Why does PGP use precomputed primes for DSS/DH?!?
One worry when PGP v5 was first released was its use of precomputed or “canned” values for the finite field and the generator of this field (p and g respectively) in DH, and for p and q in DSS. It is quite acceptable to use public, precomputed values for these parameters [Sch96a], [FIPS186-1], [MOV96], [Kob94], [Sti95]. I would also recommend that the concerned user read [Sch97a]. The concerned user can choose to switch off the “Faster key generation” option if desired (and should be prepared to wait far longer for keys to be produced).

The problem with using canned primes is that a table for a given value of p needs to be computed only once for the field. Breaking individual keys in this field is then a relatively fast operation. Of course, computing a database of factor base logarithms for reasonable parameters is still impossible, but it would seem prudent from a security perspective not to use canned primes for long-term keys [MOV96]. Or in plain English (from [BB99]): “With ElGamal, for example, the expensive key