Safety in Numbers: On the Need for Robust Diffie-Hellman Parameter Validation

We consider the problem of constructing Diffie-Hellman (DH) parameters which pass standard approaches to parameter validation but for which the Discrete Logarithm Problem (DLP) is relatively easy to solve. We consider both the finite field setting and the elliptic curve setting.
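As an added illustration that is not part of the paper, the following Python code shows what a defender-side validator for finite-field Diffie-Hellman parameters (p, q, g) and a received public key can look like. It is the example's own construction: the minimum sizes, the number of Miller-Rabin rounds, and the function names are assumptions, not values the paper specifies. Bases for the primality test are drawn at random rather than from a fixed list, because a fixed, predictable base set is the part of a "standard" check that crafted composites can be made to pass.

```python
import secrets


def miller_rabin(n, rounds=64):
    """Probabilistic primality test using freshly random bases.

    Trial division by small primes first; then `rounds` independent
    strong-probable-prime tests.  A composite survives each round with
    probability at most 1/4, so 64 rounds leave an error bound of 4**-64.
    """
    if n < 2:
        return False
    small_primes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for sp in small_primes:
        if n % sp == 0:
            return n == sp
    # write n - 1 = 2**s * d with d odd
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # uniform base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # witness of compositeness
    return True


def validate_ffdh_params(p, q, g, min_bits=2048, min_q_bits=224):
    """Check a (p, q, g) triple: p and q prime, q | p-1, g of order q.

    Size thresholds are assumed defaults for this example.  Returns
    (ok, list_of_problems) so a caller can log every failed check.
    """
    problems = []
    if p.bit_length() < min_bits:
        problems.append("p too small: %d bits" % p.bit_length())
    if q.bit_length() < min_q_bits:
        problems.append("q too small: %d bits" % q.bit_length())
    if not miller_rabin(p):
        problems.append("p fails primality test")
    if not miller_rabin(q):
        problems.append("q fails primality test")
    if (p - 1) % q != 0:
        problems.append("q does not divide p - 1")
    if not (2 <= g <= p - 2):
        problems.append("g outside [2, p-2]")
    elif pow(g, q, p) != 1:
        problems.append("g does not have order q")
    return (not problems, problems)


def validate_public_key(y, p, q):
    """Accept y only if it lies in the prime-order-q subgroup of Z_p^*.

    This is the per-handshake check that stops a peer from sending a
    value of small order, whatever parameters were agreed.
    """
    return 2 <= y <= p - 2 and pow(y, q, p) == 1


if __name__ == "__main__":
    # Constructed toy parameters, far below any real size threshold:
    # p = 23, q = 11 divides p - 1 = 22, and 2**11 mod 23 == 1.
    print(validate_ffdh_params(23, 11, 2, min_bits=0, min_q_bits=0))
    print(validate_public_key(4, 23, 11))
```

The split into parameter validation and public-key validation matters in practice: the first runs once per parameter set, while the second is cheap enough to run on every exchange and does not depend on trusting how the parameters were generated.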
