Could this project be used to expose Diffie-Hellman groups that are booby trapped?


Message boards : NFS Discussion : Could this project be used to expose Diffie-Hellman groups that are booby trapped?

Jesse Viviano
Joined: 1 Jan 15
Posts: 9
Credit: 1,494,798
RAC: 3,852
Message 1714 - Posted: 13 Oct 2016, 21:18:29 UTC

Please see http://arstechnica.com/security/2016/10/how-the-nsa-could-put-undetectable-trapdoors-in-millions-of-crypto-keys/ and http://eprint.iacr.org/2016/961 for background. I do not understand the math behind the research paper that I cited with the second link, but I noticed that the paper mentions the terms GNFS and SNFS, which I have seen this project use. Could someone who understands the math better see if this project could be used to expose bad Diffie-Hellman groups, to see if they are secret back doors? See https://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-10 and https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-8 for lists of Diffie-Hellman and other groups used in IPsec, IKE, and other standards. The research paper mentions standard numbers generated by various government standards bodies as possibly suspect. If one or more of these numbers are proven to be back doors, you could possibly contact the Internet Research Task Force's Crypto Forum Research Group's mailing list at https://www.irtf.org/mailman/listinfo/cfrg to let it know of your results, so that future standards can prohibit the use of groups that are back doors.

Jesse Viviano
Joined: 1 Jan 15
Posts: 9
Credit: 1,494,798
RAC: 3,852
Message 1718 - Posted: 16 Oct 2016, 17:37:10 UTC

Another mailing list to discuss Diffie-Hellman groups is at https://www.ietf.org/mailman/listinfo/saag. I had mistakenly omitted it in my earlier post.

jasonp
Joined: 5 Nov 13
Posts: 10
Credit: 368,336
RAC: 0
Message 1719 - Posted: 19 Oct 2016, 0:09:16 UTC

The booby trap requires a discrete logarithm computation and not a big factorization. The only software that's publicly available and has any hope of performing a really big discrete log job is CADO-NFS, which NFS@Home does not use.
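What a defender can do without any discrete-log computation is recompute a published group from its "nothing up my sleeve" derivation and run the basic sanity checks. The example below is added here and is not code from the thread or from NFS@Home: it rebuilds the IKE MODP primes from the pi-based formula published in RFC 2409 (768/1024-bit) and RFC 3526 (1536/2048-bit) and checks that each is a safe prime whose generator 2 has order q = (p-1)/2. The offset constants are taken from those RFCs; the Miller-Rabin bases are the author's choice for a sanity check, not a primality proof.

```python
# Added example, not from the NFS@Home thread. Recompute the IKE MODP primes
# from the published derivation and check safe-prime / generator properties:
#   p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + c)

# Offsets c as published (768/1024-bit: RFC 2409; 1536/2048-bit: RFC 3526).
MODP_OFFSETS = {768: 149686, 1024: 129093, 1536: 741804, 2048: 124476}


def _arctan_inv(x, scale):
    """Fixed-point arctan(1/x) scaled by `scale` (Gregory series)."""
    total, term, k, sign = 0, scale // x, 0, 1
    while term:
        total += sign * (term // (2 * k + 1))
        term //= x * x
        k += 1
        sign = -sign
    return total


def pi_floor_bits(bits, guard=64):
    """floor(2**bits * pi) via Machin's formula, with `guard` extra bits."""
    scale = 1 << (bits + guard)
    pi_fixed = 16 * _arctan_inv(5, scale) - 4 * _arctan_inv(239, scale)
    return pi_fixed >> guard


def modp_prime(bits):
    """The n-bit MODP prime as defined by the RFC formula above."""
    c = MODP_OFFSETS[bits]
    return (1 << bits) - (1 << (bits - 64)) - 1 + (1 << 64) * (pi_floor_bits(bits - 130) + c)


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases: a sanity check, not a proof."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group(bits, g=2):
    """Checks a defender wants: size, p prime, (p-1)/2 prime, g has order q."""
    p = modp_prime(bits)
    q = (p - 1) // 2
    return {"bits": p.bit_length() == bits, "p_prime": is_probable_prime(p),
            "safe_prime": is_probable_prime(q), "g_order_q": pow(g, q, p) == 1}
```

A recomputed prime that matches the registry value and passes these checks shows the group was generated transparently; it does not, by itself, say anything about the SNFS-friendly construction the paper describes, which is the part that needs a discrete-log computation to expose.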

Jesse Viviano
Joined: 1 Jan 15
Posts: 9
Credit: 1,494,798
RAC: 3,852
Message 1720 - Posted: 25 Oct 2016, 17:53:53 UTC - in response to Message 1719.

Thank you for this information. I guess that this could be a good idea for the future, to kill off any possible kleptography, which is basically backdoored cryptography.
