Kleptography, Dual EC

Home , Dual EC DRBG, Kleptography, RSA Security, Strong cryptography

Applied Cryptography

Tanja Lange (many slides from Ruben Niederhagen; some from Moti Yung)

December 20, 2016 / department of mathematics and computer science § New designs (and acronyms):

§ Escrowed Encryption Standard (EES)

§ Law Enforcement Access Field (LEAF)

§ Key escrow highly controversial: can be used to spy on citizens and adds weakness to system.

§ Most prominent example: Clipper chip.

§ Matt Blaze showed how to circumvent escrow part; project stopped. [Photo by Travis Goodspeed]

Capstone Project 2/46

§ NSA program, public since 1993.

§ Standards for government, also planned for commercial and private use.

§ Advertised as making strong cryptography available, no risk to security of country and citizens.

/ department of mathematics and computer science § Most prominent example: Clipper chip.

§ Matt Blaze showed how to circumvent escrow part; project stopped. [Photo by Travis Goodspeed]

Capstone Project 2/46

§ NSA program, public since 1993.

§ Standards for government, also planned for commercial and private use.

§ Advertised as making strong cryptography available, no risk to security of country and citizens. § New designs (and acronyms):

§ Escrowed Encryption Standard (EES)

§ Law Enforcement Access Field (LEAF)

§ Key escrow highly controversial: can be used to spy on citizens and adds weakness to system.

/ department of mathematics and computer science Capstone Project 2/46

§ NSA program, public since 1993.

§ Standards for government, also planned for commercial and private use.

§ Advertised as making strong cryptography available, no risk to security of country and citizens. § New designs (and acronyms):

§ Escrowed Encryption Standard (EES)

§ Law Enforcement Access Field (LEAF)

§ Key escrow highly controversial: can be used to spy on citizens and adds weakness to system.

§ Most prominent example: Clipper chip.

§ Matt Blaze showed how to circumvent escrow part; project stopped. [Photo by Travis Goodspeed]

/ department of mathematics and computer science Kleptography — Introduction 3/46

What is Kleptography?

§ Kleptography is the study of stealing information securely (exclusively), eciently, and subliminally (unnoticeably).

§ Stealing from your most trusted hardware protected systems, un-scrutinized software, etc.

§ It employs Crypto against Crypto! Hiding Crypto in Crypto (as steganography hides text in text).

/ department of mathematics and computer science Kleptography — Introduction 4/46

/ department of mathematics and computer science Kleptography — Introduction 5/46

The goal:

§ To develop a robust back door within a cryptosystem that: 1. EXCLUSIVITY: Provides only to the attacker the desired secret information (e.g., private key of the unwary user), 2. INDISTINGUISHABILITY: Cannot be detected in black-box implementations (I/O access only as in tamper-resistant systems) except by the attacker, 3. FORWARD SECRECY: If a reverse-engineer (i.e., not the attacker) breaches the black-box, then the previously stolen information remains condential (secure against reverse-engineering).

§ The successful reverse-engineer may learn that the attack is carried out (dierent algorithm is run), BUT will be unable to use the back door.

/ department of mathematics and computer science Kleptography — Attacking RSA 6/46

RSA Key Generation: Let e be the public RSA exponent shared by all users (e.g., e “ 216 ` 1). 1. Choose a large p randomly (e.g., p is 1024 bits long). 2. If p is composite or gcdpe, p ´ 1q ‰ 1 then goto step 1. 3. Choose a large number q randomly (e.g., q is 1024 bits long). 4. If q is composite or gcdpe, q ´ 1q ‰ 1 then goto step 3. 5. Solve for d given d ¨ e ” 1 mod φpnq. 6. Output the public key pn “ pq, eq and private key d.

/ department of mathematics and computer science Kleptography — Attacking RSA 7/46

Kleptographic RSA Key Generation: The attacker is using a 1024-bit RSA key with public key pY , eq. 1. Choose a large s randomly (e.g., s is 1024 bits long). 2. Compute p “ Hpsq where H is a cryptographic hash function. 3. If p is composite or gcdpe, p ´ 1q ‰ 1 then goto step 1. 4. Choose a large 1024-bit string RND randomly. 5. Compute c to be an encryption of s under the attacker's RSA key, i.e., with public key pY , eq, c “ se mod Y . 6. Solve for pq, rq in pc||RNDq “ pq ` r (integer division). 7. If q is composite or gcdpe, q ´ 1q ‰ 1 then goto step 1. 8. Solve for d given d ¨ e ” 1 mod φpnq. 9. Output the public key pn “ pq, eq and the private key d.

/ department of mathematics and computer science Kleptography — Attacking RSA 8/46

Observe: c is the encryption of s with the attackers key.

pc||RNDq “ pq ` r ùñ pc||RNDq ´ r “ pq “ n Note that r is about square root (i.e., about half the bit length) of n. Thus the p´rq operation will not ruin c by more than one bit (borrow bit). The value c is not hidden much by the high order bits of n.

/ department of mathematics and computer science Kleptography — Attacking RSA 9/46

Recovering the RSA Private Key: § The attacker obtains the public key pn, eq of the user. § Let u be the 1024 uppermost bits of n.

§ The attacker sets c1 “ u and c2 “ u ` 1. (c2 accounts for a potential borrow bit having been taken from the computation n “ pq “ pc||RNDq ´ r). § The attacker decrypts c1 and c2 using his private key to get s1 and s2 respectively. § Either p1 “ Hps1q or p2 “ Hps2q will divide n evenly. Only the attacker can perform this operation since only the attacker knows the needed private decryption key.

/ department of mathematics and computer science What can the attacker do if there is no subliminal channel? (e.g. Die-Hellman key exchange)

Kleptography — Attacking RSA 10/46

Features of the attack:

§ Only the key generation is tempered with.

§ All messages observed outside of the black box are legitimate.

§ There is no direct connection between the black box and the attacker.

§ The security of the klepographic encryption is signicantly lower than that of the user's key Y has only half the length of n.

§ The user's public key is used as an subliminal channel to exltrate the private key to the attacker.

/ department of mathematics and computer science Kleptography — Attacking RSA 10/46

Features of the attack:

§ Only the key generation is tempered with.

§ All messages observed outside of the black box are legitimate.

§ There is no direct connection between the black box and the attacker.

§ The security of the klepographic encryption is signicantly lower than that of the user's key Y has only half the length of n.

§ The user's public key is used as an subliminal channel to exltrate the private key to the attacker. What can the attacker do if there is no subliminal channel? (e.g. Die-Hellman key exchange)

/ department of mathematics and computer science Kleptography — Attacking Difﬁe-Hellman 11/46

Die-Hellman key exchange: 1. Alice chooses a randomly. 2. Alice sends A “ g a mod p to Bob. 3. Bob chooses b randomly. 4. Bob sends B “ g b mod p to Alice. 5. Alice computes k “ Ba mod p. 6. Bob computes k “ Ab mod p. Observe that k “ Ba “ Ab mod p since g ba “ g ab mod p.

/ department of mathematics and computer science § Second exchange:

a1 § Alice's device computes a2 “ Hpym mod pq. a § Alice's device computes A2 “ g 2 and Alice sends A2 to Bob. § Alice's device stores a2 in non-volatile memory. b § Bob picks a random b2 and sends B2 “ g 2 to Alice. a b § Alice and Bob compute k2 “ g 2 2 mod p.

Kleptography — Attacking Difﬁe-Hellman 12/46

Kleptographic Die-Hellman key exchange: x The attacker is using a private xm and a public ym “ g m .

§ First exchange:

§ Alice's device picks a random a1. a § Alice's device computes A1 “ g 1 and Alice sends A1 to Bob. § Alice's device stores a1 in non-volatile memory. b § Bob picks a random b1 and sends B1 “ g 1 to Alice. a b § Alice and Bob compute k1 “ g 1 1 mod p.

/ department of mathematics and computer science Kleptography — Attacking Difﬁe-Hellman 12/46

Kleptographic Die-Hellman key exchange: x The attacker is using a private xm and a public ym “ g m .

§ First exchange:

/ department of mathematics and computer science Kleptography — Attacking Difﬁe-Hellman 13/46

Recovering the Die-Hellman key:

§ The attacker obtains A1 and B1 at rst passive eavesdropping. xm § The attacker computes a2 “ HpA1 mod pq. a2 § The attacker computes k2 “ B2 mod p.

xm a1xm xma1 a1 A1 ” g ” g ” ym mod p In two DH key exchanges three exchanges are run!

The attack can be chained for more key exchanges, the attacker misses only the rst encrypted communication.

/ department of mathematics and computer science Kleptography — Attacking Difﬁe-Hellman 14/46

Denition of a SETUP attack: A Secretly Embedded Trapdoor with Universal Protection (SETUP) attack is an algorithmic modication C 1 of a cryptosystem C with the following properties:

1. Halting Correctness: C and C 1 are ecient algorithms.

2. Output Indistinguishability: The outputs of C and C 1 are computationally indistinguishable to all ecient algorithms except for the attacker. 3. Condentiality of C: The outputs of C do not compromise the security of the cryptosystem that C implements.

4. Condentiality of C 1: The outputs of C 1 only compromise the security of the cryptosystem that C 1 implements with respect to the attacker.

5. Ability to compromise C 1: With overwhelming probability the attacker can break/decrypt/cryptanalyze at least one private output of C 1 given a sucient number of public outputs of C'.

/ department of mathematics and computer science § The device picks random b, computes bP and k “ hashpbPE q. § Pick random prime p. Compute authenticated encryption c of top half of p under key k. This has length m{2 plus the authenticator, e.g., 768+128=896 bits.

§ Put the top part of n equal to an encoding of bP followed by c, compute q and n “ pq. Lots of space left! § Attacker decodes and trial decrypts. If authenticator works, use known bits of p to factor n.

Fancier Attack on RSA 15/46

Let the RSA keys hve n “ 2m bits, e.g., n “ 3072 for 128-bit security. Attacker's key is PE “ aP on a secure elliptic curve. § Combine ECC with interesting RSA facts.

§ Coppersmith's attack (and extensions): can factor eciently if top m{2 bits of p are known. § Can build RSA modulus for any given p and top „ m bits of n.

/ department of mathematics and computer science § Attacker decodes and trial decrypts. If authenticator works, use known bits of p to factor n.

Fancier Attack on RSA 15/46

Let the RSA keys hve n “ 2m bits, e.g., n “ 3072 for 128-bit security. Attacker's key is PE “ aP on a secure elliptic curve. § Combine ECC with interesting RSA facts.

§ Coppersmith's attack (and extensions): can factor eciently if top m{2 bits of p are known. § Can build RSA modulus for any given p and top „ m bits of n. § The device picks random b, computes bP and k “ hashpbPE q. § Pick random prime p. Compute authenticated encryption c of top half of p under key k. This has length m{2 plus the authenticator, e.g., 768+128=896 bits.

§ Put the top part of n equal to an encoding of bP followed by c, compute q and n “ pq. Lots of space left!

/ department of mathematics and computer science Fancier Attack on RSA 15/46

Let the RSA keys hve n “ 2m bits, e.g., n “ 3072 for 128-bit security. Attacker's key is PE “ aP on a secure elliptic curve. § Combine ECC with interesting RSA facts.

/ department of mathematics and computer science Snowden at SXSW: [..] we know that these encryption algorithms we are using today work typically it is the random number generators that are attacked as opposed to the encryption algorithms themselves.

Random numbers are important 16/46

§ Cryptography needs random numbers to generate long-term secret keys for encryption and signatures. § Many schemes expect random (or pseudorandom) numbers, e.g.

§ ephemeral keys for DH key exchange,

§ nonces for digital signatures, § nonces in authenticated encryption.

§ Nonce reuse can reveal long-term secret keys (e.g. PlayStation disaster)

§ DSA/ECDSA are so touchy that biased nonces are enough to break them.

/ department of mathematics and computer science Random numbers are important 16/46

§ Cryptography needs random numbers to generate long-term secret keys for encryption and signatures. § Many schemes expect random (or pseudorandom) numbers, e.g.

§ ephemeral keys for DH key exchange,

§ nonces for digital signatures, § nonces in authenticated encryption.

§ Nonce reuse can reveal long-term secret keys (e.g. PlayStation disaster)

§ DSA/ECDSA are so touchy that biased nonces are enough to break them. Snowden at SXSW: [..] we know that these encryption algorithms we are using today work typically it is the random number generators that are attacked as opposed to the encryption algorithms themselves.

/ department of mathematics and computer science Client Server Generate client random Generate client random session ID, (ě 28 bytes) server random, a, , sig aP signature nonce server random, session ID, cert(pk), Generate b (ď 32 + 28 + 32 (46 bytes) bP, Finished + 32 bytes) Finished

MS = PRF(xpabPq, master secret, client random || server random)

SSL/TLS/HTTPS – internet security protocols 17/46

Use of randomness in internet protocols.

/ department of mathematics and computer science SSL/TLS/HTTPS – internet security protocols 17/46

Use of randomness in internet protocols. Client Server Generate client random Generate client random session ID, (ě 28 bytes) server random, a, , sig aP signature nonce server random, session ID, cert(pk), Generate b (ď 32 + 28 + 32 (46 bytes) bP, Finished + 32 bytes) Finished

MS = PRF(xpabPq, master secret, client random || server random)

/ department of mathematics and computer science Pseudo-random-number generators 18/46

Crypto libraries expand short seed into long stream of random bits. Random bits are used as secret keys, DSA nonces, . . .

The usual structure, starting from short seed s0: f ps0q f ps1q f ps2q f ps3q s0 s1 s2 s3 ¨ ¨ ¨

gps0q gps1q gps2q gps3q

r0 r1 r2 r3

XXX's mission: Predict the random output bits. 1. Create protocols that directly output rn for some reason.

/ department of mathematics and computer science 3. Standardize this design of f , g. 4. Convince users to switch to this design: e.g., publish security proof.

Pseudo-random-number generators 18/46 Crypto libraries expand short seed into long stream of random bits. Random bits are used as secret keys, DSA nonces, . . .

The usual structure, starting from short seed s0: f ps0q f ps1q f ps2q f ps3q s0 s1 s2 s3 ¨ ¨ ¨

gps0q gps1q gps2q gps3q

r0 r1 r2 r3

XXX's mission: Predict the random output bits. 1. Create protocols that directly output rn for some reason. 2. Design f , g with back door from rn to sn`1: i.e., get f psq from gpsq.

/ department of mathematics and computer science 4. Convince users to switch to this design: e.g., publish security proof.

Pseudo-random-number generators 18/46 Crypto libraries expand short seed into long stream of random bits. Random bits are used as secret keys, DSA nonces, . . .

The usual structure, starting from short seed s0: f ps0q f ps1q f ps2q f ps3q s0 s1 s2 s3 ¨ ¨ ¨

gps0q gps1q gps2q gps3q

r0 r1 r2 r3

/ department of mathematics and computer science Pseudo-random-number generators 18/46 Crypto libraries expand short seed into long stream of random bits. Random bits are used as secret keys, DSA nonces, . . .

The usual structure, starting from short seed s0: f ps0q f ps1q f ps2q f ps3q s0 s1 s2 s3 ¨ ¨ ¨

gps0q gps1q gps2q gps3q

r0 r1 r2 r3

XXX's mission: Predict the random output bits. 1. Create protocols that directly output rn for some reason. 2. Design f , g with back door from rn to sn`1: i.e., get f psq from gpsq. 3. Standardize this design of f , g. 4. Convince users to switch to this design: e.g., publish security proof. / department of mathematics and computer science Wait a minute: Curve points px, yq don't look like random strings. They satisfy public curve equation: y 2 “ x3 ´ 3x ` constant. This won't pass public review. Solution: Let's throw away y and some bits of x. Dene f psq “ xpsPq, gpsq “ extpxpsQqq where ext omits 16 bits. Not a big computation for us to recover sQ from gpsq.

Elliptic curves 19/46

If P, Q are random points on a strong elliptic curve then it's hard to predict sP given sQ.

But if we know P “ dQ then it's easy: sP “ sdQ. Let's choose random Q, random d, dene P “ dQ. Standardize this P; Q; f psq “ sP; gpsq “ sQ.

/ department of mathematics and computer science Solution: Let's throw away y and some bits of x. Dene f psq “ xpsPq, gpsq “ extpxpsQqq where ext omits 16 bits. Not a big computation for us to recover sQ from gpsq.

Elliptic curves 19/46

If P, Q are random points on a strong elliptic curve then it's hard to predict sP given sQ.

/ department of mathematics and computer science Elliptic curves 19/46

If P, Q are random points on a strong elliptic curve then it's hard to predict sP given sQ.

But if we know P “ dQ then it's easy: sP “ sdQ. Let's choose random Q, random d, dene P “ dQ. Standardize this P; Q; f psq “ sP; gpsq “ sQ. Wait a minute: Curve points px, yq don't look like random strings. They satisfy public curve equation: y 2 “ x3 ´ 3x ` constant. This won't pass public review. Solution: Let's throw away y and some bits of x. Dene f psq “ xpsPq, gpsq “ extpxpsQqq where ext omits 16 bits. Not a big computation for us to recover sQ from gpsq.

/ department of mathematics and computer science Dual EC RNG: history part I 20/46

Earliest public source (?) June 2004, draft of ANSI X9.82:

Extract gives all but the top 16 bits ñ about 215 points sQ match given string. Claim:

/ department of mathematics and computer science Common public history part II 21/46

Various public warning signals:

§ Gjøsteen (March 2006): output sequence is biased.

§ Brown (March 2006): security proof This proof makes essential use of Q being random. If d with

dQ “ P is known then dRi “ Si`1, concludes that there might be distinguisher.

§ Sidorenko & Schoenmakers (May 2006): output sequence is even more biased. Answer: Too late to change, already implemented.

§ Included in standards ISO 18031 (2005), NIST SP 800-90 (2006), ANSI X9.82 (2007).

§ Shumow & Ferguson (August 2007): Backdoor if d is known.

§ NIST SP800-90 gets appendix about choosing points veriably at random, but requires use of standardized P, Q for FIPS-140 validation.

/ department of mathematics and computer science NYT: the NSA had inserted a back door into a 2006 standard adopted by NIST [..] called the Dual EC DRBG standard.

. . . but surely nobody uses that!?!

NIST's DRBG Validation List: more than 70 validations of Dual EC DRBG; RSA's BSAFE has Dual EC DRBG enabled as default,.

NIST re-opens discussions on SP800.90; recommmends against using Dual EC. RSA suggests changing default in BSAFE. 21 April 2014 NIST removes Dual EC from the standard.

September 2013: NSA Bullrun program 22/46

/ department of mathematics and computer science . . . but surely nobody uses that!?!

NIST's DRBG Validation List: more than 70 validations of Dual EC DRBG; RSA's BSAFE has Dual EC DRBG enabled as default,.

NIST re-opens discussions on SP800.90; recommmends against using Dual EC. RSA suggests changing default in BSAFE. 21 April 2014 NIST removes Dual EC from the standard.

September 2013: NSA Bullrun program 22/46

NYT: the NSA had inserted a back door into a 2006 standard adopted by NIST [..] called the Dual EC DRBG standard.

/ department of mathematics and computer science NIST's DRBG Validation List: more than 70 validations of Dual EC DRBG; RSA's BSAFE has Dual EC DRBG enabled as default,.

NIST re-opens discussions on SP800.90; recommmends against using Dual EC. RSA suggests changing default in BSAFE. 21 April 2014 NIST removes Dual EC from the standard.

September 2013: NSA Bullrun program 22/46

NYT: the NSA had inserted a back door into a 2006 standard adopted by NIST [..] called the Dual EC DRBG standard.

. . . but surely nobody uses that!?!

/ department of mathematics and computer science NIST re-opens discussions on SP800.90; recommmends against using Dual EC. RSA suggests changing default in BSAFE. 21 April 2014 NIST removes Dual EC from the standard.

September 2013: NSA Bullrun program 22/46

NYT: the NSA had inserted a back door into a 2006 standard adopted by NIST [..] called the Dual EC DRBG standard.

. . . but surely nobody uses that!?!

NIST's DRBG Validation List: more than 70 validations of Dual EC DRBG; RSA's BSAFE has Dual EC DRBG enabled as default,.

/ department of mathematics and computer science September 2013: NSA Bullrun program 22/46

NYT: the NSA had inserted a back door into a 2006 standard adopted by NIST [..] called the Dual EC DRBG standard.

. . . but surely nobody uses that!?!

NIST's DRBG Validation List: more than 70 validations of Dual EC DRBG; RSA's BSAFE has Dual EC DRBG enabled as default,.

NIST re-opens discussions on SP800.90; recommmends against using Dual EC. RSA suggests changing default in BSAFE. 21 April 2014 NIST removes Dual EC from the standard.

/ department of mathematics and computer science Dual-EC — Introduction

December 2013 23/46

/ department of mathematics and computer science Dual-EC — Introduction

24/46

MS = PRF(xpabPq, master secret, client random || server random)

SSL/TLS/HTTPS – internet security protocols 25/46

How are RNGs actually used? Do implementations actually leak enough of rn?

/ department of mathematics and computer science SSL/TLS/HTTPS – internet security protocols 25/46

How are RNGs actually used? Do implementations actually leak enough of rn? Client Server Generate client random Generate client random session ID, (ě 28 bytes) server random, a, , sig aP signature nonce server random, session ID, cert(pk), Generate b (ď 32 + 28 + 32 (46 bytes) bP, Finished + 32 bytes) Finished

MS = PRF(xpabPq, master secret, client random || server random)

/ department of mathematics and computer science Dual-EC — Introduction 26/46

Common TLS implementations:

§ RSA's BSAFE

§ RSA BSAFE Share for Java (BSAFE Java)

§ RSA BSAFE Share for C and C++ (BSAFE C)

§ Microsoft's SChannel

§ OpenSSL All of these oer Dual EC.

/ department of mathematics and computer science Dual-EC — Introduction 26/46

Common TLS implementations:

§ RSA's BSAFE

§ RSA BSAFE Share for Java (BSAFE Java)

§ RSA BSAFE Share for C and C++ (BSAFE C)

§ Microsoft's SChannel Remember: NSA paid RSA Security $10 million § OpenSSL to use Dual EC as the default RNG! All of these oer Dual EC.

/ department of mathematics and computer science Dual EC 27/46

Parameters Here: elliptic curve over nite led with NIST prime P-256. (NIST SP800-90A also denes curves for P-384 and P-521.) 256 224 192 96 The elliptic curve is dened over Fp with p “ 2 ´ 2 ` 2 ` 2 ´ 1. The curve is given in short Weierstrass form

2 3 E : y “ x ´ 3x ` b, where

b “ 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b. Dual EC denes two points, a base point P and a second point Q:

Px “ 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296, Py “ 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5;

Qx “ 0xc97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192, Qy “ 0xb28ef557ba31dfcbdd21ac46e2a91e3c304f44cb87058ada2cb815151e610046.

/ department of mathematics and computer science s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

Dual EC — Basic Procedure 28/46

Points Q and P on an elliptic curve.

32 bytes

/ department of mathematics and computer science s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

Dual EC — Basic Procedure 28/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq

s0 s1

/ department of mathematics and computer science s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s2 s3

r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

Dual EC — Basic Procedure 28/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq

s0 s1

r1 “ xps1Qq

/ department of mathematics and computer science s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s2 s3

r2 “ xps2Qq r3 “ xps3Qq

r2 r3

Dual EC — Basic Procedure 28/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq

s0 s1

r1 “ xps1Qq

r1 30 bytes

/ department of mathematics and computer science s3 “ xps2Pq s4 “ xps3Pq

r2 “ xps2Qq r3 “ xps3Qq

r2 r3

Dual EC — Basic Procedure 28/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq

s0 s1 s2

r1 “ xps1Qq

r1 30 bytes

/ department of mathematics and computer science s3 “ xps2Pq s4 “ xps3Pq

r3 “ xps3Qq

r2 r3

Dual EC — Basic Procedure 28/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq

s0 s1 s2

r1 “ xps1Qq r2 “ xps2Qq

r1 r2 30 bytes

/ department of mathematics and computer science s4 “ xps3Pq

r3 “ xps3Qq

r2 r3

Dual EC — Basic Procedure 28/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq

r1 r2 30 bytes

/ department of mathematics and computer science s4 “ xps3Pq

r2 r3

Dual EC — Basic Procedure 28/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science s4 “ xps3Pq

Dual EC — Basic Procedure 28/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science Dual EC — Basic Procedure 28/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science Dual EC — Basic Procedure 28/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq ? r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science Dual EC — Basic Procedure 28/46

Points Q and P on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq ? r2 “ xps2Qq ECDLP!r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science s2 “ xps1dQq

xpd ¨ s1Qq

Shumow and Ferguson – the Basic Attack 28/46

Points Q and P “ dQ on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science xpd ¨ s1Qq

Shumow and Ferguson – the Basic Attack 28/46

Points Q and P “ dQ on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1dQq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science Shumow and Ferguson – the Basic Attack 28/46

Points Q and P “ dQ on an elliptic curve.

32 bytes s1 “ xps0Pq s2 “ xps1dQq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq x d s1Q r1 p r2¨ q r3 30 bytes

/ department of mathematics and computer science Shumow and Ferguson – the Basic Attack 28/46

Points Q and P “ dQ on an elliptic curve.

32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

rc1 r2 r3 30 bytes

/ department of mathematics and computer science Shumow and Ferguson – the Basic Attack 28/46

Points Q and P “ dQ on an elliptic curve.

32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

Rc “ prc , yprc qq rc1 r2 r3 30 bytes

/ department of mathematics and computer science Shumow and Ferguson – the Basic Attack 28/46

Points Q and P “ dQ on an elliptic curve.

32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 sc2 s3 xpdRc q r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

Rc “ prc , yprc qq rc1 r2 r3 30 bytes

/ department of mathematics and computer science Shumow and Ferguson – the Basic Attack 28/46

Points Q and P “ dQ on an elliptic curve.

32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 sc2 s3 xpdRc q r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

Rc “ prc , yprc qq rc1 r2 r3 30 bytes

/ department of mathematics and computer science Shumow and Ferguson – the Basic Attack 28/46

32 bytes s1 “ xps0Pq s3 “ xps2Pq s4 “ xps3Pq

s0 s1 s2 s3

r1 “ xps1Qq r2 “ xps2Qq r3 “ xps3Qq

r1 r2 r3 30 bytes

/ department of mathematics and computer science Dual EC — NIST SP800-90 in June 2006 29/46

t1 t2 H adin x P H adin x P H adin ‚‘ p 1q p‚ q ‚‘ p 2q p‚ q xp‚Pq ‚‘ p 4q

s0 s1 s2 s3 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r3

/ department of mathematics and computer science Dual EC — NIST SP800-90 in June 2006 29/46

t1 t2 H adin x P H adin x P H adin ‚‘ p 1q p‚ q ‚‘ p 2q p‚ q xp‚Pq ‚‘ p 4q

s0 s1 s2 s3 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r3

/ department of mathematics and computer science Dual EC — NIST SP800-90 in June 2006 29/46

t1 t2 H adin x P H adin x P H adin ‚‘ p 1q p‚ q ‚‘ p 2q p‚ q xp‚Pq ‚‘ p 4q

s0 s1 s2 s3 xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r3

/ department of mathematics and computer science Dual EC — NIST SP800-90 in June 2006 29/46

t1 t2 H adin x P H adin x P H adin ‚‘ p 1q p‚ q ‚‘ p 2q p‚ q xp‚Pq ‚‘ p 4q

s0 s1 s?2 s3 xpdRc q xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r3

/ department of mathematics and computer science Dual EC — NIST SP800-90 in June 2006 29/46

t1 t2 H adin x P H adin x P H adin ‚‘ p 1q p‚ q ‚‘ p 2q p‚ q xp‚Pq ‚‘ p 4q

s0 s1 s?2 s3 xpdRc q xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r3

/ department of mathematics and computer science Dual EC — NIST SP800-90 in June 2006 29/46

t1 t2 H adin x P H adin x P H adin ‚‘ p 1q p‚ q ‚‘ p 2q p‚ q xp‚Pq ‚‘ p 4q

s0 s1 s2 s3 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r3

/ department of mathematics and computer science sc

‚‘ Hpadin3q

xpdRc q

Dual EC — NIST SP800-90 in March 2007 30/46

s0 s2 s5

‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q x P x P t1 p‚ q t23 p‚ q x P x P p‚ q p‚ q xp‚Pq

s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq

r1 r32 r34

/ department of mathematics and computer science sc

‚‘ Hpadin3q

xpdRc q

Dual EC — NIST SP800-90 in March 2007 30/46

s0 s2 s5

‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q x P x P t1 p‚ q t23 p‚ q x P x P p‚ q p‚ q xp‚Pq

s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq

r1 r32 r34

/ department of mathematics and computer science sc

‚‘ Hpadin3q

xpdRc q

Dual EC — NIST SP800-90 in March 2007 30/46

s0 s2 s5

‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q x P x P t1 p‚ q t23 p‚ q x P x P p‚ q p‚ q xp‚Pq

s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq

rc1 r32 r34

/ department of mathematics and computer science ‚‘ Hpadin3q

Dual EC — NIST SP800-90 in March 2007 30/46

s0 sc2 s5

‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q x P x P t1 p‚ q t23 p‚ q xpdRc q x P x P p‚ q p‚ q xp‚Pq

s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq

rc1 r32 r34

/ department of mathematics and computer science Dual EC — NIST SP800-90 in March 2007 30/46

s0 sc2 s5

‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q x P x P t1 p‚ q t23 p‚ q xpdRc q x P x P p‚ q p‚ q xp‚Pq

s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq

rc1 r32 r34

/ department of mathematics and computer science Dual EC — NIST SP800-90 in March 2007 30/46

s0 sc2 s5

‚‘ Hpadin1q ‚‘ Hpadin3q ‚‘ Hpadin6q x P x P t1 p‚ q t23 p‚ q xpdRc q x P x P p‚ q p‚ q xp‚Pq

s0 s1 s23 s34 xp‚Qq xp‚Qq xp‚Qq

rc1 r32 r34

/ department of mathematics and computer science -xed

Attack 31/46

Attack targets: In the real world, the attack is more complicated. Targets of the attack:

§ RSA's BSAFE

§ RSA BSAFE Share for Java (BSAFE Java) § RSA BSAFE Share for C and C++ (BSAFE C)

§ Microsoft's SChannel

§ OpenSSL The points P and Q have been replaced with known P “ dQ; this required some reverse engineering of BSAFE and SChannel.

/ department of mathematics and computer science Attack 31/46

Attack targets: In the real world, the attack is more complicated. Targets of the attack:

§ RSA's BSAFE

§ RSA BSAFE Share for Java (BSAFE Java) § RSA BSAFE Share for C and C++ (BSAFE C)

§ Microsoft's SChannel

§ OpenSSL-xed The points P and Q have been replaced with known P “ dQ; this required some reverse engineering of BSAFE and SChannel.

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq x P xp‚Pq xpdRq p‚ q s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

sc2 s5 xp‚Pq xp‚Pq xp‚Pq x P xp‚Pq xpdRq p‚ q s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

sc2 s5 xp‚Pq xp‚Pq x P xp‚Pq xpdRq p‚ q s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 xp‚Pq

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

sc2 s5 xp‚Pq xp‚Pq x P xp‚Pq xpdRq p‚ q s3 s4 xp‚Qq xp‚Qq

rc r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 xp‚Pq

s1 xp‚Qq

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

sc2 s5 xp‚Pq xp‚Pq x P xp‚Pq xpdRq p‚ q s3 s4 xp‚Qq xp‚Qq

rc r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 xp‚Pq

s1 xp‚Qq

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

sc s5 xp‚Pq x P xp‚Pq xpdRq p‚ q s3 s4 xp‚Qq xp‚Qq

rc r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 s2 xp‚Pq xp‚Pq

s1 xp‚Qq

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

sc s5 xp‚Pq x P xp‚Pq xpdRq p‚ q s3 s4 xp‚Qq xp‚Qq

rc r3 r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 s2 xp‚Pq xp‚Pq

s1 xp‚Qq

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

sc s5 x P xp‚Pq xpdRq p‚ q s4 xp‚Qq xp‚Qq

rc r3 r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 s2 xp‚Pq xp‚Pq xp‚Pq

s1 s3 xp‚Qq

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

sc s5 x P xp‚Pq xpdRq p‚ q s4 xp‚Qq

rc r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 s2 xp‚Pq xp‚Pq xp‚Pq

s1 s3 xp‚Qq xp‚Qq

r1 r3

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

sc s5 x P xp‚Pq xpdRq p‚ q s4 xp‚Qq

rc r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 s2 xp‚Pq xp‚Pq xp‚Pq

s1 s3 xp‚Qq xp‚Qq

r1 r3

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

sc s5 xp‚Pq xpdRq

xp‚Qq

rc r4

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 s2 x P x P x P p‚ q p‚ q p‚ q xp‚Pq

s1 s3 s4 xp‚Qq xp‚Qq

r1 r3

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

sc s5 xp‚Pq xpdRq

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 s2 x P x P x P p‚ q p‚ q p‚ q xp‚Pq

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

sc s5 xp‚Pq xpdRq

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 s2 x P x P x P p‚ q p‚ q p‚ q xp‚Pq

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

xpdRq

Exposes longterm secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 s2 s5 x P x P x P x P p‚ q p‚ q p‚ q xp‚Pq p‚ q

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

xpdRq

Exposes longterm secret key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 s2 s5 x P x P x P x P p‚ q p‚ q p‚ q xp‚Pq p‚ q

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

xpdRq

Exposes longterm secret key! ECDSA nonce ‚P Impersonation attack possible! ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 s2 s5 x P x P x P x P p‚ q p‚ q p‚ q xp‚Pq p‚ q

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

‚P ECDHE public key

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

xpdRq

Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 s2 s5 x P x P x P x P p‚ q p‚ q p‚ q xp‚Pq p‚ q

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

‚P ‚P ECDHE public key ECDSA signature

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

xpdRq

Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 s2 s5 x P x P x P x P p‚ q p‚ q p‚ q xp‚Pq p‚ q

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r3 r4

server random ECDHE priv. key ECDSA nonce

‚P ‚P ECDHE public key ECDSA signature

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

xpdRq

Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 s2 s5 x P x P x P x P p‚ q p‚ q p‚ q xp‚Pq p‚ q

s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce

‚P ‚P ECDHE public key ECDSA signature

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq x P xp‚Pq xpdRq p‚ q s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce

‚P ‚P ECDHE public key ECDSA signature

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq x P xp‚Pq xpdRq p‚ q s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce

‚P ? ‚P ECDHE public key ECDSA signature

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

31 average cost: 2 pCv ` 5Cf q

Attack — Example: BSAFE-Java 32/46

s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq x P xp‚Pq xpdRq p‚ q s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce

‚P ‚P ECDHE public key ECDSA signature

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

Exposes longterm secret key! ECDSA nonce Impersonation attack possible!

Attack — Example: BSAFE-Java 32/46

s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq x P xp‚Pq xpdRq p‚ q s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

server random ECDHE priv. key ECDSA nonce

‚P ‚P ECDHE public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

/ department of mathematics and computer science Also BSAFE-Java easily identiable by watermark.

ECDSA nonce

Attack — Example: BSAFE-Java 32/46

s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq x P xp‚Pq xpdRq p‚ q s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

/ department of mathematics and computer science Attack — Example: BSAFE-Java 32/46

s0 sc2 s5 xp‚Pq xp‚Pq xp‚Pq x P xp‚Pq xpdRq p‚ q s1 s3 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r3 r4

Exposesserver longterm random secretECDHE priv. key key! ECDSA nonce ‚P ‚P Impersonation attackECDHE possible! public key ECDSA signature

31 average cost: 2 pCv ` 5Cf q

Also BSAFE-Java easily identiable by watermark. / department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDH key

Attack — BSAFE-C 33/46

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDH key

Attack — BSAFE-C 33/46

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s3 s5 x P x P x P xp‚Pq p‚ q p‚ q p‚ q sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDH key

Attack — BSAFE-C 33/46

s0 xp‚Pq

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s3 s5 x P x P x P xp‚Pq p‚ q p‚ q p‚ q sc2 s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

session ID server random EDH key

Attack — BSAFE-C 33/46

s0 xp‚Pq

s1 xp‚Qq

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s3 s5 x P x P x P xp‚Pq p‚ q p‚ q p‚ q sc2 s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

session ID server random EDH key

Attack — BSAFE-C 33/46

s0 xp‚Pq

s1 xp‚Qq

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s3 s5 xp‚Pq xp‚Pq xp‚Pq

sc s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

session ID server random EDH key

Attack — BSAFE-C 33/46

s0 x P p‚ q xp‚Pq s1 s2 xp‚Qq

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s3 s5 xp‚Pq xp‚Pq xp‚Pq

sc s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

session ID server random EDH key

Attack — BSAFE-C 33/46

s0 x P p‚ q xp‚Pq s1 s2 xp‚Qq xp‚Qq

r1 r2

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s3 s5 xp‚Pq xp‚Pq xp‚Pq

sc s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

session ID server random EDH key

Attack — BSAFE-C 33/46

s0 x P p‚ q xp‚Pq s1 s2 xp‚Qq xp‚Qq

r1 r2

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s5 xp‚Pq xp‚Pq

sc s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

session ID server random EDH key

Attack — BSAFE-C 33/46

s0 s3 x P x P p‚ q xp‚Pq p‚ q s1 s2 xp‚Qq xp‚Qq

r1 r2

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s5 xp‚Pq xp‚Pq

sc s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

server random EDH key

Attack — BSAFE-C 33/46

s0 s3 x P x P p‚ q xp‚Pq p‚ q s1 s2 xp‚Qq xp‚Qq

r1 r2

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s5 xp‚Pq xp‚Pq

sc s4 xpdRq xp‚Qq xp‚Qq

rc r2 r4

EDH key

Attack — BSAFE-C 33/46

s0 s3 x P x P p‚ q xp‚Pq p‚ q s1 s2 xp‚Qq xp‚Qq

r1 r2

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s5 xp‚Pq

sc xpdRq xp‚Qq xp‚Qq

rc r2 r4

EDH key

Attack — BSAFE-C 33/46

s0 s3 x P x P x P p‚ q xp‚Pq p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq

r1 r2

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s5 xp‚Pq

sc xpdRq xp‚Qq

rc r2

EDH key

Attack — BSAFE-C 33/46

s0 s3 x P x P x P p‚ q xp‚Pq p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

s5 xp‚Pq

sc xpdRq xp‚Qq

rc r2

EDH key

Attack — BSAFE-C 33/46

s0 s3 x P x P x P p‚ q xp‚Pq p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

sc xpdRq xp‚Qq

rc r2

EDH key

Attack — BSAFE-C 33/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4

session ID server random DHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

sc xpdRq xp‚Qq

rc r2

Attack — BSAFE-C 33/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

sc xpdRq xp‚Qq

rc r2

Attack — BSAFE-C 33/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

sc xpdRq xp‚Qq

rc r2

Attack — BSAFE-C 33/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

sc xpdRq xp‚Qq

Attack — BSAFE-C 33/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 s2 s4 xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

xp‚Qq

Attack — BSAFE-C 33/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

Attack — BSAFE-C 33/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

Attack — BSAFE-C 33/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4 ?

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

Attack — BSAFE-C 33/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

Attack — BSAFE-C 33/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

15 average cost: 2 pCv ` Cf q

Attack — BSAFE-C 33/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

/ department of mathematics and computer science 30 ¨

Attack — BSAFE-C 33/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

15 average cost: 2 pCv ` Cf q

/ department of mathematics and computer science Attack — BSAFE-C 33/46

s0 s3 s5 x P x P x P x P p‚ q xp‚Pq p‚ q p‚ q p‚ q s1 sc2 s4 xpdRq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4

session ID server random EDHDHE key

15 average cost: 30 ¨ 2 pCv ` Cf q

/ department of mathematics and computer science 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q

sc xpdRq

Attack — SChannel 34/46

s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 s2 s4 s5 xp‚Qq xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4 r5

session ID ECDHE priv. key server random

‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature

/ department of mathematics and computer science 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q

sc xpdRq

Attack — SChannel 34/46

s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 s2 s4 s5 xp‚Qq xp‚Qq xp‚Qq xp‚Qq

r1 r2 r4 r5

session ID ECDHE priv. key server random

‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature

/ department of mathematics and computer science 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q

Attack — SChannel 34/46

s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 sc2 s4 s5 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4 r5 ?

session ID ECDHE priv. key server random

‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature

/ department of mathematics and computer science 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q

Attack — SChannel 34/46

s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 sc2 s4 s5 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4 r5

session ID ECDHE priv. key server random

‚P ? ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature

/ department of mathematics and computer science 33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q

Attack — SChannel 34/46

s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 sc2 s4 s5 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4 r5

session ID ECDHE priv. key server random

‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature

/ department of mathematics and computer science Attack — SChannel 34/46

s0 s3 s6 x P x P xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q s1 sc2 s4 s5 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rc1 r2 r4 r5

session ID ECDHE priv. key server random

‚P ECDSA nonce %20,000 ECDHE public key ‚P ECDSA signature

33 17 average cost: 2 pCv ` Cf q ` 2 p5Cf q

/ department of mathematics and computer science 31 average cost: 2 pCv ` 4Cf q

sc xpdRq

Attack — SChannel (cont.) 35/46

prev. connection curr. connection

1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q

s´3 s´1 s0 s1 s2 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

r´3 r´1 r0 r1 r2

server random ECDSA nonce session ID

‚P ECDSA signature ECDHE priv. key

‚P ECDHE public key

/ department of mathematics and computer science 31 average cost: 2 pCv ` 4Cf q

sc xpdRq

Attack — SChannel (cont.) 35/46

prev. connection curr. connection

1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q

s´3 s´1 s0 s1 s2 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

r´3 r´1 r0 r1 r2

server random ECDSA nonce session ID

‚P ECDSA signature ECDHE priv. key

‚P ECDHE public key

/ department of mathematics and computer science 31 average cost: 2 pCv ` 4Cf q

Attack — SChannel (cont.) 35/46

prev. connection curr. connection

1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q

s´3 ss´c1 s0 s1 s2 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rr´c3 r´1 r0 r1 r2

server random ECDSA nonce session ID

‚P ? ECDSA signature ECDHE priv. key

‚P ECDHE public key

/ department of mathematics and computer science 31 average cost: 2 pCv ` 4Cf q

Attack — SChannel (cont.) 35/46

prev. connection curr. connection

1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q

s´3 ss´c1 s0 s1 s2 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rr´c3 r´1 r0 r1 r2

server random ECDSA nonce session ID

‚P ECDSA signature ECDHE priv. key

‚P ECDHE public key

/ department of mathematics and computer science Attack — SChannel (cont.) 35/46

prev. connection curr. connection

1 s´4 s´2 s0 s3 x P x P x P xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q xp‚Pq xp‚Pq p‚ q

s´3 ss´c1 s0 s1 s2 xpdRq xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq

rr´c3 r´1 r0 r1 r2

server random ECDSA nonce session ID

‚P ECDSA signature ECDHE priv. key

‚P ECDHE public key

31 average cost: 2 pCv ` 4Cf q

/ department of mathematics and computer science 15 20 k l 13 average cost: 2 pCv ` Cf q ` 2 ` ` p2Cf q ` 2 p5Cf q

xpdRq

Attack — OpenSSL-ﬁxed 36/46

s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s1 s2 s4 s6 s7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq r1 r2 r4 r6 r7

session ID server random ECDHE key

‚P ECDHE public key

/ department of mathematics and computer science 15 20 k l 13 average cost: 2 pCv ` Cf q ` 2 ` ` p2Cf q ` 2 p5Cf q

xpdRq

Attack — OpenSSL-ﬁxed 36/46

session ID server random ECDHE key

‚P ECDHE public key

/ department of mathematics and computer science 15 20 k l 13 average cost: 2 pCv ` Cf q ` 2 ` ` p2Cf q ` 2 p5Cf q

Attack — OpenSSL-ﬁxed 36/46

s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s s s s s x1pdRq 2 4 6 7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq rc1 r2 r4 r6 r7 ?

session ID server random ECDHE key

‚P ECDHE public key

/ department of mathematics and computer science 15 20 k l 13 average cost: 2 pCv ` Cf q ` 2 ` ` p2Cf q ` 2 p5Cf q

Attack — OpenSSL-ﬁxed 36/46

s0 s3 s5 s8 ‚‘ Hpadin1q ‚‘ Hpadin4q ‚‘ Hpadin6q t1 xp‚Pq t4 t6 xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq xp‚Pq s s s s s x1pdRq 2 4 6 7 xp‚Qq xp‚Qq xp‚Qq xp‚Qq xp‚Qq rc1 r2 r4 r6 r7

session ID server random ECDHE key

‚P ECDHE public key

/ department of mathematics and computer science 15 20 k l 13 average cost: 2 pCv ` Cf q ` 2 ` ` p2Cf q ` 2 p5Cf q

Attack — OpenSSL-ﬁxed 36/46

session ID server random ECDHE key

‚P ECDHE public key

/ department of mathematics and computer science Attack — OpenSSL-ﬁxed 36/46

session ID server random ECDHE key

‚P ECDHE public key

15 20 k l 13 average cost: 2 pCv ` Cf q ` 2 ` ` p2Cf q ` 2 p5Cf q

/ department of mathematics and computer science Attack — Attack Timings 37/46

Intel Xeon CPU 16 ˆ AMD CPU Attack Avg. Time (min) # for 1s Tot. Time (min) BSAFE-C v1.1 0.26 16 0.04 BSAFE-Java v1.1 641 38,500 63.96 SChannel I 619 37,100 62.97 SChannel II 1,760 106,000 182.64 OpenSSL-xed I 0.04 3 0.02 OpenSSL-xed II 707 44,200 83.32 OpenSSL-xed III 2k ¨ 707 2k ¨ 44,200 2k ¨ 83.32

/ department of mathematics and computer science Attack — Attack Timings 37/46

/ department of mathematics and computer science xpdRq

144 bits!

Dual EC with P-384 and P-521 38/46

32 bytes

s0 s2 xp‚Pq xp‚Pq xp‚Pq

s1 ... xp‚Qq

server random

/ department of mathematics and computer science xpdRq

144 bits!

Dual EC with P-384 and P-521 38/46

48 bytes

s0 s2 xp‚Pq xp‚Pq xp‚Pq

s1 ... xp‚Qq

server random

/ department of mathematics and computer science Dual EC with P-384 and P-521 38/46

48 bytes

s0 s2 xp‚Pq xp‚Pq xp‚Pq xpdRq s1 ... xp‚Qq

r1 144 bits!

server random

/ department of mathematics and computer science Draft Proposal – Extended Random 39/46

Draft for a proposed TLS extension named Extended Random: 16 § allows client to request up to 2 random bytes,

§ has a weak motivation: The rationale for this as stated by DoD is that the public randomness for each side should be at least twice as long as the security level for cryptographic parity, which makes the 224 bits of randomness provided by the current TLS random values insufficient.

§ was co-authored by an employee of NSA.

/ department of mathematics and computer science xpdRq

Draft Proposal – Extended Random 40/46

s0 s2 xp‚Pq xp‚Pq xp‚Pq

s1 ... xp‚Qq

extended random

/ department of mathematics and computer science Draft Proposal – Extended Random 40/46

s0 s2 xp‚Pq xp‚Pq xp‚Pq xpdRq s1 ... xp‚Qq

extended random

/ department of mathematics and computer science How did we get here . . . 41/46

Ocial editors of SP800-90 are Elaine Barker and John Kelsey.

No editors stated for ANSI X9.82 nor for ISO 18031.

Interesting Dec 2013 slide deck by John Kelsey 800 90 and Dual EC DRBG.

§ Standardization eort by NIST and NSA, with some participation from CSE.

§ Most of work on standards done by US federal employees (NIST and NSA, with some help from CSE).

§ The standard Dual EC parameters P and Q come ultimately from designers of Dual EC DRBG at NSA.

/ department of mathematics and computer science NIST FOIA 42/46

Two FOIA requests by Andrew Crocker and Nate Cardozo of EFF and Matthew Stoller and Rep. Alan Grayson. Files hosted by Matt Green at https://github.com/matthewdgreen/nistfoia. Interesting documents, e.g.

This is most likely a reaction to the research on biases.

/ department of mathematics and computer science Draft Proposal – Extended Random 43/46 From 011 9.12 Choosing a DRBG Algorithm.pdf

/ department of mathematics and computer science Draft Proposal – Extended Random 44/46

/ department of mathematics and computer science Hat tip @nymble. Certicom patents 45/46

The Canadian company Certicom (now part of Blackberry) has patents in multiple countries on

§ Dual EC exploitation: the use of Dual EC for key escrow (i.e., for a deliberate back door)

§ Dual EC escrow avoidance: modifying Dual EC to avoid key escrow. The patent ling history also shows that

§ Certicom knew the Dual EC back door by 2005;

§ NSA was informed of the Dual EC back door by 2005, even if they did not know it earlier;

§ the patent application, including examples of Dual EC exploitation, was publicly available in July 2006, just a month after SP800-90 was standardized. http://projectbullrun.org/dual-ec/patent.html

/ department of mathematics and computer science § may contain a back door (can neither be proven nor disproven),

§ allows the back-door owner to compute all future random outputs,

§ makes aw in DSS a back door that allows impersonation,

§ proven to be practical in various TLS libraries,

§ was default RNG in RSA's BSAFE library,

§ back door becomes even stronger with proposed Extended Random,

§ it is not only standardized but even patented.

Don’t useHow to x Dual it? EC!

Summary 46/46

Dual EC a standardized back door:

§ (co-)authored by NSA,

/ department of mathematics and computer science § allows the back-door owner to compute all future random outputs,

§ makes aw in DSS a back door that allows impersonation,

§ proven to be practical in various TLS libraries,

§ was default RNG in RSA's BSAFE library,

§ back door becomes even stronger with proposed Extended Random,

§ it is not only standardized but even patented.

Don’t useHow to x Dual it? EC!

Summary 46/46

Dual EC a standardized back door:

§ (co-)authored by NSA,

§ may contain a back door (can neither be proven nor disproven),

/ department of mathematics and computer science § makes aw in DSS a back door that allows impersonation,

§ proven to be practical in various TLS libraries,

§ was default RNG in RSA's BSAFE library,

§ back door becomes even stronger with proposed Extended Random,

§ it is not only standardized but even patented.

Don’t useHow to x Dual it? EC!

Summary 46/46

Dual EC a standardized back door:

§ (co-)authored by NSA,

§ may contain a back door (can neither be proven nor disproven),

§ allows the back-door owner to compute all future random outputs,

/ department of mathematics and computer science § proven to be practical in various TLS libraries,

§ was default RNG in RSA's BSAFE library,

§ back door becomes even stronger with proposed Extended Random,

§ it is not only standardized but even patented.

Don’t useHow to x Dual it? EC!

Summary 46/46

Dual EC a standardized back door:

§ (co-)authored by NSA,

§ may contain a back door (can neither be proven nor disproven),

§ allows the back-door owner to compute all future random outputs,

§ makes aw in DSS a back door that allows impersonation,

/ department of mathematics and computer science § was default RNG in RSA's BSAFE library,

§ back door becomes even stronger with proposed Extended Random,

§ it is not only standardized but even patented.

Don’t useHow to x Dual it? EC!

Summary 46/46

Dual EC a standardized back door:

§ (co-)authored by NSA,

§ may contain a back door (can neither be proven nor disproven),

§ allows the back-door owner to compute all future random outputs,

§ makes aw in DSS a back door that allows impersonation,

§ proven to be practical in various TLS libraries,

/ department of mathematics and computer science § back door becomes even stronger with proposed Extended Random,

§ it is not only standardized but even patented.

Don’t useHow to x Dual it? EC!

Summary 46/46

Dual EC a standardized back door:

§ (co-)authored by NSA,

§ may contain a back door (can neither be proven nor disproven),

§ allows the back-door owner to compute all future random outputs,

§ makes aw in DSS a back door that allows impersonation,

§ proven to be practical in various TLS libraries,

§ was default RNG in RSA's BSAFE library,

/ department of mathematics and computer science § it is not only standardized but even patented.

Don’t useHow to x Dual it? EC!

Summary 46/46

Dual EC a standardized back door:

§ (co-)authored by NSA,

§ may contain a back door (can neither be proven nor disproven),

§ allows the back-door owner to compute all future random outputs,

§ makes aw in DSS a back door that allows impersonation,

§ proven to be practical in various TLS libraries,

§ was default RNG in RSA's BSAFE library,

§ back door becomes even stronger with proposed Extended Random,

/ department of mathematics and computer science Don’t useHow to x Dual it? EC!

Summary 46/46

Dual EC a standardized back door:

§ (co-)authored by NSA,

§ may contain a back door (can neither be proven nor disproven),

§ allows the back-door owner to compute all future random outputs,

§ makes aw in DSS a back door that allows impersonation,

§ proven to be practical in various TLS libraries,

§ was default RNG in RSA's BSAFE library,

§ back door becomes even stronger with proposed Extended Random,

§ it is not only standardized but even patented.

/ department of mathematics and computer science Don’t use Dual EC!

Summary 46/46

Dual EC a standardized back door:

§ (co-)authored by NSA,

§ may contain a back door (can neither be proven nor disproven),

§ allows the back-door owner to compute all future random outputs,

§ makes aw in DSS a back door that allows impersonation,

§ proven to be practical in various TLS libraries,

§ was default RNG in RSA's BSAFE library,

§ back door becomes even stronger with proposed Extended Random,

§ it is not only standardized but even patented.

How to x it?

/ department of mathematics and computer science Summary 46/46

Dual EC a standardized back door:

§ (co-)authored by NSA,

§ may contain a back door (can neither be proven nor disproven),

§ allows the back-door owner to compute all future random outputs,

§ makes aw in DSS a back door that allows impersonation,

§ proven to be practical in various TLS libraries,

§ was default RNG in RSA's BSAFE library,

§ back door becomes even stronger with proposed Extended Random,

§ it is not only standardized but even patented.

Don’t useHow to x Dual it? EC!

/ department of mathematics and computer science