--- pgp/src/genprime.c 2018/04/24 16:43:55 1.1.1.7
+++ pgp/src/genprime.c 2018/04/24 16:44:53 1.1.1.8
@@ -289,6 +289,24 @@ static word16 bottom16(unitptr r)
 * Contrary to what you may have read in the literature, empirical evidence
 * shows this test weeds out a LOT more than 50% of the composite candidates
 * for each trial x. Each test catches nearly all the composites.
+ *
+ * Some people have questioned whether four Fermat tests is sufficient.
+ * See "Finding Four Million Large Random Primes", by Ronald Rivest,
+ * in Advancess in Cryptology: Proceedings of Crypto '91. He used a
+ * small-divisor test similar to PGP's, then a Fermat test to the base 2,
+ * and then 8 iterarions of a Miller-Rabin test. About 718 million random
+ * 256-bit integers were generated, 43,741,404 passed the small divisor test,
+ * 4,058,000 passed the Fermat test, and all 4,058,000 passed all 8
+ * iterations of the Miller-Rabin test, proving their primality beyond most
+ * reasonable doubts. This is strong experimental evidence that the odds
+ * of getting a non-prime are less than one in a million (10^-6).
+ *
+ * He also gives a theoretical argument that the chances of finding a
+ * 256-bit non-prime which satisfies one Fermat test to the base 2 is less
+ * than 10^-22. The small divisor test improves this number, and if the
+ * numbers are 512 bits (as needed for a 1024-bit key) the odds of failure
+ * shrink to about 10^-44. Thus, he concludes, for practical purposes one
+ * Fermat test to the base 2 is sufficient.
 */
 static boolean slowtest(unitptr p)
 {
@@ -308,7 +326,7 @@ static boolean slowtest(unitptr p)
 if (testne(is_one, 1)) /* then p is not prime */
 return FALSE; /* return not prime status */
 #ifdef SHOWPROGRESS
- putchar('+'); /* let user see how we are progressing */
+ putchar('*'); /* let user see how we are progressing */
 fflush(stdout);
 #endif /* SHOWPROGRESS */
 }
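Review bot: The comment added above slowtest() quotes error bounds without saying that they hold only for candidates drawn at random. Rivest's figures are averages over randomly generated integers, so they support this test for key generation but say nothing about a number supplied by another party, where composites that pass Fermat tests can be chosen on purpose. I would add a closing sentence such as `These bounds assume p was generated at random by this code; slowtest() must not be used to validate a prime received from an untrusted source.` The phrase "proving their primality" also overstates what Miller-Rabin gives (probable primality), and `Advancess` and `iterarions` are typos. The body of slowtest() lies mostly outside the hunk, so the "four Fermat tests" figure cannot be checked against the code from here.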