I have not written any code, but have just been thinking about what is going on and I am pretty sure that the bottom 64 bits of 2^X mod P tell you information which can help you determine X. The top bits are also suspect but I haven't worried about those yet. My original message below explains which primes I'm talking about.
They all have a solid block of 64 bits with value one in both the uppermost and bottom-most bit positions. This construction seems to make the primes a very bad choice for use with a Diffie-Hellman key exchange. If you think about how a modulo operation takes place (the long way, one bit position at a time), you compare the operand to (a shifted version of) P and if it's bigger you subtract P and shift P one bit to the right. If the operand is not bigger than P, you just shift P one bit to the right without doing a subtraction. Due to the construction of all of the primes in the RFCs cited below, you will get a trace of this in the bottom 64 bits. There will be a one whenever a subtraction occurred and a zero otherwise. This is because if you calculate the two's complement of the prime (followed by a bunch of zeros), there will be a lone 1 preceded by at least 63 zeros. Instead of subtracting, you can add this two's complement number, so a 1 will be placed wherever a subtraction happened or a 0 if there was no subtraction. I've not worked out how to use these 64 bits to then reconstruct X, but this seems like it was purposeful so I'm fairly certain it reduces the complexity of determining X from 2^X mod P. (In fact, there may be a use for more than just 64 of the bottom bits.) A private discussion I had seems to indicate that these particular primes would be bad even with a different generator (because number theory). I am hopeful that it's possible to construct better primes which are more secure than these (even using a generator of 2) for use with Diffie-Hellman. Mike On Thu, Oct 8, 2020, at 13:54, I wrote: > Using finite-field Diffie-Hellman with a generator > of 2 is probably not the best choice. Unfortunately > all of the published primes (RFCs 2409, 3526, and > 7919) use 2 for the generator. Any other generator > would likely be (not sure how much?) more secure. > > The problem is that 2^X consists of a single bit of > value 1 followed by a huge string of zeros. When > you then reduce this modulo a large prime number, > there will be a pattern in the bits which may help > an attacker discern the value of X. This is further > helped by the fact that all of the published primes > have 64 bits of 1 in the topmost and bottom-most bits. > In addition, the larger published primes are very > similar to the shorter ones, the shorter ones closely > matching truncated versions of the larger primes. > > If you were to manually perform the modulo-P operation > yourself, you would add enough zeros to the end of P > until the topmost bit is just to the right of the 1 > bit from 2^X, and then you'd subtract. This bit > pattern will always be the same, no matter the value > of X. In particular, the top 64 bits disappear since > they're all one. Continuing the mod-P operation, you > adjust the number of zeros after the prime P and then > subtract again, reducing the size of the operand. The > pattern of bits again will be the same, regardless of > the value of X, the only difference being the number > of trailing zeros. > > I have not looked at the cyclic patterns which happen > as you do this, but I wouldn't be surprised to find > that the "new" primes based on e (RFC 7919) have > easier-to-spot bit patterns than those based on pi. > > This is speculation of course. > > Should we define some new DH parameters which use a > different generator? Maybe the primes are fine.... > > Mike _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
