Re: [Cfrg] Security proofs v DH backdoors

Dan Brown <> Thu, 27 October 2016 14:40 UTC

From: Dan Brown <>
To: John Mattsson <>, Hanno Böck <>
Date: Thu, 27 Oct 2016 14:40:03 +0000
Cc: CFRG <>, Peter Gutmann <>

Yes, ECC is the best, and should be a MUST whenever public key agreement is needed.

But there's still good in DH (classic prime field DH).  Generally, older is better (which is fun to call aegis = age * eyes).

Long term, strongest link crypto should be under consideration; over time, it should become affordable.  (Between two individual end users, what's a few extra milliseconds?)  E.g. ECDH && QRC && RSA && FFDH for key agreement.  (Of course, ECDH || QRC || ... is weakest link, which should be phased out.)

It's really baffling to me that DH, which is so simple mathematically, still has implementation security issues, such as invalid public keys and small subgroups.

But the latest incarnations of Gordon's hidden SNFS-DL issue seem to be a more fundamental problem with DH.

Suppose I need to trust somebody else's DH parameters (maybe some authority's recommendation, e.g. CFRG's).

Is there a way to prove that SNFS-DL does not apply?  I presume that there are heuristic ways to certify DH parameters as likely to be immune: are these standardizable?  Surely, somebody has done this for the IKE groups, or other named DH groups.

If not, then shouldn't I just assume SNFS-DL applies, and insist on an appropriate adjustment of key size?  (Maybe double what I take for GNFS-DL, so 6144 for full-out 128-bit security?)

If I generate my own DH parameters, say randomly, is there a way to formally prove SNFS is at least unlikely to apply?  I presume that this is well-understood, at least heuristically, because it is the same reason why SNFS is indeed special.

More generally, what are the probabilities versus speed-ups in hidden SNFS-DL?  Suppose that I estimate that an authoritative DH prime was drawn from a set of at most 1 million DH primes.  When can I reasonably assume that those 1 million candidates are about as vulnerable to SNFS-DL as random DH primes?  In that case, how much of a speed-up in SNFS-DL can I expect for a 1-in-a-million greatest speed-up?

In ECC, the situation seems clearer.  The known special case non-generic attacks on ECC (the attacks MOV and SASS) are easily detectable.  It seems SNFS-DL is not in the same situation.  On the more generic-group attack front, such as invalid-keys (super-group keys) and Pohlig-Hellman, ECC usually specifies the cofactor (and I still don't know why DH sometimes does not), and there's a bunch of other mitigations (in the standards I am familiar with).

As for randomization/rigidity in ECC, its main purpose is to thwart secret attacks, not known attacks.  These are tenuous mitigations against tenuous attacks.  I find it a little awkward to thwart a known real-world attack (SNFS-DL) using randomization/rigidity techniques.  

Best regards,


-----Original Message-----
From: John Mattsson [] 
Sent: Thursday, October 27, 2016 8:13 AM
To: Hanno Böck <>; Dan Brown <>
Cc: CFRG <>; Peter Gutmann <>
Subject: Re: [Cfrg] Security proofs v DH backdoors

Very much agree with you Hanno, the ONLY reason I can see to still support DH at all is to have a fallback if someone comes up with a way of solving ECDLP faster than O(q^1/2).


On 27/10/16 12:51, "Cfrg on behalf of Hanno Böck" < on behalf of> wrote:

>On Thu, 27 Oct 2016 10:32:17 +0000
>Dan Brown <> wrote:
>> For q=(p-1)/2, literally computing c^q for client public key is very 
>> slow.
>> Why not use a faster alternative, such as checking Legendre symbol 
>> (c/p), use cofactor DH,‎ or use even private keys?
>This line of debate and all the recently released papers show one very 
>concerning thing: We haven't learned how to use Diffie Hellman properly
>- although it's an algorithm at the end of its life.
>I think when I read the logjam paper I became aware of how tricky of an 
>issue this is and how many things can go wrong with DH. It was also the 
>time when I concluded that the best is probably to just move beyond DH.
>Sure, there is probably a way to use DH in a way that reflects all 
>security concerns, is still reasonably performant etc. But why should 
>we have this discussion when we already know DH is on its way out?
>Chrome already decided to disable it, others will follow.
>Is there a good reason to keep DH around? One I'm aware of is that some 
>people think due to its larger size it's more resistant against quantum 
>computers. But I have heard multiple people familiar with QC and 
>pqcrypto that they don't buy that argument.
>I'm not arguing that ECC is simpler, but I'm arguing that we have 
>solved a lot of these issues facing DH already in a better way for ECC:
>By simply not using random parameters which whoever decides, but by 
>using one or two good curves that have all desired properties. We 
>probably could do the same for DH, but we don't have to if DH is 
>deprecated anyway.
>Hanno Böck
>GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
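The invalid-key and small-subgroup problems Dan raises, and the three cheaper alternatives he lists to computing c^q for a safe prime p = 2q + 1 (Legendre symbol, cofactor DH, even private keys), as an added worked example that is not code from the thread or from any standard. The group parameters P, Q and G are a constructed toy safe prime so the script runs instantly; the checks themselves are the same ones a deployment would apply to a fixed group such as the RFC 3526 or RFC 7919 primes.

```python
"""Peer public-key validation for finite-field DH over a safe prime p = 2q + 1.

Constructed example for the CFRG thread above; not code from the list or
from any standard. The group is a toy safe prime chosen so everything runs
instantly; apply the same checks to a real fixed group."""

import secrets

# Toy safe-prime group (constructed): p = 2q + 1 with p and q both prime.
# 4 is a square mod any odd prime, so it generates the order-q subgroup
# of quadratic residues (it is not 1, so its order is q, not 1).
P = 1019
Q = (P - 1) // 2          # 509
G = 4


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, by quadratic reciprocity.
    For prime n this is the Legendre symbol: +1 for squares, -1 for
    non-squares, 0 when n divides a. Only shifts, swaps and reductions,
    so it costs far less than the modular exponentiation it replaces."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def in_range(c: int, p: int) -> bool:
    """Reject out-of-range values and 1, p-1: the elements of order 1 and 2."""
    return 1 < c < p - 1


def valid_by_exponentiation(c: int, p: int, q: int) -> bool:
    """The slow check: c^q == 1 mod p means c lies in the order-q subgroup.
    One full modular exponentiation with a q-sized exponent."""
    return in_range(c, p) and pow(c, q, p) == 1


def valid_by_legendre(c: int, p: int) -> bool:
    """The fast equivalent for safe primes: the order-q subgroup is exactly
    the set of quadratic residues, so (c/p) == 1 is the same test (Euler's
    criterion gives c^((p-1)/2) == (c/p) mod p, and q == (p-1)/2 here)."""
    return in_range(c, p) and jacobi(c, p) == 1


def cofactor_dh(c: int, x: int, p: int):
    """Cofactor DH: square the peer key first, so (c^2)^x is always a
    residue and any order-2 component of c is killed rather than detected.
    The range check stays: c = 1 or p-1 would yield the constant secret 1,
    which is treated as an error instead of being keyed on."""
    if not in_range(c, p):
        return None
    shared = pow(pow(c, 2, p), x, p)
    return None if shared == 1 else shared


def even_private_key(q: int) -> int:
    """An even private key has the same effect as cofactor DH:
    c^x = (c^2)^(x/2) is a residue whatever c was. Returns an even x in [2, 2q-2]."""
    return 2 * (1 + secrets.randbelow(q - 1))


def parity_leak(x: int, p: int) -> int:
    """Why the range check matters: the order-2 element p-1 raised to a secret
    x is 1 when x is even and p-1 when x is odd, so an unchecked peer key of
    p-1 exposes the low bit of x through the resulting shared secret."""
    return pow(p - 1, x, p)


def legendre_matches_exponentiation(p: int, q: int) -> bool:
    """Cross-check over the whole toy group that both validators agree."""
    return all(valid_by_exponentiation(c, p, q) == valid_by_legendre(c, p)
               for c in range(p))


if __name__ == "__main__":
    x = even_private_key(Q)
    print("validators agree on every element:", legendre_matches_exponentiation(P, Q))
    print("G valid:", valid_by_legendre(G, P), " 2 valid:", valid_by_legendre(2, P))
    print("cofactor DH with peer key p-1 ->", cofactor_dh(P - 1, x, P))
```

The Legendre check is the same predicate as the exponentiation for a safe prime, but the reciprocity loop runs in O(log^2 p) bit operations against O(log^3 p) for the modular exponentiation, which is the speed difference Dan is pointing at. Note that the Legendre check alone does not reject c = 1 (it is a residue), so the explicit range check is kept in front of every variant.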