Prime and Prejudice: Primality Testing Under Adversarial Conditions

This work provides a systematic analysis of primality testing under adversarial conditions, where the numbers being tested for primality are not generated randomly but are instead supplied by a possibly malicious party. Such a situation can arise in secure messaging protocols where a server supplies Diffie-Hellman parameters to the peers, or in a secure communications protocol like TLS where a developer can insert such a number in order to later passively spy on client-server traffic. We study a broad range of cryptographic libraries and assess their performance in this adversarial setting. As examples of our findings, we are able to construct 2048-bit composites that are declared prime with probability 1/16 by OpenSSL's primality testing in its default configuration, whereas the advertised error probability is 2^(-80). We can also construct 1024-bit composites that always pass the primality testing routine in GNU GMP when it is configured with the recommended minimum number of rounds. And, for a number of libraries (Cryptlib, LibTomCrypt, JavaScript Big Number, WolfSSL), we can construct composites that always pass the supplied primality tests. We explore the implications of these security failures in applications, focusing on the construction of malicious Diffie-Hellman parameters. We show that, unless careful primality testing is performed, an adversary can supply parameters (p, q, g) which on the surface look secure, but for which the discrete logarithm problem in the subgroup of order q generated by g is easy. We close by making recommendations for users and developers. In particular, we promote the Baillie-PSW primality test, which is both efficient and conjectured to be robust even in the adversarial setting for numbers up to a few thousand bits.
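As an added illustration (this is example code, not the paper's or any library's), the following Python implements the Baillie-PSW test the abstract recommends (trial division, perfect-square check, base-2 Miller-Rabin, then a strong Lucas test with Selfridge's parameters) next to a fixed-base Miller-Rabin check of the kind the paper finds in libraries. The composite 3215031751 = 151 * 751 * 28351 is a published value (the smallest strong pseudoprime to bases 2, 3, 5 and 7), not a number from this page; it passes the fixed-base check but is rejected by Baillie-PSW.

```python
import math
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_strong_probable_prime(n, a):  # one Miller-Rabin round of odd n to base a
    s = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = d * 2**s with d odd
    x = pow(a, (n - 1) >> s, n)  # a**d mod n
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False

def miller_rabin_fixed_bases(n, bases=(2, 3, 5, 7)):  # fixed bases, library style
    return n > 2 and n % 2 == 1 and all(is_strong_probable_prime(n, a) for a in bases)

def jacobi(a, n):  # Jacobi symbol (a/n) for odd n > 0
    a, j = a % n, 1
    while a:
        while a % 2 == 0:
            a, j = a // 2, -j if n % 8 in (3, 5) else j
        a, n = n, a
        j = -j if a % 4 == n % 4 == 3 else j
        a %= n
    return j if n == 1 else 0

def is_strong_lucas_probable_prime(n):  # Selfridge's parameters: P = 1, Q = (1 - D)/4
    D = 5  # first D in 5, -7, 9, -11, ... whose Jacobi symbol (D/n) is -1
    while (j := jacobi(D, n)) != -1:
        if j == 0:
            return n == abs(D)  # D shares a factor with n
        D = -D - 2 if D > 0 else -D + 2
    Q, s = (1 - D) // 4, ((n + 1) & -(n + 1)).bit_length() - 1  # n + 1 = d * 2**s
    U, V, Qk, inv2 = 1, 1, Q % n, (n + 1) // 2  # U_1, V_1, Q**1 and 1/2 mod n
    for bit in bin((n + 1) >> s)[3:]:  # binary method over d: double, then step by one
        U, V, Qk = U * V % n, (V * V - 2 * Qk) % n, Qk * Qk % n
        if bit == "1":
            U, V, Qk = (U + V) * inv2 % n, (D * U + V) * inv2 % n, Qk * Q % n
    if U == 0 or V == 0:  # U_d == 0 or V_d == 0 (mod n)
        return True
    for _ in range(s - 1):  # or V_{d * 2**r} == 0 for some 1 <= r < s
        V, Qk = (V * V - 2 * Qk) % n, Qk * Qk % n
        if V == 0:
            return True
    return False

def baillie_psw(n):  # trial division, perfect-square check, base-2 MR, strong Lucas
    if n < 2 or any(n % p == 0 for p in SMALL_PRIMES) or math.isqrt(n) ** 2 == n:
        return n in SMALL_PRIMES
    return is_strong_probable_prime(n, 2) and is_strong_lucas_probable_prime(n)
```

No Baillie-PSW pseudoprime is known, and the test has been verified exhaustively below 2^64, which is why a fixed-base Miller-Rabin that a chosen composite can satisfy is the weaker defence.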
