Re: [Cfrg] Weak Diffie-Hellman Primes

Mike Hamburg <mike@shiftleft.org> Fri, 16 October 2020 13:07 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B44AC3A0F27 for <cfrg@ietfa.amsl.com>; Fri, 16 Oct 2020 06:07:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.306
X-Spam-Level:
X-Spam-Status: No, score=-1.306 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=shiftleft.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jkpIWCjKhEOD for <cfrg@ietfa.amsl.com>; Fri, 16 Oct 2020 06:07:37 -0700 (PDT)
Received: from astral.shiftleft.org (unknown [54.219.126.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CFDE3A0F22 for <cfrg@irtf.org>; Fri, 16 Oct 2020 06:07:36 -0700 (PDT)
Received: from [192.168.1.2] (51-171-110-134-dynamic.agg2.kny.prp-wtd.eircom.net [51.171.110.134]) (Authenticated sender: mike) by astral.shiftleft.org (Postfix) with ESMTPSA id 0AB4BBB8F0; Fri, 16 Oct 2020 13:07:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shiftleft.org; s=sldo; t=1602853655; bh=b1vvm6wCmbnq/2BY+qCfMuGMClz+puA+HA9abd+H5Qs=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=R+iZlBT0ee3//CUyT0cEq7xscr+KKJU6agKu4xtldnxUseMqqW3dKDZtJ9600kiNM FIZ2YOkHw8wZxkGnOGzhcH2SdawV5U6q8o0lVJb2YnTBaZcMyR47dzTgYtfCo3Tu+N rnDpdQQwaJ4rjUO+pj0oHL/mnJdWqk4kSXIrdoEU=
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Mike Hamburg <mike@shiftleft.org>
In-Reply-To: <19672d78-77de-4744-b9d8-470a18dc3ac0@www.fastmail.com>
Date: Fri, 16 Oct 2020 14:07:32 +0100
Cc: Anna Johnston <jannaston@gmail.com>, cfrg@irtf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <770E332F-B404-45C8-898B-BAD69A9B75A0@shiftleft.org>
References: <07090aa6-1bd1-4a37-810d-6cd95a6f1e7c@www.fastmail.com> <ACF3D521-99D7-4A46-A3E6-2865FE53A816@gmail.com> <19672d78-77de-4744-b9d8-470a18dc3ac0@www.fastmail.com>
To: Michael D'Errico <mike-list@pobox.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/7xzZu-uUxrl2DsZyREpYG4chtfw>
Subject: Re: [Cfrg] Weak Diffie-Hellman Primes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2020 13:07:40 -0000

Hello Mike,



The limiting factor for DH security (and also RSA security) is a very complex
attack algorithm called the Number Field Sieve.  So attacks on 2048-bit DH
safe prime would take time:

* ~ 2^2048 using straightforward brute force
* ~ 2^1024 using collision-based brute force such as Pollard’s Rho
* ~ 2^112 using NFS.

For DSA and sometimes for DH, people use primes p with a generator g
of smaller prime order q, eg q ~ 2^256 here.  This speeds up the operation
at the cost of lower brute-force resistance.  This would reduce the brute
force costs to

* ~ 2^256 using straightforward brute force
* ~ 2^128 using collision-based brute force
* but still ~ 2^112 using NFS

This is generally seen as acceptable, because the cost estimates for rho
attacks are much more certain than for NFS, and are still at an acceptable
level.  Since the security is determined mainly by the best attack, this
doesn’t lower the security.  (Unless NFS at that scale is harder than
projected, but in that case the security is still fine.)

Likewise, your attack slightly speeds up straightforward brute force, but
not (as far as you’ve shown) collision-based brute force or NFS.  So it
doesn’t affect the overall security of DH / DSA.



However, primes of a special form *can* reduce security against the NFS.
But these aren’t primes that specifically begin or end with a lot of 1s, but
rather primes that can be expressed as a low or medium-degree polynomial
with small coefficients.  For example, p = 2^2048 - 1557 would be a poor
choice, because it can be written as a small polynomial, eg

p = x^32 - 1557 with x = 2^64.

I’m not an expert on NFS, so I’m not sure exactly how much security this
knocks off.  Asymptotically you lose about 20% of the bits, (eg 2^112 ->
2^89, which is still out of reach of academics but maybe not large / govt
organizations, especially because most of the work can be amortized
across many discrete logs) but concretely this might be quite different.



Cheers,
— Another Mike

> On Oct 16, 2020, at 3:22 AM, Michael D'Errico <mike-list@pobox.com> wrote:
> 
> Hello,
> 
> Thank you for your message!
> 
> The algorithm I showed should run about 32 times faster
> than brute force, even though it's doing a brute force
> search.
> 
> According to Wikipedia, a 2048-bit Diffie-Hellman prime
> is equivalent to 112 bits for a symmetric key, so perhaps
> the special structure of both 2048-bit published primes
> makes them equivalent to only 107 bits.
> 
> Mike
> 
> 
> On Thu, Oct 15, 2020, at 16:00, Anna Johnston wrote:
>> Hi Michael,
>>  The attack you mentioned is logical. If I am not mistaken, the attack 
>> is recovering, bit by bit, the quotient (v) in the equation: 2^X = vP + 
>> r, where r = 2^X mod P. The fly in the attack is size. 
>> (1) The smallest P in this list is over 700 bits: P > 2^{700}.
>> (2) X is on the order of P, as 2 has order q where P=2q+1.
>> (3) so, 2^X, in its unreduced form, is greater than 2^{2^{700}}
>> (4) That means that v (the quotient) is greater than 
>> 2^{2^{700}}/2^{700}=2^{2^{700}-700} which is still about 2^{2^{700}}, 
>> or 2^{700} bits long. 
>> 
>> This size means that only a minuscule fraction of the quotient bits 
>> could be computed/stored (not enough seconds in time or atoms in the 
>> known universe).
>> 
>> Hope this helps,
>> 
>> Anna
>> 
>>> On Oct 15, 2020, at 09:15, Michael D'Errico <mike-list@pobox.com> wrote:
>>> 
>>> Hi,
>>> 
>>> I've figured out just a bit more.  I'm actually trying
>>> not to work on this problem, but my brain keeps
>>> thinking about it anyway.  The special format of
>>> the prime numbers in RFC's 2409, 3526, and
>>> 7919 allow you to create an interesting device to
>>> calculate the private value from a Diffie-Hellman
>>> public value using on the order of N bits (size of
>>> prime P).
>>> 
>>> The lowest 64 bits of the Diffie-Hellman public
>>> value Y = (2^X mod P) contain a record of when
>>> the mod operation performed a subtraction of a
>>> shifted version of P (see my original message
>>> quoted below).  You can reconstruct a larger value
>>> the modulo operation was working on by adding
>>> back:
>>> 
>>>   uint64 y = Y;    // low 64 bits of public value
>>> 
>>>   Y += y * P;    // mod P touched this number
>>> 
>>> This updated version of Y contains the number
>>> that the mod P operation was working on 64 steps
>>> prior to finishing.  But since the generator was 2
>>> (and 2^X is a solitary 1 followed by a huge string
>>> of zeros), this new larger value of Y will have 64
>>> zeros at the end which can be removed:
>>> 
>>>   Y >>= 64;    // remove 64 zero bits
>>> 
>>> This process can now repeat using the lowest 64
>>> bits of Y again:
>>> 
>>> repeat {
>>> 
>>>   uint64 y = Y;
>>> 
>>>   Y += y * P;
>>> 
>>>   Y >>= 64;
>>> 
>>> } until (???);
>>> 
>>> This process unwinds the modulo P operation all
>>> the way back to 2^X in steps of size 64.  The only
>>> thing missing is the terminating condition, which
>>> I'm pretty sure would be: Y contains a single bit
>>> with value 1 (somewhere in the top 64 bits).  If
>>> so, then the value of y would be zero a few times
>>> in a row and then contain a single one bit.
>>> 
>>> If you can reliably determine when the algorithm
>>> has finished, you could build a device which
>>> computes X from Y using roughly N bits.  It would
>>> be really slow, but it would be guaranteed to find
>>> the answer (32 times faster than brute force
>>> reversing the mod P operation one bit at a time
>>> on average?).
>>> 
>>> Perhaps there is a way to make this algorithm
>>> (much) faster?
>>> 
>>> Even if there isn't, it is very interesting to me that
>>> these primes exhibit such a strange feature.
>>> 
>>> Mike
>>> 
>>> 
>>>> From: Michael D'Errico <mike-list@pobox.com>
>>>> Sent: *Oct 10, 2020 6:01 PM
>>>> To: cfrg@irtf.org
>>>> Subject: [Cfrg] Weak Diffie-Hellman Primes
>>>> 
>>>> Hi,
>>>> 
>>>> I'm not a member of this list, but was encouraged to
>>>> start a discussion here about a discovery I made
>>>> w.r.t. the published Diffie-Hellman prime numbers in
>>>> RFC's 2409, 3526, and 7919.  These primes all have
>>>> a very interesting property where you get 64 or more
>>>> bits (the least significant bits of 2^X mod P for some
>>>> secret X and prime P) detailing how the modulo
>>>> operation was done.  These 64 bits probably reduce
>>>> the security of Diffie-Hellman key exchanges though
>>>> I have not tried to figure out how.
>>>> 
>>>> The number 2^X is going to be a single bit with value
>>>> 1 followed by a lot of zeros.  All of the primes in the
>>>> above mentioned RFC's have 64 bits of 1 in the most
>>>> and least significant positions.  The 2's complement
>>>> of these primes will have a one in the least significant
>>>> bit and at least 63 zeros to the left.
>>>> 
>>>> When you think about how a modulo operation is done
>>>> manually, you compare a shifted version of P against
>>>> the current value of the operand (which is initially 2^X)
>>>> and if it's larger than the (shifted) P, you subtract P at
>>>> that position and shift P to the right, or if the operand
>>>> is smaller than (the shifted) P, you just shift P to the
>>>> right without subtracting.
>>>> 
>>>> Instead of subtracting, you can add the 2's complement
>>>> I mentioned above.  Because of the fact that there are
>>>> 63 zeros followed by a 1 in the lowest position, you will
>>>> see a record of when the modulo operation performed
>>>> a subtraction (there's a one) and when it didn't (there's
>>>> a zero).
>>>> 
>>>> You can use the value of the result you were given by
>>>> your peer (which is 2^X mod P) and then add back the
>>>> various 2^j * P's detailed wherever the lowest 64 bits
>>>> had a value of 1 to find the state of the mod  P operation
>>>> when it wasn't yet finished.  This intermediate result is
>>>> likely going to make it easier to determine X than just a
>>>> brute force search.
>>>> 
>>>> I don't plan to join this list, though I am flattered to have
>>>> been asked to do so.  I'm not a cryptographer.
>>>> 
>>>> Mike
>>> 
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg
>> 
>> 
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg