4

I know that it's possible to generate DH parameters that lead to it being easy to attack (e.g. trivial composite numbers), but is it possible to create a malicious parameter that is not a composite number (and thus passes an arbitrary number of Miller-Rabin tests) but still makes attacking the DH group easy? It should be trivial to detect if the parameters have been generated to intentionally fall victim to the small subgroup attack, and the SNFV becomes impractical with realistic key sizes.

Questions similar to this have been asked before, but they seem to focus on composite numbers.

forest
  • 15,253
  • 2
  • 48
  • 103
  • 1
    The list of weaknesses in poncho's answer to that other question is pretty exhaustive from what is known. – SEJPM Feb 25 '18 at 10:57

1 Answers1

4

[Update: See this answer to another question for an example of a back door that can't be detected, but can probably be excluded by demanding a rigid process like RFC 2412 as was used for all the RFC 3526 groups.]

If there were a known way to put a back door into Diffie–Hellman parameters, it would be excluded by standard criteria for selecting them. poncho's answer to the question you cited provides some examples of criteria we normally use and how to test them and what goes wrong if you don't; there are a couple more references in an answer I wrote.

For finite-field DH, there's little reason to use anything other than the RFC 3526 groups, which use a modulus of the form $$2^n - 2^{n - 64} - 1 + 2^{64} (\lfloor 2^{n - 130} \pi \rfloor + c)$$ where $c$ is the smallest nonnegative integer making this number a safe prime congruent to 7 modulo 8.

For elliptic-curve DH, there's little reason to use anything other than X25519 or X448 except perhaps in exotic applications where essentially the same security criteria might be applied to maximize other performance objectives.

Community
  • 1
Squeamish Ossifrage
  • 48,392
  • 3
  • 116
  • 223