"William Allen Simpson" writes:
Folks, I was somewhat disappointed in the response to our previous requests for verification of the strength of the prime moduli.
Recently, someone asked for a smaller prime of only 512 bits for speed. This is more than enough for the strength of keys needed for DES, 3DES, MD5 and SHA. Perhaps this would be easier to have more complete and robust verification as well.
I think that this is a very large mistake. Allow me to explain why.

La Macchia (sp?) and Odlyzko (sp?) have a very nice result which shows that once you've done enough precalculation on a particular modulus, you can break any subsequent Diffie-Hellman operation performed on that modulus with (for our purposes) no effort. 512 bits is, from what I can tell, not far out of the realm of possibility for what someone could try to crack with current machines given enough effort.

[Sorry about the spelling. I'm tired, and don't have time to look up your names. I know that Brian at least reads this list and I'm sorry about likely misspelling your name.]

Perry
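An added illustration of the cost model in the reply above (not code from either poster): precomputation is paid once per modulus, after which each exchange under that modulus falls to a much cheaper lookup. It substitutes a baby-step/giant-step table for the index-calculus precomputation of the cited result, on a constructed 31-bit toy modulus; `ModulusTable`, `dh_exchange`, `recover_shared` and `demo` are hypothetical names.

```python
import secrets

P = 2**31 - 1      # constructed toy modulus (31-bit prime), far below real sizes
G = 7              # a primitive root modulo P
TABLE = 1 << 18    # assumed table size; a larger table means cheaper lookups

class ModulusTable:
    """Baby-step table built once for a fixed (p, g) and reused afterwards."""
    def __init__(self, p, g, size):
        self.p, self.m = p, size
        self.baby, x = {}, 1
        for j in range(size):                  # the one-time cost for this modulus
            self.baby.setdefault(x, j)
            x = x * g % p
        self.giant = pow(g, -size, p)          # g^(-size) mod p
        self.rounds = (p - 2 + size) // size   # ceil((p - 1) / size)

    def dlog(self, h):
        """Return (x, steps) with g^x == h (mod p); steps is the per-call cost."""
        gamma = h % self.p
        for i in range(self.rounds):
            j = self.baby.get(gamma)
            if j is not None:
                return i * self.m + j, i + 1
            gamma = gamma * self.giant % self.p
        raise ValueError("h is not a power of g")

def dh_exchange(p, g):
    """One constructed exchange: both public values plus the shared secret."""
    a = secrets.randbelow(p - 3) + 2
    b = secrets.randbelow(p - 3) + 2
    return pow(g, a, p), pow(g, b, p), pow(g, a * b, p)

def recover_shared(table, A, B):
    """Shared secret derived from the public values and the table alone."""
    a, steps = table.dlog(A)
    return pow(B, a, table.p), steps

def demo(sessions=5):
    table = ModulusTable(P, G, TABLE)          # paid once, whatever the session count
    results = []
    for _ in range(sessions):
        A, B, secret = dh_exchange(P, G)
        guess, steps = recover_shared(table, A, B)
        results.append((guess == secret, steps))
    return table.m, results

if __name__ == "__main__":
    build, results = demo()
    print("one-time table steps:", build, "per-session (ok, steps):", results)
```

The point for sizing a shared group is that the modulus has to withstand the one-time effort, since the per-session cost after that is small by comparison.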