[Cryptography] Other obvious issues being ignored?

Watson Ladd watsonbladd at gmail.com
Mon Oct 19 19:47:14 EDT 2015


On Mon, Oct 19, 2015 at 6:05 PM, Joshua Hill <josh-crypto at untruth.org> wrote:
> On Mon, Oct 19, 2015 at 01:10:30PM +0000, Thierry Moreau wrote:
>> The recent realization that public key cryptosystems having common
>> parameters (DH) may be vulnerable from the very fact that they rely on
>> common parameters is puzzling to me.
>
> These aren't unknown; if you read through papers that present the
> sieving-based discrete log algorithms, this sort of thing is commonly
> parenthetically mentioned. The "Imperfect forward security" paper did us
> the service of putting tab A into slot B, and then actually highlighting
> the reach of the result.
>
> I'd suggest (after going through the painful exercise of chasing down
> the specifics of exactly which DH parameters were in common use about a
> year ago) that it's a case of the people who know about these algorithm
> characteristics not really being that interested in the (often poorly
> documented or completely un-documented) implementation details, and
> those doing the implementation not knowing.

There were plenty of guidelines from NIST and others that said that
1024 bit DH should not be expected to provide any security after 2014.
One example is from 2007. You even had Suite B guidelines pointing out
ECC was much more efficient with higher security.
(one example: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf)
>
> To help with this, I suggest the following: if you implement a system
> that uses cryptographic constants, document what constants you use,
> how you arrived at these constants, and why you decided to use them.
>
>> What other "obvious" questions are we ignoring?
>
> I realize that this is intended as a rhetorical question, but I'll
> mention one thing that falls into the same category.
>
> If you know the factorization of the order of the group, you can apply
> Pohlig-Hellman to decompose the discrete log problem on a large group
> into several discrete log problems on (perhaps much!) smaller groups. This
> was traditionally coupled with the Pollard-rho algorithm or brute force,
> but in cases where more modern discrete log algorithms work, you can
> just as well use these more advanced algorithms to solve the subproblems.

This is not true. The size of the numbers that need to be smooth
depends on the modulus, which Pohlig-Hellman doesn't reduce.
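As an added illustration (example code written for this archive page, not code from either poster), the following Python shows both halves of the exchange above: the Pohlig-Hellman decomposition Joshua describes, run over a constructed toy prime whose group order is smooth so every subproblem is tiny, and the check a defender actually wants, namely whether a modulus is a safe prime p = 2q + 1 so that the decomposition yields nothing beyond a factor of two. All parameters (2521, 2039, the secret exponents) are constructed for the demonstration; the trial-division factoring and brute-force subgroup logs are only meant for toy sizes. Note that, as Watson points out, passing the safe-prime check says nothing about the index-calculus cost, which is governed by the size of the modulus itself.

```python
import random

# Added example (not from the mailing-list thread): Pohlig-Hellman over a toy
# prime field, plus the parameter check a defender wants (is p a safe prime,
# so the only subgroups are of order 2 and q?).

def is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for this demonstration."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def factor(n):
    """Trial division into {prime: exponent}; fine for toy orders only."""
    out, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            out[d] = out.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        out[n] = out.get(n, 0) + 1
    return out

def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime m_i."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        t = (r - x) * pow(m, -1, mi) % mi
        x += m * t
        m *= mi
    return x % m

def dlog_small(g, h, p, q):
    """Brute-force log in the order-q subgroup: smallest x with g^x == h."""
    for x in range(q):
        if pow(g, x, p) == h:
            return x
    raise ValueError("h not in the subgroup generated by g")

def pohlig_hellman(g, h, p, n):
    """Return x with g^x == h (mod p), given that g has order n mod p.
    Each prime power q^e dividing n yields an independent subproblem."""
    residues, moduli = [], []
    for q, e in factor(n).items():
        qe = q ** e
        g_i = pow(g, n // qe, p)             # order exactly q^e
        h_i = pow(h, n // qe, p)
        gamma = pow(g_i, q ** (e - 1), p)    # order exactly q
        x = 0
        for k in range(e):                   # lift one base-q digit at a time
            g_inv_x = pow(g_i, qe - x, p)    # g_i^(-x), since g_i has order q^e
            h_k = pow(g_inv_x * h_i % p, q ** (e - 1 - k), p)
            x += dlog_small(gamma, h_k, p, q) * q ** k
        residues.append(x)
        moduli.append(qe)
    return crt(residues, moduli)

def is_safe_prime(p):
    """p = 2q + 1 with p and q prime: Pohlig-Hellman then splits the group only
    into orders 2 and q, so it buys nothing against the q-order subgroup."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def find_generator(p):
    """Generator of the full multiplicative group mod a toy-sized prime p."""
    n = p - 1
    for g in range(2, p):
        if all(pow(g, n // q, p) != 1 for q in factor(n)):
            return g
    raise ValueError("no generator found")

def demo(p, secret):
    """Recover a constructed secret exponent; returns (recovered x, safe prime?)."""
    g = find_generator(p)
    h = pow(g, secret, p)
    x = pohlig_hellman(g, h, p, p - 1)
    return x, is_safe_prime(p)

if __name__ == "__main__":
    # Constructed toy parameters: 2521 - 1 = 2^3 * 3^2 * 5 * 7 is smooth, so the
    # log splits into tiny subgroups; 2039 = 2 * 1019 + 1 is a safe prime.
    print(demo(2521, 1234))   # (1234, False)
    print(demo(2039, 777))    # (777, True)
```

With p = 2521 the largest subproblem has order 9, which is why the decomposition is so effective against a smooth group order; with the safe prime 2039 the only nontrivial subproblem has order 1019, the same size as the original group up to a factor of two. For real parameter sets the safe-prime test (or, for non-safe primes, a check that the generator's order has a known large prime factor) is the useful part; the smoothness bound that index-calculus and NFS attacks depend on is set by the modulus size, not by anything this decomposition changes.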
