Prime, Order Please! Revisiting Small Subgroup and Invalid Curve Attacks on Protocols using Diffie-Hellman

Diffie-Hellman groups are a widely used component in cryptographic protocols in which a shared secret is needed. These protocols are typically proven to be secure under the assumption that they are implemented with prime order Diffie-Hellman groups. However, in practice, many implementations either choose to use non-prime order groups for reasons of efficiency, or can be manipulated into operating in non-prime order groups. This leaves a gap between the proofs of protocol security, which assume prime order groups, and the real world implementations. This is not merely a theoretical possibility: many attacks exploiting small subgroups or invalid curve points have been found in the real world. While many advances have been made in automated protocol analysis, modern tools such as Tamarin and ProVerif represent DH groups using an abstraction of prime order groups. This means they, like many cryptographic proofs, may miss practical attacks on real world protocols. In this work we develop a novel extension of the symbolic model of Diffie-Hellman groups. By more accurately modelling internal group structure, our approach captures many more differences between prime order groups and their actual implementations. The additional behaviours that our models capture are surprisingly diverse, and include not only attacks using small subgroups and invalid curve points, but also a range of proposed mitigation techniques, such as excluding low order elements, single coordinate ladders, and checking the elliptic curve equation. Our models thereby capture a large family of attacks that were previously outside the symbolic model. We implement our improved models in the Tamarin Prover. We find a new attack on the Secure Scuttlebutt Gossip protocol, independently discover a recent attack on the Tendermint protocol, show how our analysis finds previous Bluetooth attacks, and evaluate the effectiveness of the proposed countermeasures.
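The small subgroup attack the abstract refers to, worked through in Python on toy finite-field parameters. This is an added example and not code from the paper or from its Tamarin models; the prime p = 30030·q + 1 (so that p − 1 has the small factors 2, 3, 5, 7, 11, 13), the transcript bytes, and the HMAC-tag oracle that stands in for the victim's next protocol message are all constructed here for illustration. The attacker sends an element of small order r instead of a real public key, learns b mod r by brute-forcing the r possible tags, and combines the residues with the Chinese remainder theorem. The same block shows two of the countermeasures the abstract lists: rejecting any received element that is not in the prime-order subgroup (the full public-key validation check of NIST SP 800-56A) and clearing the cofactor so that low-order components collapse to 1.

```python
"""Lim-Lee small subgroup key recovery against finite-field DH, and two fixes.
Added illustration; all parameters are constructed at runtime, not real ones."""
import hashlib
import hmac
import secrets

SMALL_FACTORS = [2, 3, 5, 7, 11, 13]
SMOOTH = 30030                      # product of SMALL_FACTORS = the cofactor
TRANSCRIPT = b"constructed transcript: attacker_pub || victim_pub"  # hypothetical


def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for a in bases:
        if n % a == 0:
            return n == a
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params():
    """Toy group: p = SMOOTH*q + 1 with q prime and 13 < q < SMOOTH, so the
    intended prime-order subgroup (order q) is distinct from the small
    subgroups, and a secret b < q is fully determined by b mod SMOOTH."""
    q = 17
    while not (is_prime(q) and is_prime(SMOOTH * q + 1)):
        q += 1
    p = SMOOTH * q + 1
    h = 2
    while pow(h, SMOOTH, p) == 1:   # any h whose cofactor power is non-trivial
        h += 1
    g = pow(h, SMOOTH, p)           # generator of the order-q subgroup
    return p, q, g


def element_of_order(p, r):
    """An element of exact order r in Z_p^* (r must divide p-1)."""
    for h in range(2, p):
        y = pow(h, (p - 1) // r, p)
        if y != 1:
            return y
    raise ValueError("no element of that order")


def derive_key(shared, p):
    nbytes = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(nbytes, "big")).digest()


def valid_public_key(p, q, y):
    """SP 800-56A style full validation: in range and in the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def victim_respond(p, q, b, peer_pub, mode):
    """Victim with secret exponent b computes K = peer_pub^b and returns an
    HMAC over the transcript under the derived key (the attacker's oracle).
    mode: "none" (vulnerable), "validate" (reject invalid elements), or
    "cofactor" (clear the cofactor, then refuse a degenerate secret)."""
    if mode == "validate" and not valid_public_key(p, q, peer_pub):
        return None
    shared = pow(peer_pub, b, p)
    if mode == "cofactor":
        shared = pow(shared, SMOOTH, p)   # kills every small-order component
        if shared == 1:
            return None
    return hmac.new(derive_key(shared, p), TRANSCRIPT, hashlib.sha256).digest()


def crt(residues):
    """Combine (a_i, n_i) pairs with pairwise coprime moduli."""
    x, m = 0, 1
    for a, n in residues:
        x += m * (((a - x) * pow(m, -1, n)) % n)
        m *= n
    return x % m


def small_subgroup_attack(p, oracle):
    """Recover b mod SMOOTH; returns None if the victim rejects every probe."""
    residues = []
    for r in SMALL_FACTORS:
        y = element_of_order(p, r)          # sent in place of a public key
        tag = oracle(y)
        if tag is None:
            return None
        for j in range(r):                  # y^b = y^(b mod r), so r guesses
            guess = hmac.new(derive_key(pow(y, j, p), p), TRANSCRIPT,
                             hashlib.sha256).digest()
            if hmac.compare_digest(tag, guess):
                residues.append((j, r))
                break
    return crt(residues)


def demo():
    p, q, g = make_params()
    b = secrets.randbelow(q - 1) + 1        # victim's private exponent, 1 <= b < q
    recovered = small_subgroup_attack(p, lambda y: victim_respond(p, q, b, y, "none"))
    validated = small_subgroup_attack(p, lambda y: victim_respond(p, q, b, y, "validate"))
    cleared = small_subgroup_attack(p, lambda y: victim_respond(p, q, b, y, "cofactor"))
    return b, recovered, validated, cleared


if __name__ == "__main__":
    print(demo())
```

In a real deployment the victim's exponent is as long as q, so a single run yields only b mod (product of the small factors), which is why the attack is most damaging when the exponent is reused across sessions or when the recovered residues shrink the remaining search enough to finish offline. The cofactor variant is the finite-field analogue of the "exclude low order elements" and clamping approaches the abstract mentions for curves; note that it still needs the `shared == 1` refusal, since otherwise the attacker simply learns nothing and the victim authenticates under an attacker-known key.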
