
Can an attacker construct a DH group, large enough to be considered secure (say, a modulus of 2048-bits), such that the group appears safe, but the attacker is able to solve the DLP in the group easily?

A lot of applications of DH either use a well known modulus, such as from RFC 3526, or generate it themselves, but I'm specifically interested in a scenario where the attacker chooses the group.

One approach is to choose $p$ such that $p-1$ has many small prime factors and then to use a small-subgroup attack. But this can be protected against by requiring $p$ to be a safe prime (so requiring $(p-1)/2$ to also be prime). By "appears safe" I therefore mean that $p$ is a 2048-bit safe prime.

I know the Special Number Field Sieve can make factorization easier for numbers of the form $r^e \pm s$ (with small $r$ and $s$). From "A kilobit special number field sieve factorization" by Lenstra et al., a 1039-bit SNFS factorization would take as much computational power as factoring a "normal" 700-bit RSA modulus, which is a lot easier, but not yet trivial.

This answer suggests it is possible to choose $p$, $q$ and $g$ such that the discrete logarithm problem becomes easy, but doesn't elaborate. How could that work? Is that avoided by using safe primes?

xnyhps

1 Answer

DLP and factorization are very different problems (which cryptocipher gurus consider to be of the same complexity). You can't really compare the choice of using a safe prime p in order to prevent the factorization of n=p*q (recommended for RSA) with the choice of using a prime p where (p-1)/2 has a large factor (recommended for DSA).

Since you are interested in DH and a chosen modulus, one of the tricky recipes for mayhem and chaos is to choose a pseudoprime that passes the tests the victim might run (e.g. a strong primality test to base 2). There are ways to build pseudoprimes which pass Miller-Rabin tests for many, many bases.

But if the attacker can impose its own domain parameters on the victim, it is probably in a position of a man-in-the-middle, and does not need to go through attacks based on weak groups.

Pierre