I sent to Bill Simpson.
If it is kept, the commercial vendors will probably start using it as default because it is faster than the others, and the state department will pressure them to do so. Then we are again left with too weak aprotections (in other words, pseudo-security which makes people believe they have protection, when they actually don't). After the precomputation, it is apparently cheap enough to crack the exchange that it can be done on a mass scale to all exchanges between a very large number of hosts. I find this very harmful, as it again provides no protection against mass surveillance. We are already too close to an Orwellian society.
The remarks there apply equally well to organized criminals, large corporations, and hostile governments. Or, suppose some group manages to get access to enough idle time, computes the database, and posts it on the Internet. I for one would be willing to contribute CPU time on machines where I have access to help such a group, because I think it is better that it is widely known and publicized when there is little security and privacy. Including the provision for the 512 bit prime is *HARMFUL* and *DANGEROUS*. Export control is not really an issue here, because if companies in the United States cannot provide secure networking, there are other companies in the world that can. Tatu Ylonen <ylo@cs.hut.fi>