[Cryptography] Zoom publishes draft cryptographic design for end-to-end encryption

Florian Weimer fw at deneb.enyo.de
Thu Jun 4 12:52:18 EDT 2020

* Peter Gutmann:

> I would avoid widely-used parameter sets for an entirely different reason,
> namely the "don't be a target" defense strategy, one of the most effective
> types of defence there is.  If you use the same parameters as any widely-used
> protocol, IPsec's DH parameters [1] or the Bitcoin parameters, you make
> yourself collateral damage to any attacker willing to commit the resources to
> break IPsec or help themselves to BTC.

It's hard to draw the line between parameters and algorithms in some

My understanding this kind of security by obscurity still has a bad
reputation when it comes to algorithms, although I suspect that it
works there as well.

> [1] I've never understood why IPsec and the cargo-cult protocols that reused
>     the parameters from it fixed on a single set of DH parameters.  IPsec is
>     possibly one of the most unnecessarily flexible protocols in the world
>     where absolutely everything is up for negotiation, but there's one single
>     set of parameters that every single user has to share to create a single
>     point of failure for attackers to exploit.

It assumes that choosing suitable parameters is easy.  There must have
been a time when people were unsure about this when it came to DH
parameters.  It also does not help that parameter generation is very,
very slow, at least in common implementations.

I'm pretty sure there used to be a widespread design constraint in
early mass-market cryptography, with an assumption that non-hostile
users would use hostile implementations.  This discouraged any use of
randomness that can be observed publicly.

Beside DH parameters, the other rather astonishing example is the
public RSA exponent.  You cannot even use a random value there anymore
because some implementations do not allow an arbitrary-precision
integer for it:

| type PublicKey struct {
|     N *big.Int // modulus
|     E int      // public exponent
| }


More information about the cryptography mailing list