Re: [Cfrg] Security proofs v DH backdoors

Peter Gutmann <> Fri, 28 October 2016 09:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 75F5B1298C4 for <>; Fri, 28 Oct 2016 02:36:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.631
X-Spam-Status: No, score=-4.631 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XrW5zczn9BQe for <>; Fri, 28 Oct 2016 02:36:11 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F2F3A12943B for <>; Fri, 28 Oct 2016 02:36:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=mail; t=1477647370; x=1509183370; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=tvMIc7L9P1OGdQrzvf3fgPG/8T5ui40fJgg3/sEqt8A=; b=X+hsY0oKzNV5KVKZpUmSP2WMUS+TaPubac0VLMd4DXrw6n6J2gYv3Z1C yDhAe1bvXK5TC2/KAA/JCrpYVL47Z7EPu/jBzGbGgwVyDPn2syvqn9vL7 S+KuzSXBfkELSpSWjR6U1XedlS0q5zpa74CB/briCgSHJEPGIIe7V0NKr pDR/OoyqvEN1i4bCfbOM0cjZlbfH9P6AIVtsee/HuaNMR6q2KFqvejNXc BUe+rmVNtD2tn8FMfGhoQ39uao2pItrqTon1TYn9p2hlfPZzIUTv+23JB ZWnwH1sIYe5YRggdVz9YQqt1oJPVCXoK2vj1Gbo0AVLYV6uDxgcUD0FZ9 Q==;
X-IronPort-AV: E=Sophos;i="5.31,557,1473076800"; d="scan'208";a="112466174"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 28 Oct 2016 22:36:07 +1300
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Fri, 28 Oct 2016 22:36:07 +1300
Received: from ([]) by ([]) with mapi id 15.00.1178.000; Fri, 28 Oct 2016 22:36:07 +1300
From: Peter Gutmann <>
To: Hanno Böck <>, Dan Brown <>
Thread-Topic: [Cfrg] Security proofs v DH backdoors
Thread-Index: AQHSMEAWZy2e+SPalEyp/G+CJ2BAv6C9nFXG
Date: Fri, 28 Oct 2016 09:36:07 +0000
Message-ID: <>
References: <> <> <> <> <>, <20161027125120.4d260334@pc1>
In-Reply-To: <20161027125120.4d260334@pc1>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Cc: CFRG <>
Subject: Re: [Cfrg] Security proofs v DH backdoors
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 28 Oct 2016 09:36:12 -0000

Hanno Böck <> writes:

>This line of debate and all the recently released papers show one very
>concerning thing: We haven't learned how to use Diffie Hellman properly

Well, we have, what it really shows is that there are still implementations
around that use it badly.  As there are for almost everything.

>But why should we have this discussion when we already know DH is on its way

It's going to be around for a long, long time, if not forever, for three
reasons.  Firstly, your assumption, which I've heard from others as well,
seems to be based on the browser/web server worldview where you can roll out
an update any time you like to make the server/client do whatever you want it
to.  However, if you look at real-world surveys of TLS traffic, the most
common TLS mode is still 1.0, dating from 1999.  This means that for general
web traffic, not just what Chrome, Firefox, and Edge do, there's at least a
15-year latency for deployment.  In terms of industry bodies, groups like the
PCI council are planning to move to TLS 1.1, from ten years ago, by 2018.
There's no indication of when they'll start looking at TLS 1.2.  Other
industry bodies in the SCADA/embedded space are roughly the same, there's a
gradual move from TLS 1.0 to TLS 1.1 with some mutterings about 1.2 in some

Secondly, DH's replacement, the ECC algorithms, are an absolute non-starter in
any kind of harsh environment.  They're the most brittle crypto you can
possibly deploy, any fault of any kind inevitably ends up leaking the private
key.  I know several industries who, despite its great trendiness, won't touch
the ECC stuff because it's just too brittle to safely use.

Finally, specifically for the Bernstein protocol suite [0] if that's what
you're thinking of for supplanting DH, it's easy enough for someone like
Google to decree that from now on we all have to use X, but many industries
are heavily constrained and regulated and can't just adopt whatever new
algorithm comes along.  Also, hardware support for crypto is almost
universally AES, SHA-1, SHA-2, and sometimes (rarely) some bignum stuff.
You're not going to see any move to TLS 1.3/2.0/whatever-it'll-be-called
outside the web server/client space any time soon there, if ever.

>Chrome already decided to disable it, others will follow. 

That's because Google can decree that from now on we're all going do be doing
what Google wants.  That doesn't work in other industries.


[0] No disrespect to Dan et al intended, I'm just using it as a collective
    noun for 25519, 448, ChaCha, Poly1305, etc because I don't know of any
    other collective term for them.