WTF. Accepting a prime as untrusted input should require a primality certificate from the party providing it. https://twitter.com/IACR_News/status/1030419487995117568
Anything less (e.g. just more rounds of tests) risks vulnerabilities in the test via clever construction of the fake prime. Not sure if any such attacks exist but seems theoretically plausible.
Replying to @RichFelker
Abstract seems to suggest a dud prime in D-H exchange can create a backdoor via subgroup discrete log. /me downloading ...
Replying to @n1vux
I'm talking about vulns against heuristic prime tests themselves, not against software performing inadequate or no tests.
Replying to @RichFelker
They claim 1/16 success against one suite; that sounds heuristic.
It would be more like 1/2^80 if an adequate number of rounds were used for non-random input, under known attacks. But in theory worse attacks may exist.
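The certificate-based acceptance @RichFelker describes above, as an added example that is not part of the thread or of the cited paper: a Pratt (Lucas) certificate verifier in Python, next to a plain Miller-Rabin test that shows why fixed-base rounds alone are a weaker check. The function names (`verify_pratt`, `make_pratt`, `forged_certificate`), the tuple layout of a certificate, and the demo value 2047 = 23 × 89 (a textbook strong pseudoprime to base 2) are my own choices for the demo, not anything from the thread.

```python
"""Pratt certificate verification for an untrusted prime.

A Pratt certificate for an odd n is a witness a plus certificates for the
distinct prime factors q of n-1 such that
    a^(n-1) == 1 (mod n)   and   a^((n-1)/q) != 1 (mod n) for every q.
By Lucas' theorem this proves n prime; nothing probabilistic is involved, so
a composite cannot be "constructed" to pass the way it can against a fixed-base
Miller-Rabin test.  Added example; not code from the thread or the paper.
"""
import random

# Certificate layout (chosen for this demo): (n, witness, [sub-certificates]).
# The prime 2 is the base case and carries no witness.


def miller_rabin(n, bases):
    """Strong probable-prime test over the given bases.  True means n survived
    every base; a composite can still survive if the bases are predictable."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        a %= n
        if a in (0, 1, n - 1):
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def small_factors(m):
    """Distinct prime factors by trial division; fine for the demo sizes here."""
    fs, p = [], 2
    while p * p <= m:
        if m % p == 0:
            fs.append(p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        fs.append(m)
    return fs


def verify_pratt(cert):
    """Deterministic check run by the party *accepting* the prime."""
    n, a, subs = cert
    if n == 2:
        return True
    if n < 2 or n % 2 == 0:
        return False
    # The sub-certificates must verify and must account for all of n-1.
    m = n - 1
    for sub in subs:
        q = sub[0]
        if not verify_pratt(sub) or m % q != 0:
            return False
        while m % q == 0:
            m //= q
    if m != 1:
        return False
    # Lucas conditions on the witness.
    if not 1 < a < n or pow(a, n - 1, n) != 1:
        return False
    return all(pow(a, (n - 1) // sub[0], n) != 1 for sub in subs)


def make_pratt(n):
    """Built by the party *providing* the prime; None when n is composite."""
    if n == 2:
        return (2, None, [])
    if n < 2 or small_factors(n) != [n]:
        return None
    qs = small_factors(n - 1)
    subs = [make_pratt(q) for q in qs]
    for a in range(2, n):  # a primitive root always exists for prime n
        if pow(a, n - 1, n) == 1 and all(pow(a, (n - 1) // q, n) != 1 for q in qs):
            return (n, a, subs)
    return None


def forged_certificate():
    """Constructed for the demo: 2047 = 23 * 89 submitted with witness 2 and
    genuine sub-certificates for the factors of 2046 = 2 * 3 * 11 * 31."""
    return (2047, 2, [make_pratt(q) for q in (2, 3, 11, 31)])


if __name__ == "__main__":
    print("2047 passes Miller-Rabin with fixed base 2:", miller_rabin(2047, [2]))
    rnd = [random.randrange(2, 2046) for _ in range(40)]
    print("2047 passes Miller-Rabin with 40 random bases:", miller_rabin(2047, rnd))
    print("forged certificate for 2047 verifies:", verify_pratt(forged_certificate()))
    print("certificate for 65537 verifies:", verify_pratt(make_pratt(65537)))
```

`verify_pratt` never has to guess: it either recomputes the Lucas conditions from the submitted witness and factor certificates or rejects, which is the point of demanding a certificate rather than running more rounds of a heuristic test on an input the other side chose.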