# A Kilobit Hidden SNFS Discrete Logarithm Computation

## Abstract

We perform a special number field sieve discrete logarithm computation in a 1024-bit prime field. To our knowledge, this is the first kilobit-sized discrete logarithm computation ever reported for prime fields. This computation took a little over two months of calendar time on an academic cluster using the open-source CADO-NFS software.

Our chosen prime *p* looks random, and \(p-1\) has a 160-bit prime factor, in line with recommended parameters for the Digital Signature Algorithm. However, our *p* has been trapdoored in such a way that the special number field sieve can be used to compute discrete logarithms in \(\mathbb {F}_p^*\), yet detecting that *p* has this trapdoor seems out of reach. Twenty-five years ago, there was considerable controversy around the possibility of backdoored parameters for DSA. Our computations show that trapdoored primes are entirely feasible with current computing technology. We also describe special number field sieve discrete log computations carried out for multiple conspicuously weak primes found in use in the wild.

As is to be expected of a trapdoor mechanism that we argue is hard to detect, our research did not reveal any trapdoored prime in wide use. The only way for a user to defend against a hypothetical trapdoor of this kind is to require verifiably random primes.
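The abstract's mitigation, verifiably random primes, means that the generator publishes a seed together with (p, q), and the primes are derived from that seed by a fixed hash-based procedure, so the generator has no freedom to choose a p with hidden SNFS-friendly structure and any verifier can re-derive the parameters. The following is an added illustration written for this page, not code from the paper or from CADO-NFS. It follows the structure of the probable-prime generation and validation in FIPS 186-4 Appendix A.1.1.2/A.1.1.3 with SHA-256 as the hash, a 256-bit seed and the paper's (L, N) = (1024, 160) sizes; all function names are assumptions, and 1024-bit parameters are used here only because they are the paper's setting (NIST SP 800-131A deprecates them for new use).

```python
import hashlib
import secrets

OUTLEN = 256  # output length in bits of SHA-256, the hash chosen for this example


def _hash_int(x: int, seedlen: int) -> int:
    """SHA-256 of the seedlen-bit big-endian encoding of x, returned as an integer."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(seedlen // 8, "big")).digest(), "big")


def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probable-prime test with random bases (helper for the example)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def params_from_seed(seed: int, L: int = 1024, N: int = 160, seedlen: int = 256):
    """Deterministically derive (p, q, counter) from a seed, following the structure
    of FIPS 186-4 A.1.1.2 (hypothetical helper). Returns None when this seed yields
    no suitable pair; a generator then simply draws a fresh seed."""
    n = -(-L // OUTLEN) - 1            # ceil(L / outlen) - 1 full hash blocks
    b = L - 1 - n * OUTLEN             # bits taken from the last hash block
    # q is an odd N-bit number fixed by the seed: 2^(N-1) + U + 1 - (U mod 2)
    U = _hash_int(seed, seedlen) % (1 << (N - 1))
    q = (1 << (N - 1)) + U + 1 - (U % 2)
    if not _is_probable_prime(q):
        return None
    offset = 1
    for counter in range(4 * L):
        # Concatenate hash outputs into an (L-1)-bit W, then force the top bit of X.
        W = 0
        for j in range(n + 1):
            V = _hash_int((seed + offset + j) % (1 << seedlen), seedlen)
            if j == n:
                V %= 1 << b
            W += V << (OUTLEN * j)
        X = W + (1 << (L - 1))
        c = X % (2 * q)
        p = X - (c - 1)                # p is congruent to 1 modulo 2q, so q | p - 1
        if p >= (1 << (L - 1)) and _is_probable_prime(p):
            return p, q, counter
        offset += n + 1
    return None


def generate_params(L: int = 1024, N: int = 160, seedlen: int = 256):
    """Draw fresh seeds until one yields (p, q); the seed and counter are published too."""
    while True:
        seed = secrets.randbits(seedlen)
        result = params_from_seed(seed, L, N, seedlen)
        if result is not None:
            p, q, counter = result
            return p, q, seed, counter


def validate_params(p: int, q: int, seed: int, counter: int,
                    L: int = 1024, N: int = 160, seedlen: int = 256) -> bool:
    """A relying party re-runs the derivation from the published seed: unless it
    reproduces exactly (p, q, counter), the parameters were not produced by this
    process and must be rejected (hypothetical helper)."""
    if p.bit_length() != L or q.bit_length() != N or (p - 1) % q != 0:
        return False
    return params_from_seed(seed, L, N, seedlen) == (p, q, counter)


if __name__ == "__main__":
    p, q, seed, counter = generate_params()
    print(f"seed=0x{seed:x} counter={counter} p bits={p.bit_length()} q bits={q.bit_length()}")
    print("validates:", validate_params(p, q, seed, counter))
```

The point of the check is that p is bound to a hash preimage: a party who wants a p of special form would have to find a seed whose hash chain produces it, which the hash prevents. A prime that comes with no seed, or whose seed does not reproduce it, gives no such assurance, which is exactly the situation for the fixed primes the paper examines in the wild.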

## Keywords

Prime Ideal, Discrete Logarithm, Descent Step, Individual Logarithm, Digital Signature Algorithm

## Notes

### Acknowledgements

We are grateful to Paul Zimmermann for numerous discussions all along this work. Rafi Rubin performed invaluable system administration for the University of Pennsylvania cluster. Shaanan Cohney and Luke Valenta contributed to sieving for the 784-bit SNFS-DL computation. Part of the experiments presented in this paper were carried out using the Grid’5000 testbed, supported by a scientific interest group hosted by Inria and including CNRS, RENATER and several universities as well as other organizations. We are grateful to Cisco for donating the Cisco UCS hardware that makes up most of the University of Pennsylvania cluster. Ian Goldberg donated time on the CrySP RIPPLE Facility at the University of Waterloo and Daniel J. Bernstein donated time on the Saber cluster at TU Eindhoven for the 784-bit SNFS-DL computation. This work was supported by the U.S. National Science Foundation under grants CNS-1513671, CNS-1505799, and CNS-1408734, and a gift from Cisco.
