diff options
| author | tb <> | 2022-07-13 06:32:15 +0000 |
|---|---|---|
| committer | tb <> | 2022-07-13 06:32:15 +0000 |
| commit | 5ea8d38a139473bb8fbd45e992820e2e6c2cc48a (patch) | |
| tree | 5531c91a8ea662fd9d7b17a8acb01ef94358e585 /src/lib/libcrypto/man/DH_generate_parameters.3 | |
| parent | 10f62c54fd5691cd09377d5cae11e191ccd1fa4d (diff) | |
| download | openbsd-5ea8d38a139473bb8fbd45e992820e2e6c2cc48a.tar.gz openbsd-5ea8d38a139473bb8fbd45e992820e2e6c2cc48a.tar.bz2 openbsd-5ea8d38a139473bb8fbd45e992820e2e6c2cc48a.zip | |
Implement the Baillie-PSW primality test
It has long been known that pure Miller-Rabin primality tests are
insufficient. "Prime and Prejudice: Primality Testing Under Adversarial
Conditions" https://eprint.iacr.org/2018/749 points out severe flaws
in many widely used libraries. In particular, they exhibited a method to
generate 2048-bit composites that bypass the default OpenSSL (and hence
LibreSSL) primality test with a probability of 1/16 (!).
As a remedy, the authors recommend switching to using BPSW wherever
possible. This possibility has always been there, but someone had to
sit down and actually implement a properly licensed piece of code.
Fortunately, espie suggested to Martin Grenouilloux to do precisely this
after asking us whether we would be interested. Of course we were!
After a good first implementation from Martin and a lot of back and
forth, we came up with the present version.
This implementation is ~50% slower than the current default Miller-Rabin
test, but that is a small price to pay given the improvements.
Thanks to Martin Grenouilloux <martin.grenouilloux () lse ! epita ! fr>
for this awesome work, to espie without whom it wouldn't have happened,
and to djm for pointing us at this problem a long time back.
ok jsing
Diffstat (limited to 'src/lib/libcrypto/man/DH_generate_parameters.3')
0 files changed, 0 insertions, 0 deletions