
I am struggling with a Diffie Hellman crypto challenge based on a client that uses a static private key. My goal is to trick the client into revealing enough information to reconstruct the private key (2048 bits) of this client.

Let's call the vulnerable client Bob, while I am acting as a malicious Alice. This means that I act as a normal client and I can send arbitrary parameters ($A$, $g$, $p$) to Bob during the handshake. No matter what parameters I use, Bob will always use the same private key $b$ to calculate his public key $B$, which he sends to me.

$B$ is calculated by Bob as follows: $B = g^b \mod p$

My first approach was setting $g = 2$ and $p = 2^{2^{2048}}$, so that mod $p$ doesn't affect the result and I can calculate $\log_2(B)$ to get $b$. Unfortunately this crashes the client and it looks like $p$ cannot be larger than $2^{2048}$.

Next I studied small subgroup confinement attacks, because I am able to set arbitrary values for p and therefore choose it in a way that it allows for small subgroups. But while this allows me to gain some information about the private key, I wasn't able to craft a scheme that allows me to reconstruct the full private key.

I am currently investigating whether I can use the Chinese Remainder Theorem (CRT) to reconstruct the private key with a reasonable amount of data. In theory, I could gather the values $B$ for $2^b \mod p$, iterating $p$ over the prime numbers up to $2^{2048}$, apply CRT, and I will get the correct result, but that's of course not feasible. It would look something like this:

$2^b \equiv 0 \pmod 2$

$2^b \equiv 1 \pmod 3$

$2^b \equiv 4 \pmod 5$

$2^b \equiv 1 \pmod 7$

...

Maybe there is a helpful shortcut because $x = 2^b$, which is usually not the case in the basic CRT. In fact, I can set $g$ to an arbitrary integer, so if any other base than 2 is helpful, I can use it as well. Running CRT with a subset of primes (e.g. from 2 to 9973) shows that the preliminary result for $b$ isn't an integer, because I don't know how to force CRT to only consider results of the form $2^b$.

So, my specific question is, how I can utilize the fact that $x$ for the CRT is of the form $2^b$? And my more generic question is, whether I am on the right track with CRT or if anyone can point me to another type of attack that I can experiment with in this scenario.

Demento
  • Intentionally slightly cryptic hint: what if you use $p$ in A005385? [reference fixed within the 5mn allowance] – fgrieu Feb 01 '21 at 11:42
  • Rather less subtle hint: small group confinement attacks are the way to go; they allow you do deduce $b \bmod q$ for any small prime $q$; is this enough of a hint? – poncho Feb 01 '21 at 13:58
  • @poncho's small group confinement attack can use a single large $p$ with smooth $p-1=\prod q_i$. The attack I was thinking of uses multiple smaller $p_i=2q_i+1$. Both work in the circumstance, I believe. But small group confinement attack has the advantage that it works if the target enforces a range for $p$ – fgrieu Feb 01 '21 at 14:51
  • Thank you both for your hints, @fgrieu and @poncho! I have implemented a solution with a single large $p$ that's basically working. Now I only need a prime $p$ of the right size (large enough for the private key and small enough to not crash the demo application). The only suitable pre-calculated primes I found for this are primorial primes. Unfortunately 1021# is too small and 2657# is too large. Is there an algorithm to construct a suitable prime number $p$ where $p - 1$ is smooth? – Demento Feb 02 '21 at 23:49
  • 1
    When one computes $r\gets\displaystyle\prod_{0<i<k}p_i$ with the $p_i$ moderate distinct consecutive primes, and explore $p\gets 2\,p_0\,r+1$ for successive primes $p_0\ne p_i$, we expect to find a prime $p$ after about $\displaystyle\sum_{0\le i<k}\log p_i$ attempts, which is feasibly many. There remains to select the range for $p_0$ and the other $p_i$. Independently: my method with A005385 has the advantage that all primes involved remain small, and easily found; its drawback is making multiple queries. – fgrieu Feb 03 '21 at 06:45
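The following is an added toy simulation, not code from the question or the commenters, that ties the thread together: it builds a prime $p$ with smooth $p-1$ exactly as fgrieu's last comment describes ($p = 2\,p_0\,r+1$, trying successive $p_0$), uses poncho's observation that a generator of the order-$q$ subgroup makes Bob's reply depend only on $b \bmod q$ (so the CRT runs on residues of $b$, not on $x = 2^b$ as the question tried), and finishes with the parameter check a client like Bob should have applied. The function names, the 64-bit key size (2048 bits in the question) and the seeded key are all constructed for the demo.

```python
"""Added example: why a static DH private key leaks under peer-chosen (p, g).

"Bob" reuses one private key b for every handshake and accepts any (p, g).
Recovery works on b mod q for each small prime q dividing p-1, and the
residues are combined with the CRT. accept_params() is the defender's check.
"""
import random

KEY_BITS = 64                                    # toy size; 2048 in the question
random.seed(1)
BOB_PRIVATE = random.getrandbits(KEY_BITS) | 1   # constructed static key b


def bob_public(p, g):
    """Bob's handshake step: B = g^b mod p, same b every time, no checks."""
    return pow(g, BOB_PRIVATE, p)


def is_prime(n, rounds=24):
    """Miller-Rabin probable-prime test; sufficient for a demo."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def smooth_prime(bits):
    """p = 2 * p0 * r + 1 with r a product of consecutive small odd primes
    (fgrieu's construction): fix r, then try successive primes p0 until p
    is prime.  Returns p and the prime factors of p-1 (the CRT moduli)."""
    r, used = 1, []
    for q in (q for q in range(3, 200) if is_prime(q)):
        r *= q
        used.append(q)
        if 2 * r > 1 << bits:       # 2*r already covers the key space
            break
    p0 = used[-1]
    while True:
        p0 += 2
        if not is_prime(p0):
            continue
        p = 2 * p0 * r + 1
        if is_prime(p):
            return p, [2, p0] + used


def residue_mod_q(p, q):
    """Confinement step for one prime q | p-1: hand Bob a generator h of
    the order-q subgroup, so B = h^b = h^(b mod q), then exhaust the q
    candidates (q is small by construction)."""
    while True:
        h = pow(random.randrange(2, p - 1), (p - 1) // q, p)
        if h != 1:                  # order exactly q because q is prime
            break
    B = bob_public(p, h)
    acc = 1
    for j in range(q):
        if acc == B:
            return j
        acc = acc * h % p
    raise ValueError("no residue found")


def crt(residues, moduli):
    """Incremental CRT; moduli are distinct primes, hence coprime."""
    x, m = 0, 1
    for r, q in zip(residues, moduli):
        t = (r - x) * pow(m, -1, q) % q
        x += m * t
        m *= q
    return x % m, m


def recover_static_key(bits=KEY_BITS):
    """Whole chain: build p, collect b mod q for every q | p-1, combine."""
    p, qs = smooth_prime(bits)
    residues = [residue_mod_q(p, q) for q in qs]
    b, m = crt(residues, qs)
    assert m > 1 << bits            # CRT modulus exceeds the key space
    return b, p


def accept_params(p, g, min_bits):
    """Check Bob should run before exponentiating: p is a safe prime
    (p-1 = 2q, q prime) of acceptable size and g has order q.  The crafted
    p above fails because (p-1)/2 is a product of many small primes."""
    if p.bit_length() < min_bits or not is_prime(p):
        return False
    q = (p - 1) // 2
    if not is_prime(q):
        return False
    return 1 < g < p - 1 and pow(g, q, p) == 1


if __name__ == "__main__":
    b, p = recover_static_key()
    print("recovered key matches:", b == BOB_PRIVATE)
    print("crafted p passes the safe-prime check:", accept_params(p, 2, KEY_BITS))
```

The safe-prime and subgroup check is the minimum; as fgrieu notes, a peer that may still pick $p$ freely can be walked through many small safe primes instead, so the robust fix is a fixed, well-known group with a size floor, and a fresh private key per handshake so that no residue gathered from one exchange says anything about the next.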

0 Answers