Kleptography, Dual EC

Home , Dual EC DRBG, Forward secrecy, Kleptography

2nd Assignment

§ Choice of topic: before Thursday, December 17th, 23:59. § Assignment of topic: Friday, December 18th. § Deadline of second assignment: Sunday, January 31st, 23:59.

The deadlines are strict!

/ department of mathematics and computer science Kleptography, Dual EC

Applied Cryptography, Lecture 11

Ruben Niederhagen (some slides borrowed from Moti Yung)

December 15, 2015 / department of mathematics and computer science Kleptography — Introduction 2/46

What is Kleptography? § Kleptography is the study of stealing information securely (exclusively), eﬃciently, and subliminally (unnoticeably). § Stealing from your most trusted “hardware protected systems”, “un-scrutinized software”, etc. § It employs Crypto against Crypto! Hiding Crypto in Crypto (as steganography hides text in text).

/ department of mathematics and computer science Kleptography — Introduction 3/46

/ department of mathematics and computer science Kleptography — Introduction 4/46

The goal: § To develop a robust back door within a cryptosystem that: 1. EXCLUSIVITY: Provides only to the attacker the desired secret information (e.g., private key of the unwary user), 2. INDISTINGUISHABILITY: Cannot be detected in black-box implementations (I/O access only as in tamper-resistant systems) except by the attacker, 3. FORWARD SECRECY: If a reverse-engineer (i.e., not the attacker) breaches the black-box, then the previously stolen information remains conﬁdential (secure against reverse-engineering). § The successful reverse-engineer may learn that the attack is carried out (diﬀerent algorithm is run), BUT will be unable to use the back door.

/ department of mathematics and computer science Kleptography — Attacking RSA 5/46

RSA Key Generation: Let e be the public RSA exponent shared by all users (e.g., e “ 216 ` 1). 1. Choose a large p randomly (e.g., p is 1024 bits long). 2. If p is composite or gcdpe, p ´ 1q ‰ 1 then goto step 1. 3. Choose a large number q randomly. 4. If q is composite or gcdpe, q ´ 1q ‰ 1 then goto step 3. 5. Output the public key pn “ pq, eq and private key p. Solve for d given d ¨ e ” 1 mod φpnq.

/ department of mathematics and computer science Kleptography — Attacking RSA 6/46

Kleptographic RSA Key Generation: The attacker is using a 1024-bit RSA key with public key pY , eq. 1. Choose a large s randomly (e.g., s is 1024 bits long). 2. Compute p “ Hpsq where H is a cryptographic hash function. 3. If p is composite or gcdpe, p ´ 1q ‰ 1 then goto step 1. 4. Choose a large 1024-bit string RND randomly. 5. Compute c to be an encryption of s under RSA with public Y , c “ se mod Y . 6. Solve for pq, rq in pc||RNDq “ pq ` r (integer division). 7. If q is composite or gcdpe, q ´ 1q ‰ 1 then goto step 1. 8. Output the public key pn “ pq, eq and the private key p. Solve for d given d ¨ e ” 1 mod φpnq.

/ department of mathematics and computer science Kleptography — Attacking RSA 7/46

Observe: c is the encryption of s with the attackers key.

pc||RNDq “ pq ` r ùñ pc||RNDq ´ r “ pq “ n Note that r is about square root (i.e., about half the bit length) of n. Thus the p´rq operation will not ruin c by more than one bit (borrow bit).

The value c is not hidden much by the high order bits of n.

/ department of mathematics and computer science Kleptography — Attacking RSA 8/46

Recovering the RSA Private Key: § The attacker obtains the public key pn, eq of the user. § Let u be the 1024 uppermost bits of n.

§ The attacker sets c1 “ u and c2 “ u ` 1. (c2 accounts for a potential borrow bit having been taken from the computation n “ pq “ pc||RNDq ´ r).

§ The attacker decrypts c1 and c2 using his private key to get s1 and s2 respectively.

§ Either p1 “ Hps1q or p2 “ Hps2q will divide n evenly. Only the attacker can perform this operation since only the attacker knows the needed private decryption key.

/ department of mathematics and computer science What can the attacker do if there is no subliminal channel? (e.g. Diﬃe-Hellman key exchange)

Kleptography — Attacking RSA 9/46

Features of the attack: § “Only” the key generation is tempered with. § All messages observed outside of the black box are legitimate. § There is no direct connection between the black box and the attacker. § The security of the klepographic encryption is only half the size of the actual key. § The public key is used as an “subliminal” to exﬁltrate the private key to the attacker.

/ department of mathematics and computer science Kleptography — Attacking RSA 9/46

/ department of mathematics and computer science Kleptography — Attacking Difﬁe-Hellman 10/46

Diﬃe-Hellman key exchange: 1. Alice chooses a randomly. 2. Alice sends A “ g a mod p to Bob. 3. Bob chooses b randomly. 4. Bob sends B “ g b mod p to Alice. 5. Alice computes k “ Ba mod p. 6. Bob computes k “ Ab mod p. Observe that k “ Ba “ Ab mod p since g ba “ g ab mod p.

/ department of mathematics and computer science § Second exchange:

a1 § Alice’s device computes a2 “ Hpym mod pq. a2 § Alice’s device computes A2 “ g and Alice sends A2 to Bob. § Alice’s device stores a2 in non-volatile memory. b2 § Bob picks a random b2 and sends B2 “ g to Alice. a2b2 § Alice and Bob compute k2 “ g mod p.

Kleptography — Attacking Difﬁe-Hellman 11/46

Kleptographic Diﬃe-Hellman key exchange:

xm The attacker is using a private xm and a public ym “ g . § First exchange:

§ Alice’s device picks a random a1. a1 § Alice’s device computes A1 “ g and Alice sends A1 to Bob. § Alice’s device stores a1 in non-volatile memory. b1 § Bob picks a random b1 and sends B1 “ g to Alice. a1b1 § Alice and Bob compute k1 “ g mod p.

/ department of mathematics and computer science Kleptography — Attacking Difﬁe-Hellman 11/46

Kleptographic Diﬃe-Hellman key exchange:

xm The attacker is using a private xm and a public ym “ g . § First exchange:

/ department of mathematics and computer science Kleptography — Attacking Difﬁe-Hellman 12/46

Recovering the Diﬃe-Hellman key:

§ The attacker obtains A1 and B1 at ﬁrst passive eavesdropping. § xm The attacker computes a2 “ HpA1 mod pq. a § 2 The attacker computes k2 “ B2 mod p.

xm a1xm xma1 a1 A1 ” g ” g ” ym mod p In two DH key exchanges three exchanges are run!

The attack can be chained for more key exchanges, the attacker misses only the ﬁrst encrypted communication.

/ department of mathematics and computer science Kleptography — Attacking Difﬁe-Hellman 13/46

Deﬁnition of a SETUP attack: A Secretly Embedded Trapdoor with Universal Protection (SETUP) attack is an algorithmic modiﬁcation C 1 of a cryptosystem C with the following properties:

1. Halting Correctness: C and C 1 are efficient algorithms. 2. Output Indistinguishability: The outputs of C and C 1 are computationally indistinguishable to all efficient algorithms except for the attacker. 3. Confidentiality of C: The outputs of C do not compromise the security of the cryptosystem that C implements. 4. Confidentiality of C 1: The outputs of C 1 only compromise the security of the cryptosystem that C 1 implements with respect to the attacker. 5. Ability to compromise C 1: With overwhelming probability the attacker can break/decrypt/cryptanalyze at least one private output of C 1 given a sufficient number of public outputs of C’.

/ department of mathematics and computer science Kleptography — Attacking Difﬁe-Hellman 14/46

Kleptography in the wild: Dual EC

/ department of mathematics and computer science Must be impossible for an attacker to predict!

Random Numbers in Cryptography 15/46

Random numbers are crucial for cryptography: § generation of private keys for authentication, § generation of secret keys for encryption, § generation of secret nonces for digital signatures, § generation of ephemeral keys for perfect-forward secrecy, § ...

/ department of mathematics and computer science Random Numbers in Cryptography 15/46

Must be impossible for an attacker to predict!

/ department of mathematics and computer science Common approach: § use pseudo random numbers, § start with a random seed, § compute subsequent values deterministically, ñ update a secret internal state.

Random Numbers in Cryptography 16/46

Challenges of random number generation: § computers are built to be deterministic, § “real” randomness is rare.

/ department of mathematics and computer science Random Numbers in Cryptography 16/46

Challenges of random number generation: § computers are built to be deterministic, § “real” randomness is rare.

Common approach: § use pseudo random numbers, § start with a random seed, § compute subsequent values deterministically, ñ update a secret internal state.

/ department of mathematics and computer science f ps0q f ps1q f ps2q f ps3q f ps4q s1 s2 s3 s4 ¨ ¨ ¨

gps0q gps1q gps2q gps3q gps4q

r0 r1 r2 r3 r4

Broken if attacker learns internal state!

Random Numbers in Cryptography 17/46

/ department of mathematics and computer science f ps0q f ps1q f ps2q f ps3q f ps4q s1 s2 s3 s4 ¨ ¨ ¨

gps1q gps2q gps3q gps4q

r1 r2 r3 r4

Broken if attacker learns internal state!

Random Numbers in Cryptography 17/46

gps0q

/ department of mathematics and computer science f ps1q f ps2q f ps3q f ps4q s2 s3 s4 ¨ ¨ ¨

gps1q gps2q gps3q gps4q

r1 r2 r3 r4

Broken if attacker learns internal state!

Random Numbers in Cryptography 17/46

f ps0q s0 s1

gps0q

/ department of mathematics and computer science f ps1q f ps2q f ps3q f ps4q s2 s3 s4 ¨ ¨ ¨

gps1q gps2q gps3q gps4q

r2 r3 r4

Broken if attacker learns internal state!

Random Numbers in Cryptography 17/46

f ps0q s0 s1

gps0q gps1q

r0 r1

/ department of mathematics and computer science f ps2q f ps3q f ps4q s3 s4 ¨ ¨ ¨

gps1q gps2q gps3q gps4q

r2 r3 r4

Broken if attacker learns internal state!

Random Numbers in Cryptography 17/46

f ps0q f ps1q s0 s1 s2

gps0q gps1q

r0 r1

/ department of mathematics and computer science Broken if attacker learns internal state!

Random Numbers in Cryptography 17/46

f ps0q f ps1q f ps2q f ps3q f ps4q s0 s1 s2 s3 s4 ¨ ¨ ¨

gps0q gps1q gps2q gps3q gps4q

r0 r1 r2 r3 r4

/ department of mathematics and computer science Random Numbers in Cryptography 17/46

f ps0q f ps1q f ps2q f ps3q f ps4q s0 s1 s2 s3 s4 ¨ ¨ ¨

gps0q gps1q gps2q gps3q gps4q

r0 r1 r2 r3 r4

Broken if attacker learns internal state!

/ department of mathematics and computer science Random Numbers in Cryptography 17/46

f ps0q f ps1q f ps2q f ps3q f ps4q s0 s1 s2 s3 s4 ¨ ¨ ¨

gps0q gps1q gps2q gps3q gps4q

r0 r1 r2 r3 r4

Broken if attacker learns internal state!

/ department of mathematics and computer science in 2004 RSA makes Dual EC the default RNG in BSAFE. in 2005 An ISO standard is published including Dual EC. Dec. 2005 A draft is released by NIST including Dual EC. early 2006 Several researchers, e.g., Schoenmakers and Sidorenko, point out cryptographic weaknesses in Dual EC. June 2006 NIST SP 800/90A is published including Dual EC, ignoring the warnings. This includes Dual EC in FIPS 140-2, the typical certiﬁcation for RNGs. Aug. 2007 Shumow and Ferguson demonstrate the basic back door.

History of Dual EC 18/46

June 2004 Dual EC appears in an ANSI draft.

/ department of mathematics and computer science in 2005 An ISO standard is published including Dual EC. Dec. 2005 A draft is released by NIST including Dual EC. early 2006 Several researchers, e.g., Schoenmakers and Sidorenko, point out cryptographic weaknesses in Dual EC. June 2006 NIST SP 800/90A is published including Dual EC, ignoring the warnings. This includes Dual EC in FIPS 140-2, the typical certiﬁcation for RNGs. Aug. 2007 Shumow and Ferguson demonstrate the basic back door.

History of Dual EC 18/46

June 2004 Dual EC appears in an ANSI draft. in 2004 RSA makes Dual EC the default RNG in BSAFE.

/ department of mathematics and computer science Dec. 2005 A draft is released by NIST including Dual EC. early 2006 Several researchers, e.g., Schoenmakers and Sidorenko, point out cryptographic weaknesses in Dual EC. June 2006 NIST SP 800/90A is published including Dual EC, ignoring the warnings. This includes Dual EC in FIPS 140-2, the typical certiﬁcation for RNGs. Aug. 2007 Shumow and Ferguson demonstrate the basic back door.

History of Dual EC 18/46

June 2004 Dual EC appears in an ANSI draft. in 2004 RSA makes Dual EC the default RNG in BSAFE. in 2005 An ISO standard is published including Dual EC.

/ department of mathematics and computer science early 2006 Several researchers, e.g., Schoenmakers and Sidorenko, point out cryptographic weaknesses in Dual EC. June 2006 NIST SP 800/90A is published including Dual EC, ignoring the warnings. This includes Dual EC in FIPS 140-2, the typical certiﬁcation for RNGs. Aug. 2007 Shumow and Ferguson demonstrate the basic back door.

History of Dual EC 18/46

/ department of mathematics and computer science June 2006 NIST SP 800/90A is published including Dual EC, ignoring the warnings. This includes Dual EC in FIPS 140-2, the typical certiﬁcation for RNGs. Aug. 2007 Shumow and Ferguson demonstrate the basic back door.

History of Dual EC 18/46

/ department of mathematics and computer science This includes Dual EC in FIPS 140-2, the typical certiﬁcation for RNGs. Aug. 2007 Shumow and Ferguson demonstrate the basic back door.

History of Dual EC 18/46

June 2004 Dual EC appears in an ANSI draft. in 2004 RSA makes Dual EC the default RNG in BSAFE. in 2005 An ISO standard is published including Dual EC. Dec. 2005 A draft is released by NIST including Dual EC. early 2006 Several researchers, e.g., Schoenmakers and Sidorenko, point out cryptographic weaknesses in Dual EC. June 2006 NIST SP 800/90A is published including Dual EC, ignoring the warnings.

/ department of mathematics and computer science Aug. 2007 Shumow and Ferguson demonstrate the basic back door.

History of Dual EC 18/46

/ department of mathematics and computer science History of Dual EC 18/46

/ department of mathematics and computer science The New York Times writes that “the NSA had inserted a back door into a 2006 standard adopted by NIST r... s called the Dual EC DRBG standard.” 19 Sept. 2013 RSA advises not to use Dual EC. 20 Dec. 2013 Reuters reports that NSA paid RSA $10 million to use Dual EC as their default RNG. 21 Apr. 2014 NIST removes Dual EC from the standard.

Recent History of Dual EC 19/46

/ department of mathematics and computer science 19 Sept. 2013 RSA advises not to use Dual EC. 20 Dec. 2013 Reuters reports that NSA paid RSA $10 million to use Dual EC as their default RNG. 21 Apr. 2014 NIST removes Dual EC from the standard.

Recent History of Dual EC 19/46

/ department of mathematics and computer science 20 Dec. 2013 Reuters reports that NSA paid RSA $10 million to use Dual EC as their default RNG. 21 Apr. 2014 NIST removes Dual EC from the standard.

Recent History of Dual EC 19/46

5 Sept. 2013 NSA’s “Project Bullrun” is revealed by documents from Edward Snowden with the purpose “to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.” The New York Times writes that “the NSA had inserted a back door into a 2006 standard adopted by NIST r... s called the Dual EC DRBG standard.” 19 Sept. 2013 RSA advises not to use Dual EC.

/ department of mathematics and computer science 21 Apr. 2014 NIST removes Dual EC from the standard.

Recent History of Dual EC 19/46

/ department of mathematics and computer science Recent History of Dual EC 19/46

/ department of mathematics and computer science Authors of Dual EC 20/46

Kelsey, in December 2013 slides: § Standardization eﬀort by “NIST and NSA, with some participation from CSE”. § “Most of work on standards done by US federal employees (NIST and NSA, with some help from CSE)” § The standard Dual EC parameters P and Q come “ultimately from designers of Dual EC DRBG at NSA”.

/ department of mathematics and computer science Attack Target — TLS 21/46

Transport Layer Security (TLS) § Used in the Internet for encryption of communication. Examples:

§ eMail transport, § online banking, § online shopping, § ...

§ Standard covers a fast amount of protocols and optional features. § Client and server agree on what parameters to use. § Client and server agree on a random secret key.

/ department of mathematics and computer science TLS Handshake 22/46

Client Server generate client random client random generate session ID, , sig aP server random, a, server random, session ID, cert(pk), signature nonce generate b bP, Finished

Finished

KDFpabP,... ) KDFpabP,... )

/ department of mathematics and computer science Attack Target — TLS 23/46

Common TLS implementations: § RSA’s BSAFE § RSA BSAFE Share for Java (BSAFE Java) § RSA BSAFE Share for C and C++ (BSAFE C) § Microsoft’s SChannel § OpenSSL All of these oﬀer Dual EC.

/ department of mathematics and computer science Attack Target — TLS 23/46

Common TLS implementations: § RSA’s BSAFE § RSA BSAFE Share for Java (BSAFE Java) § RSA BSAFE Share for C and C++ (BSAFE C) § Microsoft’s SChannel Remember: NSA paid RSA Security $10 million § OpenSSL to use Dual EC as the default RNG! All of these oﬀer Dual EC.

/ department of mathematics and computer science ‚

‚B A‚

‚A ` B

Arithmetic on Elliptic Curves 24/46

Example – Point Addition: y “ x 3 ´ x over R y

/ department of mathematics and computer science ‚

‚ ‚

‚A ` B

Arithmetic on Elliptic Curves 24/46

Example – Point Addition: y “ x 3 ´ x over R y

‚B x A‚

/ department of mathematics and computer science ‚A ` B

Arithmetic on Elliptic Curves 24/46

Example – Point Addition: y “ x 3 ´ x over R y ‚

‚B x A‚

/ department of mathematics and computer science Arithmetic on Elliptic Curves 24/46

Example – Point Addition: y “ x 3 ´ x over R y ‚

‚B x A‚

‚A ` B

/ department of mathematics and computer science ‚

‚

‚2 ¨ D

Arithmetic on Elliptic Curves 25/46

Example – Point Doubling: y “ x 3 ´ x over R y

D ‚ x

/ department of mathematics and computer science ‚2 ¨ D

Arithmetic on Elliptic Curves 25/46

Example – Point Doubling: y “ x 3 ´ x over R y

‚ D ‚ x

/ department of mathematics and computer science Arithmetic on Elliptic Curves 25/46

Example – Point Doubling: y “ x 3 ´ x over R y

‚ D ‚ x

‚2 ¨ D

/ department of mathematics and computer science ‚ 3 ¨ D ‚

‚

Arithmetic on Elliptic Curves 26/46

Example – Scalar Mult.: y “ x 3 ´ x over R y

D ‚ x

‚2 ¨ D

/ department of mathematics and computer science 3 ¨ D ‚

Arithmetic on Elliptic Curves 26/46

Example – Scalar Mult.: y “ x 3 ´ x over R y

D ‚ x

‚2 ¨ D

/ department of mathematics and computer science 3 ¨ D ‚

Arithmetic on Elliptic Curves 26/46

Example – Scalar Mult.: y “ x 3 ´ x over R y

D ‚ ‚ x

‚2 ¨ D

/ department of mathematics and computer science Arithmetic on Elliptic Curves 26/46

Example – Scalar Mult.: y “ x 3 ´ x over R y

D ‚ 3 ¨ D ‚ x

‚2 ¨ D

/ department of mathematics and computer science Useful in Cryptography: It is easy to compute k ¨ A, e.g.:

B “ 243 ¨ A “ 11110011b ¨ A “ A ` 2A ` 16A ` 32A ` 64A ` 128A. Cost: 5 additions and 7 doublings.

For given A and B, it is hard to ﬁnd k such that B “ k ¨ A!

Elliptic Curve Discrete Logarithm Problem 27/46

Arithmetic on Elliptic Curves

Operate on points P “ pxP , yP q on an elliptic curve: § addition: A ` B “ C, § scalar mul.: k ¨ A “ A ` A ` ¨ ¨ ¨ ` A. k´times loooooooomoooooooon

/ department of mathematics and computer science For given A and B, it is hard to ﬁnd k such that B “ k ¨ A!

Elliptic Curve Discrete Logarithm Problem 27/46

Arithmetic on Elliptic Curves

Operate on points P “ pxP , yP q on an elliptic curve: § addition: A ` B “ C, § scalar mul.: k ¨ A “ A ` A ` ¨ ¨ ¨ ` A. k´times loooooooomoooooooon Useful in Cryptography: It is easy to compute k ¨ A, e.g.:

B “ 243 ¨ A “ 11110011b ¨ A “ A ` 2A ` 16A ` 32A ` 64A ` 128A. Cost: 5 additions and 7 doublings.

/ department of mathematics and computer science Elliptic Curve Discrete Logarithm Problem 27/46

Arithmetic on Elliptic Curves

B “ 243 ¨ A “ 11110011b ¨ A “ A ` 2A ` 16A ` 32A ` 64A ` 128A. Cost: 5 additions and 7 doublings.

For given A and B, it is hard to ﬁnd k such that B “ k ¨ A!

/ department of mathematics and computer science Dual EC 28/46

Parameters Here: elliptic curve over finite filed with NIST prime P-256. (NIST SP800-90A also defines curves for P-384 and P-521.) 256 224 192 96 The elliptic curve is defined over Fp with p “ 2 ´ 2 ` 2 ` 2 ´ 1. The curve is given in short Weierstrass form

E : y 2 “ x3 ´ 3x ` b, where

b “ 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b.

Dual EC deﬁnes two points, a base point P and a second point Q:

Px “ 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296, Py “ 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5;

Qx “ 0xc97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192, Qy “ 0xb28ef557ba31dfcbdd21ac46e2a91e3c304f44cb87058ada2cb815151e610046.

/ department of mathematics and computer science s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

Dual EC — Basic Procedure 29/46

Points Q and P on an elliptic curve.

32 bytes

/ department of mathematics and computer science s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

Dual EC — Basic Procedure 29/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq

s0 s1

/ department of mathematics and computer science s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s2 s3

r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

Dual EC — Basic Procedure 29/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq

s0 s1

r1 “ xps1Qq

/ department of mathematics and computer science s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s2 s3

r2 “ xps2Qq r3 “ xps3Qq

r2 r3

Dual EC — Basic Procedure 29/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq

s0 s1

r1 “ xps1Qq

r1 30 bytes

/ department of mathematics and computer science s3 “ xps2Pq s4 “ xps3Pq

r2 “ xps2Qq r3 “ xps3Qq

r2 r3

Dual EC — Basic Procedure 29/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq

s0 s1 s2

r1 “ xps1Qq

r1 30 bytes

/ department of mathematics and computer science s3 “ xps2Pq s4 “ xps3Pq

r3 “ xps3Qq

r2 r3

Dual EC — Basic Procedure 29/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq

s0 s1 s2

r1 “ xps1Qq r2 “ xps2Qq

r1 r2 30 bytes

/ department of mathematics and computer science s4 “ xps3Pq

r3 “ xps3Qq

r2 r3

Dual EC — Basic Procedure 29/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq

r1 r2 30 bytes

/ department of mathematics and computer science s4 “ xps3Pq

r2 r3

Dual EC — Basic Procedure 29/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science s4 “ xps3Pq

Dual EC — Basic Procedure 29/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science Dual EC — Basic Procedure 29/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science Dual EC — Basic Procedure 29/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq ? r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science Dual EC — Basic Procedure 29/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq ? r2 “ xps2Qq ECDLP!r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science s2 “ xps1dQq

xpd ¨ s1Qq

Shumow and Ferguson – the Basic Attack 29/46

Points Q and P “ dQ on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science xpd ¨ s1Qq

Shumow and Ferguson – the Basic Attack 29/46

Points Q and P “ dQ on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1dQq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science Shumow and Ferguson – the Basic Attack 29/46

Points Q and P “ dQ on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1dQq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq xpd ¨ s1Qq r1 r2 r3 30 bytes

/ department of mathematics and computer science Shumow and Ferguson – the Basic Attack 29/46

Points Q and P “ dQ on an elliptic curve.

32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

rc1 r2 r3 30 bytes

/ department of mathematics and computer science Shumow and Ferguson – the Basic Attack 29/46

Points Q and P “ dQ on an elliptic curve.

32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

Rc “ prc , yprc qq rc1 r2 r3 30 bytes

/ department of mathematics and computer science Shumow and Ferguson – the Basic Attack 29/46

Points Q and P “ dQ on an elliptic curve.

32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 sc2 s3 xpdRc q r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

Rc “ prc , yprc qq rc1 r2 r3 30 bytes

/ department of mathematics and computer science Shumow and Ferguson – the Basic Attack 29/46

Points Q and P “ dQ on an elliptic curve.

32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 sc2 s3 xpdRc q r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

Rc “ prc , yprc qq rc1 r2 r3 30 bytes

/ department of mathematics and computer science Shumow and Ferguson – the Basic Attack 29/46

32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science Dual EC — NIST SP800-90 in June 2006 30/46

t1 t2

‚‘ Hpadin1q xp‚Pq ‚‘ Hpadin2q xp‚Pq xp‚Pq ‚‘ Hpadin4q

s0 s1 s2 s3 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r3

/ department of mathematics and computer science Dual EC — NIST SP800-90 in June 2006 30/46

t1 t2

‚‘ Hpadin1q xp‚Pq ‚‘ Hpadin2q xp‚Pq xp‚Pq ‚‘ Hpadin4q

s0 s1 s2 s3 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r3

/ department of mathematics and computer science Dual EC — NIST SP800-90 in June 2006 30/46

t1 t2

‚‘ Hpadin1q xp‚Pq ‚‘ Hpadin2q xp‚Pq xp‚Pq ‚‘ Hpadin4q

s0 s1 s2 s3 xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r3

/ department of mathematics and computer science Dual EC — NIST SP800-90 in June 2006 30/46

t1 t2

‚‘ Hpadin1q xp‚Pq ‚‘ Hpadin2q xp‚Pq xp‚Pq ‚‘ Hpadin4q

s0 s1 s?2 s3 xpdRc q xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r3

/ department of mathematics and computer science Dual EC — NIST SP800-90 in June 2006 30/46

t1 t2

‚‘ Hpadin1q xp‚Pq ‚‘ Hpadin2q xp‚Pq xp‚Pq ‚‘ Hpadin4q

s0 s1 s?2 s3 xpdRc q xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r3

/ department of mathematics and computer science Dual EC — NIST SP800-90 in June 2006 30/46

t1 t2

‚‘ Hpadin1q xp‚Pq ‚‘ Hpadin2q xp‚Pq xp‚Pq ‚‘ Hpadin4q

s0 s1 s2 s3 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r3

/ department of mathematics and computer science sc

‚‘ Hpadin3q

xpdRc q

Dual EC — NIST SP800-90 in March 2007 31/46

s0 s2 s5

‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q xp‚Pq xp‚Pq t1 t23

xp‚Pq xp‚Pq xp‚Pq

s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq

r1 r32 r34

/ department of mathematics and computer science sc

‚‘ Hpadin3q

xpdRc q

Dual EC — NIST SP800-90 in March 2007 31/46

s0 s2 s5

‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q xp‚Pq xp‚Pq t1 t23

xp‚Pq xp‚Pq xp‚Pq

s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq

r1 r32 r34

/ department of mathematics and computer science sc

‚‘ Hpadin3q

xpdRc q

Dual EC — NIST SP800-90 in March 2007 31/46

s0 s2 s5

‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q xp‚Pq xp‚Pq t1 t23

xp‚Pq xp‚Pq xp‚Pq

s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq

rc1 r32 r34

/ department of mathematics and computer science ‚‘ Hpadin3q

Dual EC — NIST SP800-90 in March 2007 31/46

s0 sc2 s5

‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q xp‚Pq xp‚Pq t1 t23 xpdRc q xp‚Pq xp‚Pq xp‚Pq

s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq

rc1 r32 r34

/ department of mathematics and computer science Dual EC — NIST SP800-90 in March 2007 31/46

s0 sc2 s5

‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q xp‚Pq xp‚Pq t1 t23 xpdRc q xp‚Pq xp‚Pq xp‚Pq

s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq

rc1 r32 r34

/ department of mathematics and computer science Dual EC — NIST SP800-90 in March 2007 31/46

s0 sc2 s5

‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q xp‚Pq xp‚Pq t1 t23 xpdRc q xp‚Pq xp‚Pq xp‚Pq

s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq

rc1 r32 r34

/ department of mathematics and computer science -ﬁxed

Attack 32/46

Attack targets: In the real world, the attack is more complicated. Targets of the attack: § RSA’s BSAFE § RSA BSAFE Share for Java (BSAFE Java) § RSA BSAFE Share for C and C++ (BSAFE C) § Microsoft’s SChannel § OpenSSL The points P and Q have been replaced with known P “ dQ; this required some reverse engineering of BSAFE and SChannel.

/ department of mathematics and computer science Attack 32/46

Attack targets: In the real world, the attack is more complicated. Targets of the attack: § RSA’s BSAFE § RSA BSAFE Share for Java (BSAFE Java) § RSA BSAFE Share for C and C++ (BSAFE C) § Microsoft’s SChannel § OpenSSL-ﬁxed The points P and Q have been replaced with known P “ dQ; this required some reverse engineering of BSAFE and SChannel.

/ department of mathematics and computer science s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc2 s5 xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 xp‚Pq

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc2 s5 xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s3 s4 xp‚Qq xp‚Qq

rc r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 xp‚Pq

s1 xp‚Qq

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc2 s5 xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s3 s4 xp‚Qq xp‚Qq

rc r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 xp‚Pq

s1 xp‚Qq

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc s5 xp‚Pq xp‚Pq xpdRq xp‚Pq s3 s4 xp‚Qq xp‚Qq

rc r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 s2 xp‚Pq xp‚Pq

s1 xp‚Qq

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc s5 xp‚Pq xp‚Pq xpdRq xp‚Pq s3 s4 xp‚Qq xp‚Qq

rc r3 r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 s2 xp‚Pq xp‚Pq

s1 xp‚Qq

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc s5 xp‚Pq xpdRq xp‚Pq s4 xp‚Qq xp‚Qq

rc r3 r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 s2 xp‚Pq xp‚Pq xp‚Pq

s1 s3 xp‚Qq

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc s5 xp‚Pq xpdRq xp‚Pq s4 xp‚Qq

rc r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 s2 xp‚Pq xp‚Pq xp‚Pq

s1 s3 xp‚Qq xp‚Qq

r1 r3

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc s5 xp‚Pq xpdRq xp‚Pq s4 xp‚Qq

rc r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 s2 xp‚Pq xp‚Pq xp‚Pq

s1 s3 xp‚Qq xp‚Qq

r1 r3

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc s5 xp‚Pq xpdRq

xp‚Qq

rc r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 s2

xp‚Pq xp‚Pq xp‚Pq xp‚Pq

s1 s3 s4 xp‚Qq xp‚Qq

r1 r3

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc s5 xp‚Pq xpdRq

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 s2

xp‚Pq xp‚Pq xp‚Pq xp‚Pq

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc s5 xp‚Pq xpdRq

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 s2

xp‚Pq xp‚Pq xp‚Pq xp‚Pq

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc xpdRq

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 s2 s5

xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc xpdRq

Exposes longterm secret key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 s2 s5

xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science sc xpdRq

Exposes longterm secret key! ECDSA nonce ‚P Impersonation attack possible! ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 s2 s5

xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r3 r4

server random ECDHE priv. key ECDSA nonce ‚P ECDHE public key

/ department of mathematics and computer science sc xpdRq

Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 s2 s5

xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r3 r4

server random ECDHE priv. key ECDSA nonce ‚P ‚P ECDHE public key ECDSA signature

/ department of mathematics and computer science sc xpdRq

Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 s2 s5

xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r3 r4

server random ECDHE priv. key ECDSA nonce ‚P ‚P ECDHE public key ECDSA signature

/ department of mathematics and computer science sc xpdRq

Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 s2 s5

xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce ‚P ‚P ECDHE public key ECDSA signature

/ department of mathematics and computer science Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce ‚P ‚P ECDHE public key ECDSA signature

/ department of mathematics and computer science Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce ‚P ? ‚P ECDHE public key ECDSA signature

/ department of mathematics and computer science Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 33/46

s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce ‚P ‚P ECDHE public key ECDSA signature

/ department of mathematics and computer science Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

Attack — Example: BSAFE-Java 33/46

s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce ‚P ‚P ECDHE public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

/ department of mathematics and computer science ECDSA nonce

Attack — Example: BSAFE-Java 33/46

s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

/ department of mathematics and computer science Attack — Example: BSAFE-Java 33/46

s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xpdRq xp‚Pq s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDH key

Attack — BSAFE-C 34/46

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDH key

Attack — BSAFE-C 34/46

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s3 s5 x P x P x P xp‚Pq p‚ q p‚ q p‚ q sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDH key

Attack — BSAFE-C 34/46

s0 xp‚Pq

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s3 s5 x P x P x P xp‚Pq p‚ q p‚ q p‚ q sc2 s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

session ID server random EDH key

Attack — BSAFE-C 34/46

s0 xp‚Pq

s1 xp‚Qq

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s3 s5 x P x P x P xp‚Pq p‚ q p‚ q p‚ q sc2 s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

session ID server random EDH key

Attack — BSAFE-C 34/46

s0 xp‚Pq

s1 xp‚Qq

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s3 s5 xp‚Pq xp‚Pq xp‚Pq

sc s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

session ID server random EDH key

Attack — BSAFE-C 34/46

s0 x P p‚ q xp‚Pq s1 s2 xp‚Qq

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s3 s5 xp‚Pq xp‚Pq xp‚Pq

sc s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

session ID server random EDH key

Attack — BSAFE-C 34/46

s0 x P p‚ q xp‚Pq s1 s2 xp‚Qq xp‚Qq

r1 r2

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s3 s5 xp‚Pq xp‚Pq xp‚Pq

sc s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

session ID server random EDH key

Attack — BSAFE-C 34/46

s0 x P p‚ q xp‚Pq s1 s2 xp‚Qq xp‚Qq

r1 r2

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s5 xp‚Pq xp‚Pq

sc s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

session ID server random EDH key

Attack — BSAFE-C 34/46

s0 s3 x P x P p‚ q xp‚Pq p‚ q s1 s2 xp‚Qq xp‚Qq

r1 r2

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s5 xp‚Pq xp‚Pq

sc s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

server random EDH key

Attack — BSAFE-C 34/46

s0 s3 x P x P p‚ q xp‚Pq p‚ q s1 s2 xp‚Qq xp‚Qq

r1 r2

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s5 xp‚Pq xp‚Pq

sc s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

EDH key

Attack — BSAFE-C 34/46

s0 s3 x P x P p‚ q xp‚Pq p‚ q s1 s2 xp‚Qq xp‚Qq

r1 r2

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s5 xp‚Pq

sc xpdRq xp‚Qq xp‚Qq

rc r2 r4

EDH key

Attack — BSAFE-C 34/46

s0 s3 x P x P x P p‚ q xp‚Pq p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq

r1 r2

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s5 xp‚Pq

sc xpdRq xp‚Qq

rc r2

EDH key

Attack — BSAFE-C 34/46

s0 s3 x P x P x P p‚ q xp‚Pq p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s5 xp‚Pq

sc xpdRq xp‚Qq

rc r2

EDH key

Attack — BSAFE-C 34/46

s0 s3 x P x P x P p‚ q xp‚Pq p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

sc xpdRq xp‚Qq

rc r2

EDH key

Attack — BSAFE-C 34/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

sc xpdRq xp‚Qq

rc r2

Attack — BSAFE-C 34/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

sc xpdRq xp‚Qq

rc r2

Attack — BSAFE-C 34/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

sc xpdRq xp‚Qq

rc r2

Attack — BSAFE-C 34/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

sc xpdRq xp‚Qq

Attack — BSAFE-C 34/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

xp‚Qq

Attack — BSAFE-C 34/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

Attack — BSAFE-C 34/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

Attack — BSAFE-C 34/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4 ?

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

Attack — BSAFE-C 34/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

Attack — BSAFE-C 34/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

Attack — BSAFE-C 34/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

Attack — BSAFE-C 34/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

15 average cost: 2 pCv ` Cf q

/ department of mathematics and computer science Attack — BSAFE-C 34/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

15 average cost: 30 ¨ 2 pCv ` Cf q

/ department of mathematics and computer science 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q

sc xpdRq

Attack — SChannel 35/46

s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 s2 s4 s5 xp‚Qq xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4 r5

session ID ECDHE priv. key server random ‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature

/ department of mathematics and computer science 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q

sc xpdRq

Attack — SChannel 35/46

s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 s2 s4 s5 xp‚Qq xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4 r5

session ID ECDHE priv. key server random ‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature

/ department of mathematics and computer science 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q

Attack — SChannel 35/46

s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 sc2 s4 s5 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4 r5 ?

session ID ECDHE priv. key server random ‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature

/ department of mathematics and computer science 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q

Attack — SChannel 35/46

s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 sc2 s4 s5 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4 r5

session ID ECDHE priv. key server random ‚P ? ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature

/ department of mathematics and computer science 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q

Attack — SChannel 35/46

s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 sc2 s4 s5 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4 r5

session ID ECDHE priv. key server random ‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature

/ department of mathematics and computer science Attack — SChannel 35/46

s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 sc2 s4 s5 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4 r5

session ID ECDHE priv. key server random ‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature

33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q

/ department of mathematics and computer science 31 average cost: 2 pCv ` 4Cf q

sc xpdRq

Attack — SChannel (cont.) 36/46

prev. connection curr. connection

1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q

s´3 s´1 s0 s1 s2 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

r´3 r´1 r0 r1 r2

server random ECDSA nonce session ID ‚P ECDSA signature ECDHE priv. key ‚P ECDHE public key

/ department of mathematics and computer science 31 average cost: 2 pCv ` 4Cf q

sc xpdRq

Attack — SChannel (cont.) 36/46

prev. connection curr. connection

1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q

s´3 s´1 s0 s1 s2 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

r´3 r´1 r0 r1 r2

server random ECDSA nonce session ID ‚P ECDSA signature ECDHE priv. key ‚P ECDHE public key

/ department of mathematics and computer science 31 average cost: 2 pCv ` 4Cf q

Attack — SChannel (cont.) 36/46

prev. connection curr. connection

1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q

s´3 ss´c1 s0 s1 s2 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rr´c3 r´1 r0 r1 r2

server random ECDSA nonce session ID ‚P ? ECDSA signature ECDHE priv. key ‚P ECDHE public key

/ department of mathematics and computer science 31 average cost: 2 pCv ` 4Cf q

Attack — SChannel (cont.) 36/46

prev. connection curr. connection

1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q

s´3 ss´c1 s0 s1 s2 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rr´c3 r´1 r0 r1 r2

server random ECDSA nonce session ID ‚P ECDSA signature ECDHE priv. key ‚P ECDHE public key

/ department of mathematics and computer science Attack — SChannel (cont.) 36/46

prev. connection curr. connection

1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q

s´3 ss´c1 s0 s1 s2 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rr´c3 r´1 r0 r1 r2

server random ECDSA nonce session ID ‚P ECDSA signature ECDHE priv. key ‚P ECDHE public key

31 average cost: 2 pCv ` 4Cf q

/ department of mathematics and computer science 15 20`k`l 13 average cost: 2 pCv ` Cf q ` 2 p2Cf q ` 2 p5Cf q

xpdRq

Attack — OpenSSL-ﬁxed 37/46

s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q

t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s1 s2 s4 s6 s7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4 r6 r7

session ID server random ECDHE key ‚P ECDHE public key

/ department of mathematics and computer science 15 20`k`l 13 average cost: 2 pCv ` Cf q ` 2 p2Cf q ` 2 p5Cf q

xpdRq

Attack — OpenSSL-ﬁxed 37/46

s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q

t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s1 s2 s4 s6 s7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4 r6 r7

session ID server random ECDHE key ‚P ECDHE public key

/ department of mathematics and computer science 15 20`k`l 13 average cost: 2 pCv ` Cf q ` 2 p2Cf q ` 2 p5Cf q

Attack — OpenSSL-ﬁxed 37/46

s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q

t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s s s s s x1pdRq 2 4 6 7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4 r6 r7 ?

session ID server random ECDHE key ‚P ECDHE public key

/ department of mathematics and computer science 15 20`k`l 13 average cost: 2 pCv ` Cf q ` 2 p2Cf q ` 2 p5Cf q

Attack — OpenSSL-ﬁxed 37/46

s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q

t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s s s s s x1pdRq 2 4 6 7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4 r6 r7

session ID server random ECDHE key ‚P ECDHE public key

/ department of mathematics and computer science 15 20`k`l 13 average cost: 2 pCv ` Cf q ` 2 p2Cf q ` 2 p5Cf q

Attack — OpenSSL-ﬁxed 37/46

s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q

t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s s s s s x1pdRq 2 4 6 7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4 r6 r7

session ID server random ECDHE key ‚P ECDHE public key

/ department of mathematics and computer science Attack — OpenSSL-ﬁxed 37/46

s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q

t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s s s s s x1pdRq 2 4 6 7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4 r6 r7

session ID server random ECDHE key ‚P ECDHE public key

15 20`k`l 13 average cost: 2 pCv ` Cf q ` 2 p2Cf q ` 2 p5Cf q

/ department of mathematics and computer science Attack — Attack Timings 38/46

Intel Xeon CPU 16 ˆ AMD CPU Attack Avg. Time (min) # for 1s Tot. Time (min) BSAFE-C v1.1 0.26 16 0.04 BSAFE-Java v1.1 641 38,500 63.96 SChannel I 619 37,100 62.97 SChannel II 1,760 106,000 182.64 OpenSSL-fixed I 0.04 3 0.02 OpenSSL-fixed II 707 44,200 83.32 OpenSSL-fixed III 2k ¨ 707 2k ¨ 44,200 2k ¨ 83.32

/ department of mathematics and computer science Attack — Attack Timings 38/46

/ department of mathematics and computer science xpdRq

144 bits!

Dual EC with P-384 and P-521 39/46

32 bytes

s0 s2 xp‚Pq xp‚Pq xp‚Pq

s1 ... xp‚Qq

server random

/ department of mathematics and computer science xpdRq

144 bits!

Dual EC with P-384 and P-521 39/46

48 bytes

s0 s2 xp‚Pq xp‚Pq xp‚Pq

s1 ... xp‚Qq

server random

/ department of mathematics and computer science Dual EC with P-384 and P-521 39/46

48 bytes

s0 s2 xp‚Pq xp‚Pq xp‚Pq xpdRq s1 ... xp‚Qq

r1 144 bits!

server random

/ department of mathematics and computer science Draft Proposal – Extended Random 40/46

Draft for a proposed TLS extension named “Extended Random”: § allows client to request up to 216 random bytes, § has a weak motivation: The rationale for this as stated by DoD is that the public randomness for each side should be at least twice as long as the security level for cryptographic parity, which makes the 224 bits of randomness provided by the current TLS random values insufficient. § was co-authored by an employee of NSA.

/ department of mathematics and computer science xpdRq

Draft Proposal – Extended Random 41/46

s0 s2 xp‚Pq xp‚Pq xp‚Pq

s1 ... xp‚Qq

extended random

/ department of mathematics and computer science Draft Proposal – Extended Random 41/46

s0 s2 xp‚Pq xp‚Pq xp‚Pq xpdRq s1 ... xp‚Qq

extended random

/ department of mathematics and computer science Snippets from the patent application 42/46

/ department of mathematics and computer science Snippets from the patent application 43/46

/ department of mathematics and computer science The patent ﬁling history also shows that:

§ Certicom knew how to back door Dual EC in 2005, § NSA was informed of the back door technique in 2005, and § the patent application, including examples of Dual EC exploitation, was publicly available in July 2006.

Additional Attack Cost – Patents 44/46

Dual EC patents: Certicom (now part of Blackberry) has patents in multiple countries on:

§ Dual EC exploitation: the use of Dual EC for key escrow and § Dual EC escrow avoidance: modiﬁcation to avoid key escrow.

/ department of mathematics and computer science Additional Attack Cost – Patents 44/46

Dual EC patents: Certicom (now part of Blackberry) has patents in multiple countries on:

§ Dual EC exploitation: the use of Dual EC for key escrow and § Dual EC escrow avoidance: modiﬁcation to avoid key escrow.

The patent ﬁling history also shows that:

/ department of mathematics and computer science § may contain a back door (can neither be proven nor disproven), § allows the back-door owner to compute all future random outputs, § makes ﬂaw in DSS a back door that allows impersonation, § proven to be practical in various TLS libraries, § was default RNG in RSA’s BSAFE library, § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.

Don’t useHow to ﬁx Dual it? EC!

Summary 45/46

Dual EC — a standardized back door: § (co-)authored by NSA,

/ department of mathematics and computer science § allows the back-door owner to compute all future random outputs, § makes ﬂaw in DSS a back door that allows impersonation, § proven to be practical in various TLS libraries, § was default RNG in RSA’s BSAFE library, § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.

Don’t useHow to ﬁx Dual it? EC!

Summary 45/46

Dual EC — a standardized back door: § (co-)authored by NSA, § may contain a back door (can neither be proven nor disproven),

/ department of mathematics and computer science § makes ﬂaw in DSS a back door that allows impersonation, § proven to be practical in various TLS libraries, § was default RNG in RSA’s BSAFE library, § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.

Don’t useHow to ﬁx Dual it? EC!

Summary 45/46

Dual EC — a standardized back door: § (co-)authored by NSA, § may contain a back door (can neither be proven nor disproven), § allows the back-door owner to compute all future random outputs,

/ department of mathematics and computer science § proven to be practical in various TLS libraries, § was default RNG in RSA’s BSAFE library, § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.

Don’t useHow to ﬁx Dual it? EC!

Summary 45/46

/ department of mathematics and computer science § was default RNG in RSA’s BSAFE library, § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.

Don’t useHow to ﬁx Dual it? EC!

Summary 45/46

/ department of mathematics and computer science § back door becomes even stronger with proposed Extended Random, § it is not only standardized but even patented.

Don’t useHow to ﬁx Dual it? EC!

Summary 45/46

Dual EC — a standardized back door: § (co-)authored by NSA, § may contain a back door (can neither be proven nor disproven), § allows the back-door owner to compute all future random outputs, § makes ﬂaw in DSS a back door that allows impersonation, § proven to be practical in various TLS libraries, § was default RNG in RSA’s BSAFE library,

/ department of mathematics and computer science § it is not only standardized but even patented.

Don’t useHow to ﬁx Dual it? EC!

Summary 45/46

/ department of mathematics and computer science Don’t useHow to ﬁx Dual it? EC!

Summary 45/46

/ department of mathematics and computer science Don’t use Dual EC!

Summary 45/46

How to ﬁx it?

/ department of mathematics and computer science Summary 45/46

Don’t useHow to ﬁx Dual it? EC!

/ department of mathematics and computer science 2nd Assignment 46/46

§ Choice of topic: before Thursday, December 17th, 23:59. § Assignment of topic: Friday, December 18th. § Deadline of second assignment: Sunday, January 31st, 23:59.

The deadlines are strict!

/ department of mathematics and computer science