
At 06:29 PM 9/12/96 +0000, paul@fatmans.demon.co.uk wrote:
> Stewart> I think they chose a strong prime (form p = 2q+1, q prime), ...
> Strong primes are no longer of any benefit for cryptographic applications.
You're probably right, for today's factoring techniques. For a key you're only planning to use for the next couple of years, you can pretty much ignore strong primes, unless you're stuck with 512-bit keys, in which case you need to glean any crumbs you can. But for a value that needs to last a long time, such as a Diffie-Hellman modulus that's going to be a default value in a standard, and which you're only going to generate once anyway, it makes sense to generate a strong prime in case factoring methods that are affected by it become popular again in the future. It also makes sense to turn loose a bunch of people using different primality tests just in case somebody gets lucky (e.g. crank the test long enough that the probability of non-primality is 10**-9 or 10**-12 instead of just 10**-6).
> Implementing strong primes won't make your code any less secure; it will just take longer to create the keys and won't gain you any security. All the big boys are using elliptic curve factoring methods now, so you really have nothing to gain.
Do Generalized Number Field Sieve and its friends count as elliptic curve methods?

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# <A HREF="http://idiom.com/~wcs">
# You can get PGP software outside the US at ftp.ox.ac.uk/pub/crypto
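
An added example, not part of the original message: a Python sketch of the check discussed above, confirming that a candidate modulus has the form p = 2q+1 with both p and q passing a probabilistic primality test whose round count is derived from the target error bound (10**-6, 10**-9 or 10**-12). The choice of Miller-Rabin, its worst-case bound of 1/4 per round, and all function names are assumptions of this example; the message names no particular test.

```python
import random

def rounds_for(error_exp):
    """Smallest k with 4**-k <= 10**-error_exp (worst-case Miller-Rabin bound)."""
    k = 0
    while 4 ** k < 10 ** error_exp:
        k += 1
    return k

def miller_rabin(n, rounds, rng):
    """True if n passes `rounds` random-base Miller-Rabin tests."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:          # write n-1 as d * 2**s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # this base is a witness: n is composite
    return True

def is_2q_plus_1_prime(p, error_exp=12, rng=None):
    """Check that p and q = (p-1)/2 are both probable primes at the chosen bound."""
    rng = rng or random.SystemRandom()
    k = rounds_for(error_exp)
    return p % 2 == 1 and miller_rabin((p - 1) // 2, k, rng) and miller_rabin(p, k, rng)

def find_modulus(bits, error_exp=12, rng=None):
    """Search random odd q of bits-1 bits until p = 2q+1 passes the check."""
    rng = rng or random.SystemRandom()
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_2q_plus_1_prime(p, error_exp, rng):
            return p
```

Independent parties re-running `is_2q_plus_1_prime` on a published modulus with their own random bases, or with a different test entirely, is the "turn loose a bunch of people" cross-check in code form.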