Safety in Numbers: On the Need for Robust Diffie-Hellman Parameter Validation

  • Steven Galbraith
  • Jake MassimoEmail author
  • Kenneth G. Paterson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11443)


We consider the problem of constructing Diffie-Hellman (DH) parameters which pass standard approaches to parameter validation but for which the Discrete Logarithm Problem (DLP) is relatively easy to solve. We consider both the finite field setting and the elliptic curve setting.

For finite fields, we show how to construct DH parameters (pqg) for the safe prime setting in which \(p=2q+1\) is prime, q is relatively smooth but fools random-base Miller-Rabin primality testing with some reasonable probability, and g is of order q mod p. The construction involves modifying and combining known methods for obtaining Carmichael numbers. Concretely, we provide an example with 1024-bit p which passes OpenSSL’s Diffie-Hellman validation procedure with probability \(2^{-24}\) (for versions of OpenSSL prior to 1.1.0i). Here, the largest factor of q has 121 bits, meaning that the DLP can be solved with about \(2^{64}\) effort using the Pohlig-Hellman algorithm. We go on to explain how this parameter set can be used to mount offline dictionary attacks against PAKE protocols. In the elliptic curve case, we use an algorithm of Bröker and Stevenhagen to construct an elliptic curve E over a finite field \({\mathbb {F}}_p\) having a specified number of points n. We are able to select n of the form \(h\cdot q\) such that h is a small co-factor, q is relatively smooth but fools random-base Miller-Rabin primality testing with some reasonable probability, and E has a point of order q. Concretely, we provide example curves at the 128-bit security level with \(h=1\), where q passes a single random-base Miller-Rabin primality test with probability 1/4 and where the elliptic curve DLP can be solved with about \(2^{44}\) effort. Alternatively, we can pass the test with probability 1/8 and solve the elliptic curve DLP with about \(2^{35.5}\) effort. These ECDH parameter sets lead to similar attacks on PAKE protocols relying on elliptic curves.

Our work shows the importance of performing proper (EC)DH parameter validation in cryptographic implementations and/or the wisdom of relying on standardised parameter sets of known provenance.



Massimo was supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/K035584/1). Paterson was supported by EPSRC grants EP/M013472/1, EP/K035584/1, and EP/P009301/1.

We thank Matilda Backendal for comments on the paper and Richard G.E. Pinch for providing the data on Carmichael numbers used in Table 1.


  1. [ABD+15]
    Adrian, D., et al.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 5–17. ACM Press, October 2015Google Scholar
  2. [AMPS18]
    Albrecht, M.R., Massimo, J., Paterson, K.G., Somorovsky, J.: Prime and prejudice: primality testing under adversarial conditions. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, Canada, 15–19 October 2018 (2018)Google Scholar
  3. [Arn95]
    Arnault, F.: Constructing Carmichael numbers which are strong pseudoprimes to several bases. J. Symb. Comput. 20(2), 151–161 (1995)MathSciNetCrossRefGoogle Scholar
  4. [ASS+16]
    Aviram, N., et al.: DROWN: breaking TLS using SSLv2. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 2016, Austin, TX, USA, 10–12 August 2016, pp. 689–706. USENIX Association (2016)Google Scholar
  5. [BBD+15]
    Beurdouche, B., et al.: A messy state of the union: taming the composite state machines of TLS. In: 2015 IEEE Symposium on Security and Privacy, pp. 535–552. IEEE Computer Society Press, May 2015Google Scholar
  6. [BCC+15]
    Bernstein, D.J., et al.: How to manipulate curve standards: a white paper for the black hat In: Chen, L., Matsuo, S. (eds.) SSR 2015. LNCS, vol. 9497, pp. 109–139. Springer, Cham (2015). Scholar
  7. [BCLN16]
    Bos, J.W., Costello, C., Longa, P., Naehrig, M.: Selecting elliptic curves for cryptography: an efficiency and security analysis. J. Crypt. Eng. 6(4), 259–286 (2016)CrossRefGoogle Scholar
  8. [BL07]
    Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007). Scholar
  9. [Ble05]
    Bleichenbacher, D.: Breaking a cryptographic protocol with pseudoprimes. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 9–15. Springer, Heidelberg (2005). Scholar
  10. [BPR14]
    Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). Scholar
  11. [BS05]
    Bröker, R., Stevenhagen, P.: Constructing elliptic curves in almost polynomial time. arXiv:math/0511729 (2005)
  12. [BWBG+06]
    Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., Moeller, B.: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). RFC 4492 (Informational), May 2006. Obsoleted by RFC 8422, updated by RFCs 5246, 7027, 7919Google Scholar
  13. [CMG+16]
    Checkoway, S., et al.: A systematic analysis of the juniper dual EC incident. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers,A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 468–479. ACM Press, October 2016Google Scholar
  14. [CNE+14]
    Checkoway, S., et al.: On the practical exploitability of dual EC in TLS implementations. In: Fu, K., Jung, J. (eds.) Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, 20–22 August 2014, pp. 319–335. USENIX Association (2014)Google Scholar
  15. [DGG+15]
    Dodis, Y., Ganesh, C., Golovnev, A., Juels, A., Ristenpart, T.: A formal treatment of backdoored pseudorandom generators. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 101–126. Springer, Heidelberg (2015). Scholar
  16. [DLP93]
    Damgård, I., Landrock, P., Pomerance, C.: Average case error estimates for the strong probable prime test. Math. Comput. 61(203), 177–194 (1993)MathSciNetCrossRefGoogle Scholar
  17. [DPSW16]
    Degabriele, J.P., Paterson, K.G., Schuldt, J.C.N., Woodage, J.: Backdoors in pseudorandom number generators: possibility and impossibility results. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 403–432. Springer, Heidelberg (2016). Scholar
  18. [Erd56]
    Erdös, P.: On pseudoprimes and Carmichael numbers. Publ. Math. Debrecen 4, 201–206 (1956)MathSciNetzbMATHGoogle Scholar
  19. [FGHT17]
    Fried, J., Gaudry, P., Heninger, N., Thomé, E.: A kilobit hidden SNFS discrete logarithm computation. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 202–231. Springer, Cham (2017). Scholar
  20. [Gil16]
    Gillmor, D.: Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS). RFC 7919 (Proposed Standard), August 2016Google Scholar
  21. [GMP19]
    Galbraith, S., Massimo, J., Paterson, K.G.: Safety in Numbers: On the Need for Robust Diffie-Hellman Parameter Validation. Cryptology ePrint Archive, Report 2019/032 (2019).
  22. [Gor93]
    Gordon, D.M.: Designing and detecting trapdoors for discrete log cryptosystems. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 66–75. Springer, Heidelberg (1993). Scholar
  23. [GP02]
    Granville, A., Pomerance, C.: Two contradictory conjectures concerning Carmichael numbers. Math. Comput. 71(238), 883–908 (2002)MathSciNetCrossRefGoogle Scholar
  24. [Hao17]
    Hao, F. (ed.): J-PAKE: Password-Authenticated Key Exchange by Juggling. RFC 8236 (Informational), September 2017Google Scholar
  25. [JP06]
    Joye, M., Paillier, P.: Fast generation of prime numbers on portable devices: an update. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 160–173. Springer, Heidelberg (2006). Scholar
  26. [JPV00]
    Joye, M., Paillier, P., Vaudenay, S.: Efficient generation of prime numbers. In: Koç, Ç.K., Paar, C. (eds.) CHES 2000. LNCS, vol. 1965, pp. 340–354. Springer, Heidelberg (2000). Scholar
  27. [LL97]
    Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997). Scholar
  28. [Mon80]
    Monier, L.: Evaluation and comparison of two efficient probabilistic primality testing algorithms. Theor. Comput. Sci. 12(1), 97–108 (1980)MathSciNetCrossRefGoogle Scholar
  29. [Nar14]
    Narayanan, S.: Improving the Speed and Accuracy of the Miller-Rabin Primality Test. MIT PRIMES-USA (2014).
  30. [Pin08]
    Pinch, R.G.E.: The Carmichael numbers up to \(10^{21}\). In: Proceedings Conference on Algorithmic Number Theory, vol. 46. Turku Centre for Computer Science General Publications (2008)Google Scholar
  31. [Rab80]
    Rabin, M.O.: Probabilistic algorithm for testing primality. J. Number Theory 12(1), 128–138 (1980)MathSciNetCrossRefGoogle Scholar
  32. [S+18]
    Stein, W., et al.: Sage Mathematics Software Version 8.3. The Sage Development Team (2018).
  33. [TWMP07]
    Taylor, D., Wu, T., Mavrogiannopoulos, N., Perrin, T.: Using the Secure Remote Password (SRP) Protocol for TLS Authentication. RFC 5054 (Informational), November 2007Google Scholar
  34. [VAS+17]
    Valenta, L., et al.: Measuring small subgroup attacks against Diffie-Hellman. In: NDSS 2017. The Internet Society, February/March 2017Google Scholar
  35. [Won16]
    Wong, D.: How to backdoor Diffie-Hellman. Cryptology ePrint Archive, Report 2016/644 (2016).
  36. [Wu00]
    Wu, T.: The SRP Authentication and Key Exchange System. RFC 2945 (Proposed Standard), September 2000Google Scholar
  37. [YY97]
    Young, A., Yung, M.: Kleptography: using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997). Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Steven Galbraith
    • 1
  • Jake Massimo
    • 2
    Email author
  • Kenneth G. Paterson
    • 2
  1. 1.University of AucklandAucklandNew Zealand
  2. 2.Royal HollowayUniversity of LondonEghamUK

Personalised recommendations