31

Recently someone found that a Diffie-Hellman modulus used in a unix tool (socat) was not prime. This led some people to shout "backdoor".

What I don't understand is, how could this allow for a backdoor?

I'm guessing the problem could be small subgroup attacks. But this can be as much of a problem as when the modulus is prime. Or better: a non-prime group could have a big prime subgroup while a prime group could have small prime subgroups.

Thoughts?

It seems like Pohlig–Hellman could be one answer: you can compute the discrete log in a smooth order group. Someone started testing small factors of the non-prime modulus and found 3684787 = 271 x 13597 as a factor. It doesn't seem like any other "easy" factors are findable, so does this mean Pohlig–Hellman wouldn't work even if the adversary knows the factorization? (He needs small factors, not only known factors.)

otus
  • 32,132
  • 5
  • 70
  • 165
David 天宇 Wong
  • 1,535
  • 11
  • 26
  • 2
    Has that modulus been publicly factored? ​ ​ –  Feb 03 '16 at 01:46
  • kind of, someone found 3684787 = 271 x 13597 to be a factor – David 天宇 Wong Feb 03 '16 at 02:13
  • 4
    As long as the order of the multiplicative group order of each factor $p_i^{e_i}$ is smooth, i.e., whether $p_i^{e_i - 1}(p_i - 1)$ is smooth, Pohlig-Hellman will work quickly. The factors themselves can be arbitrarily large. But this cannot be the case, otherwise the number would be easily factorable with the $p-1$ method. – Samuel Neves Feb 03 '16 at 05:20
  • what's the $p-1$ method? – David 天宇 Wong Feb 03 '16 at 18:42
  • 1
    @David天宇Wong p-1 = https://en.wikipedia.org/wiki/Pollard%27s_p_%E2%88%92_1_algorithm – otus Feb 03 '16 at 19:49

2 Answers2

24

How could this allow for a backdoor?

Well, if you do DH modulo a composite, an attacker can recover the shared secret if they can solve the DH problem (or the DLog problem) modulo each of the primes that make up the composite.

There are a couple of ways that could be used by someone who knows the factorization to solve the DLog problem easier than expected.

Each prime could be set up to admit to a small subgroup attack (that is, each of the primes $p, q$ has $p-1, q-1$ smooth; however that also makes it easier to factor (as Samuel notes). On the other hand, one could have a $p$ and $q$ "partially smooth"; say, both $p-1$ and $q-1$ would include a factor circa 64 bits. This would give a DLog that takes $O(2^{32})$ time (annoying, but quite feasible); while the $p-1$ factoring method would likely take $O(2^{64})$ time (which is likely that no one would bother trying).

A variant of this approach (if one can select $g$ as well) is to select $p-1 = 2p_1p_2$, where $p_1$ is a (say) 32 bit prime, and $p_2$ is a 479 bit prime, and select $g$ so that (mod $p$) generates a subgroup of order $p_1$. And, of course, you do the same for $q$. The DLog problem that you actually see would take $O(2^{16})$ work, and $pq$ would be hard to factor (unless someone guesses $p_1$, and computes $gcm(pq, g^{p_1}-1)$; the backdoor-installer would be hoping that no one would think of trying that).

Another way would be to have the composite be (say) a factor of 4 256 bit primes, which need not admit to small subgroups. In that case, to someone knowing the factorization can solve the DLog problem by solving 4 problems modulo 256 bit primes; a bit more effort than what a small group attack can do; however it's still practical (and the composite would still be difficult to factor).

A third method is to select primes $p$ and $q$ to be SNFS friendly; that is, both of the form $r^e + s$, for $r, s$ small. If $p$ and $q$ use different values for $r$, this would not be immediately apparent.

So, yes, the composite modulus could be a backdoor.

Matthias Braun
  • 217
  • 1
  • 6
poncho
  • 147,019
  • 11
  • 229
  • 360
  • 2
    @David天宇Wong: I'm looking at how someone who picks the modulus ("the attacker") can use a composite modulus to hide a small group (or other) attack. Yes, he could also pick a 1024 bit prime that is vulnerable to a small group attack, but anyone else who notices that $p-1$ is smooth can also listen in - I'm going through ways we can do NOBUS ("nobody but us") - that is, the installer can listen in, but it's hard for anyone else, even if they have a guess to what the attacker did. – poncho Feb 03 '16 at 18:43
  • I deleted my question because I figured out the answer (and didn't see you had the time to reply), but I actually didn't think that doing this with a prime would cancel the NOBUS! (This is because the order is easy to calculate if p is prime, but hard if we don't know the factorization of a non-prime p) – David 天宇 Wong Feb 03 '16 at 18:51
  • also in the $2p_1p_2$ way, you would only be able to do the dlog on the subgroup of order $p_1$, would that be enough to guess the dlog on the whole group? – David 天宇 Wong Feb 03 '16 at 19:05
  • @David天宇Wong: no; however if you get to choose $g$ (the generator for the DH operation), you don't have to; as long as you can perform the dlog operation on $g^a$, that's good enough. – poncho Feb 03 '16 at 19:11
  • I fail to understand your last comment. How can you guess the $a$ exponent in $g^a \pmod{p}$ if you can only compute the exponent $a \pmod{p_1}$ (because $p_1$ is small enough) and $a \pmod{2}$. You're missing $a \pmod{p_2}$ – David 天宇 Wong Feb 03 '16 at 20:48
  • @David天宇Wong: if the order of $g$ is $p_1$, then the value of $a \pmod{p_1}$ gives us the value of $a$ in $g^a \bmod{p}$ – poncho Feb 03 '16 at 21:10
  • it could still be $a \times p_1$ or in general $a \times k p_1$ with $k$ up to $2p_2$. So you would have to brute force that part as well. – David 天宇 Wong Feb 03 '16 at 22:15
  • @David天宇Wong: I think you mean $a + kp_1$. In any case, all those values are exactly the same, as $g^a = g^{a + kp_1}$, so there's no difference; there's no point in brute-forcing anything. Remember, the order of $g$ is $p_1$... – poncho Feb 04 '16 at 01:31
  • Ahh.. yup my bad ^_^ – David 天宇 Wong Feb 04 '16 at 03:40
  • @poncho Perhaps better than picking a 64-bit prime factor for $p-1$ would be to pick a set of high prime powers. Say, $p-1 = 2^i 3^j 5^k$. This would still ensure instant discrete logs with Pohlig-Hellman, but no regular usage of $p-1$ factoring would be able to get at it. You could even make one of the prime factors of $p-1$ be, e.g., $(2^{32}-c)^{16}$ for good measure. – Samuel Neves Feb 04 '16 at 07:37
  • @SamuelNeves: with $p-1 = 2^i3^jk^k$, $i, j, k$ would have to be fairly modest, and so I suspect that a standard P.H. attack would break it easier than you'd hope. As for $(2^{32}-c)^{16}$, I suspect that has a better chance, but mostly because a standard attack wouldn't bother trying that. In any case, what I'm trying to take advantage of is, if $p-1$ has a largest factor $q$, then using the backdoor would take $O(\sqrt{q})$ time, but finding the backdoor would take $O(q)$ time. I'm trying to arrange $q$ so that $\sqrt{q}$ effort is feasible, but $q$ is not – poncho Feb 04 '16 at 21:18
  • this spunned a new question, why do we really need a non-prime to make the backdoor a NOBUS one? http://crypto.stackexchange.com/questions/32522/why-does-a-non-prime-dh-modulus-creates-a-nobus-backdoor – David 天宇 Wong Feb 06 '16 at 23:56
  • you said that a DLOG of 64 bits is annoying, but I look at the DLOG records and in 2014 they found a 596 bits one. I would imagine that 64bits is nothing compared to that. – David 天宇 Wong Feb 23 '16 at 16:48
  • Also 2) the 32 bit and 479 bit prime variant, if you're generator is in a 32bit subgroup then wouldn't the DLOG be easy for anyone even without knowing the order of the group? – David 天宇 Wong Feb 23 '16 at 17:03
  • And 3) What do you mean by SNFS friendly. You mean p-1 and q-1 big factors are SNFS primes? – David 天宇 Wong Feb 23 '16 at 17:10
  • also 4) in the first case where p-1 and q-1 are smooth, then you might not even have a generator for the whole group (whole group is not cyclic) – David 天宇 Wong Feb 23 '16 at 22:20
  • @David天宇Wong: as for a DLOG of 64 bits being annoying, actually, that'd be $O(2^{32})$ work; that's annoying if you're actively decrypting a number of traffic streams; it is obviously feasible if you care about this particular stream. – poncho Feb 24 '16 at 18:08
  • @David天宇Wong: as for SNFS friendly, I mean that both $p$ and $q$ are primes with small polynomials that SNFS needs; in this case, we really don't care what $p-1$ and $q-1$ are – poncho Feb 24 '16 at 18:10
  • @David天宇Wong: as for there not being a generator, well, if $p$ and $q$ are distinct odd primes, there won't be a true generator (as we're always have the subgroup $Z_2 \times Z_2$. On the other hand, DH doesn't require that the generator being used generate the entire group. – poncho Feb 24 '16 at 18:11
  • I see! I was worried about creating a generator too small by not having a cyclic group, but I discarded all generators of order the subgroups hoping its order would be a good combination of subgroups. – David 天宇 Wong Feb 24 '16 at 19:09
  • Since SNFS' run-time is a function of the modulus, how does the factorization being SNFS primes help? – David 天宇 Wong Feb 27 '16 at 15:42
  • @David天宇Wong: we can solve DH mod $pq$ if we can solve it mod $p$ and mod $q$. And, if $p$ (and $q$) are SNFS primes, we can solve it mod $p$ easier than expected. The reason we would use a composite modulus is to hide that the two factors are SNFS primes. – poncho Feb 28 '16 at 18:26
  • Wait, you can't reduce your problem mod $p$. If you have your public key $y = g^a \pmod{n}$, you can't just take $y \pmod{p}$ and solve the discrete logarithm there. – David 天宇 Wong Feb 29 '16 at 16:11
  • 2
    @David天宇Wong: sure you can; if you have a solution $y = g^{a_p} \pmod{p}$ and a solution $y = g^{a_q} \pmod{q}$, then we know at the solution to $y = g^a \pmod{pq}$ has $a \equiv a_p \pmod{p-1}$ and $a \equiv a_q \pmod{q-1}$ – poncho Feb 29 '16 at 16:16
  • yeah actually that's right. I'm wondering why we do the Pohlig-Hellman trick of exponentiating the public key with $\varphi(n) / p$ if we can just do $y \pmod{p}$ and do the dlog there? – David 天宇 Wong Feb 29 '16 at 16:20
  • is Pohlig-Hellman useful only for prime modulus? It looks useless for composite modulus now :| – David 天宇 Wong Feb 29 '16 at 16:21
  • ahm, ok, I was confused here =) so yeah, Pohlig-Hellman is indeed only useful for prime modulus. But since a discrete-logarithm modulo $p$ has order $p-1$ you can use Pohlig-Hellman there again. – David 天宇 Wong Feb 29 '16 at 17:03
  • btw, I keep coming back to that answer and learn new things every time. That's such a complete answer, I rarely see that! So thanks again :) – David 天宇 Wong Feb 29 '16 at 18:31
  • "unless someone guesses $p1$, and computes $gcd(pq,g^{p_1−1})$" : I don't see how anyone could do that (since we don't know $p$) we would have to first find a generator of that subgroup $p_1$, I believe there are only $p_1 - 1$ of them out of the $\varphi(n)$ elements of our group, that's impossible to find. – David 天宇 Wong Feb 29 '16 at 18:42
12

I've since then wrote a paper to answer this question (of course with a huge help from Poncho)

I found many ways to implement a backdoor, some are Nobody-But-Us (NOBUS) backdoors, while some are not (I also give some numbers of "security" for the NOBUS ones in the paper).

The idea is to look at a natural way of injecting a backdoor into DH with Pohlig-Hellman:

prime backdoor

Here the modulus $p$ is prime, so we can naturally compute the number of public keys (elements) in our group: $p-1$. By factoring this number you can also get the possible subgroups. If you have enough small subgroups $p_i$ then you can use the Chinese Remainder Theorem to stitch together the many partial private keys you found into the real private key.

The problem here is that, if you can do Pohlig-Hellman, it means that the subgroups $p_i$ are small enough for anyone to find them by factoring $p-1$.

The next idea is to hide these small subgroups so that only us can use this Pohlig-Hellman attack.

CM-HSO

Here the prime $n$ is not so much a prime anymore. We instead use a RSA modulus $n = p \times q$. Since $n$ is not a prime anymore, to compute the number of possible public keys in our new DH group, we need to compute $(p-1)(q-1)$ (the number of elements co-prime to $n$). This is a bit tricky and only us, with the knowledge of $p$ and $q$ should be able to compute that. This way, under the assumptions of RSA, we know that no-one will be able to factor the number of elements ($(p-1)(q-1)$) to find out what subgroups there are. And now our small subgroups are well hidden for us, and only us, to perform Pohlig-Hellman.

There is of course more to it. Read the paper :)

SEJPM
  • 45,967
  • 7
  • 99
  • 205
David 天宇 Wong
  • 1,535
  • 11
  • 26