Field separators

Paul Crowley paul at ciphergoth.org
Mon Jun 6 12:41:08 PDT 2005


Brad Fitzpatrick wrote:
>>We could do without but it's warm fuzzies for the cryptographer at
>>little cost here...
> 
> your call, security dictator.

Just looked at the javax.crypto definitions, and they don't have 
anything for DH over Schnorr groups, only plain DH.  Same for Perl 
implementations, and what I could find of Python ones, and SSH and 
OpenSSL.  And SSH, at least, uses moduli of the form p = 2q + 1, which 
also helps resist the sorts of attack I'm worried about, so long as you 
don't accept values of 1 or p-1 for gx or gy.  Given all that, it's not 
worth being different here.

PKCS #3 (ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-3.asc) recommends 
that the group parameters be chosen by a central authority, though, and 
that's my inclination if it wouldn't offend anyone too much.  We'll just 
use some group parameters that SSH also uses.  The first line in my SSH 
moduli file looks like it would be fine.
-- 
   __
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
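The check described in the post above, as an added example that is not part of the original message or of any project it mentions: a routine that rejects peer DH values of 1 or p-1 in a safe-prime group p = 2q + 1 and, when the generator lies in the order-q subgroup, also requires the peer value to be in that subgroup. The group p = 23, q = 11, g = 2 is a constructed toy, not a real modulus, and all function names are assumptions of this example.

```python
# Added example, not code from the original thread. Validates a peer's
# Diffie-Hellman public value for a safe-prime group p = 2q + 1 so that
# the shared secret cannot be confined to the tiny set {1, p-1}.
# Toy parameters only; primality of p and q is assumed, not checked.
import secrets


def is_safe_prime_form(p: int, q: int) -> bool:
    """Structural check only: p = 2q + 1 with p > 3."""
    return p > 3 and p == 2 * q + 1


def generates_order_q_subgroup(p: int, q: int, g: int) -> bool:
    """True when g lies in the order-q subgroup (g is a quadratic residue)."""
    return 1 < g < p - 1 and pow(g, q, p) == 1


def validate_dh_public_value(p: int, q: int, g: int, y: int) -> bool:
    """Accept y only if it has large order in the group generated by g.

    - y must lie strictly inside (1, p-1): rejects 0, 1 and p-1, the
      values the post says must never be accepted for gx or gy.
    - if g generates the order-q subgroup, y must be in it as well
      (y^q mod p == 1); anything else is not a value g^x could produce.
    - if g spans the full group, the range check already leaves only
      elements of order q or 2q, so nothing further is needed.
    """
    if not is_safe_prime_form(p, q) or not 1 < y < p - 1:
        return False
    if generates_order_q_subgroup(p, q, g):
        return pow(y, q, p) == 1
    return True


def shared_secret(p: int, q: int, g: int, private: int, peer_public: int) -> int:
    """Derive g^(xy) mod p, refusing peer values that fail validation."""
    if not validate_dh_public_value(p, q, g, peer_public):
        raise ValueError("rejected DH public value")
    return pow(peer_public, private, p)


def demo():
    """Honest exchange in the constructed toy group; returns both secrets."""
    p, q, g = 23, 11, 2                      # constructed toy safe-prime group
    x = secrets.randbelow(q - 1) + 1         # private exponents in [1, q-1]
    y = secrets.randbelow(q - 1) + 1
    gx, gy = pow(g, x, p), pow(g, y, p)
    return shared_secret(p, q, g, x, gy), shared_secret(p, q, g, y, gx)
```

In the toy group, 5 is a quadratic non-residue mod 23, so it is rejected even though it is neither 1 nor p-1; 4 = 2^2 is accepted.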