Slashdot Mirror

← Back to Stories (view on slashdot.org)

Discrete Logarithm Problem Partly Solved -- Time To Drop Some Crypto Methods?

Posted by Soulskill on from the now-let's-be-paranoid-that-the-NSA-solved-it-years-ago dept.

An anonymous reader points out this Science Daily report: "Researchers ... have solved one aspect of the discrete logarithm problem. This is considered to be one of the 'holy grails' of algorithmic number theory, on which the security of many cryptographic systems used today is based. They have devised a new algorithm that calls into question the security of one variant of this problem, which has been closely studied since 1976. The result ... discredits several cryptographic systems that until now were assumed to provide sufficient security safeguards. Although this work is still theoretical, it is likely to have repercussions especially on the cryptographic applications of smart cards, RFID chips , etc."

28 of 114 comments (clear)

  1. Is Diffie Hellman at risk? by Sun · · Score: 5, Interesting

    I really really skimmed the article, but I think it all boils to this one algorithm. If Diffie Hellman is at risk, then all of our "perfect forward security" reliance of SSL is gone.

    Shachar

    1. Re:Is Diffie Hellman at risk? by LordLimecat · · Score: 5, Insightful

      Seeing it on slashdot means nothing. Wait till a reputable source that DOESNT have a habit of blowing everything up into a crisis reports on this-- schneier's blog would be a good place to start.

    2. Re:Is Diffie Hellman at risk? by houstonbofh · · Score: 4, Interesting

      If Diffie Hellman is at risk, then all of our "perfect forward security" reliance of SSL is gone.

      Shachar

      Really, it was gone already, many times. The key generation bug, the heartbleed bug... Even if it works, it is still probably easier to exploit coding mistakes, and we seem to have enough of them.

    3. Re:Is Diffie Hellman at risk? by Sun · · Score: 5, Informative

      Posted it as a question there already.

      Here's the thing, however. From reading the article, it seems that DH was not, itself, broken. Here's the problem, however: DH is used for forward reference security. It is used to ensure that an adversary that captured the encrypted communication cannot be decrypted later, even if the RSA key is later compromised

      Which means that whether DH has already been broken is a moot question. The real question is whether it is likely to be broken in the near future (where what "near" means depends on what you're actually encrypting).

      Here is what Schneier usually has to say about that: Attacks always get better over time.

      Of course, the main problem with replacing DH is that we don't really have anything better on hand.

      Shachar

    4. Re:Is Diffie Hellman at risk? by Kjella · · Score: 2

      Of course, the main problem with replacing DH is that we don't really have anything better on hand.

      Actually there is no need for DH, you can create a new throwaway RSA private/public key pair on both sides, sign it with your main key, use the throwaway keys to transfer the session key then wipe the throwaway keys. The problem with this approach is that generating a new RSA key pair for every session + transferring new key + extra round trips is a really slow process compared to DH.

      --
      Live today, because you never know what tomorrow brings
    5. Re:Is Diffie Hellman at risk? by russotto · · Score: 2

      Breaking the discrete logarithm problem breaks both DH and RSA; obtaining the private exponent from the RSA public key can be done by solving the discrete logarithm problem. However, this algorithm solves the discrete logarithm problem only for certain fields (Galois fields of small characteristic), and I don't believe those are the ones interesting for RSA or DH. (RSA uses a composite group; DH uses a prime field of large characteristic)

    6. Re:Is Diffie Hellman at risk? by lister+king+of+smeg · · Score: 2

      A better way to handle this would probably be to have the client generate the session key and encrypt it with the servers public key, this would distribute the load for generating keys away form the server so they would not be as easily DOS'ed.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    7. Re:Is Diffie Hellman at risk? by maharvey · · Score: 2

      No of course not. Ignorance is considered irresponsible, foolish, and lazy unless you're a neophyte. And while faith is desirable, faith is best based on knowledge, experience, and reason. Faith which cannot be defended by reason or evidence is considered weak and shaky, but better than no faith at all. Sharing evidences of what you have faith in is a very popular activity and is considered healthy and encouraging for all.

      People seriously believe that?

  2. Almost first post! by Anonymous Coward · · Score: 2

    However, someone intercepted the message, cracked slashdot's https rsa key, modified this message, then submitted it on my behalf.

    1. Re:Almost first post! by Sun · · Score: 5, Interesting

      RSA does not rely on discrete log. It rather relies on discrete root.

      Dlog is the base, however, to almost any other public key algorithm out there which isn't elliptic curve. This includes Diffie Hellman, El-Gamal, DSA, Schnor and I'm sure others as well.

      My reading of the article is that those are not yet borken, per se (spelling mistake left in intentionally). Since Diffie Hellman is primarily used for forward reference security, however (i.e. - figuring out a session key that will not be compromised even if the private key later is), the question is not whether it is safe today. The question is whether it will remain safe for the foreseeable future.

      If attacks on dlog are beginning to become practical, the answer is "less and less".

      Shachar

    2. Re:Almost first post! by TeknoHog · · Score: 2

      RSA does not rely on discrete log. It rather relies on discrete root.

      Dlog is the base, however, to almost any other public key algorithm out there which isn't elliptic curve. This includes Diffie Hellman, El-Gamal, DSA, Schnor and I'm sure others as well.

      Discrete log is certainly being used with elliptic curves. EC isn't really an algorithm, but an alternative "number system" that is well suited for crypto (the common alternative is finite/Galois fields).

      --
      Escher was the first MC and Giger invented the HR department.
  3. Springer Verlag says by Mister+Liberty · · Score: 2

    All your Logs are belong to us.

  4. Probably known already by Animats · · Score: 2

    If this is just being publicly announced now, it was probably known to NSA, the GRU, and the MSS years ago. The superpower security agencies put substantial resources into cryptanalytic number theory.

    Early public key cryptosystems used the knapsack problem. That turned out to have reasonably easy solutions. Factoring products of two big primes may be all we have left. That's believed to be hard, but there's no proof of a lower bound on it.

    1. Re:Probably known already by Anonymous Coward · · Score: 2, Interesting

      Unless they are keeping keys to the algorithm that no one else has, and which cannot be determined after the fact. This is essentially the issue that they were accused of in regards to the elliptic curve random number generator they had put forward as a standard.

    2. Re:Probably known already by vadim_t · · Score: 4, Insightful

      No, like the [Dual EC DRBG](http://en.wikipedia.org/wiki/Dual_EC_DRBG) controversy.

      I love it how people (shills?) keep bringing up DES S-boxes, as if they had anything to do with anything. The thing with DES was in 1975. Almost 40 years ago. Since then the NSA went through 10 directors, and the US through 8 presidents. And most of the staff in high positions died or retired.

      It's ridiculous to try to pretend that something nice a completely different NSA did 40 years ago has the slightest relevance to today's completely different environment and politics.

  5. arXiv link (to the technical paper) by l2718 · · Score: 5, Informative

    TFA links to the published version on SpringerLink, which is paywalled. A free preprint is available on the arXiv.

    1. Re:arXiv link (to the technical paper) by l2718 · · Score: 2

      Yes; the preprint was posted to arXiv when the research was completed. Obviously Science Magazine (the source for the slashdot posting) prefers to write about results when the journal article comes out later, because otherwise the magazine would to check the preprints for correctness on its own, which it can't be expected to do.

  6. Somewhat by l2718 · · Score: 5, Interesting

    Reading the paper, the most notable feature is that their algorithm is efficiency for constant characteristic, including the common case of fields of characteristic 2. It's also okay for the characteristic to grow somewhat with the size of the field, but not very fast.

    This is not at all relevant to most implementations of DH, which use prime fields of large characteristic. For example, DSA depends on discrete log modulu a large prime p. In particular, I wouldn't worry about forward secrecy of current internet traffic.

  7. It's still NP. by mark-t · · Score: 4, Informative

    As I understand it, they've simplified the problem to a compiexity of O(n^log(n))... this is still non-polynomial time... but the rate of complexity growth is effectively polynomial. If I understand correctly, that means that the additional security that was formerly thought to be obtained by merely doubling cryptographic key length must now be obtained by squaring it.

    --
    File under 'M' for 'Manic ranting'
    1. Re:It's still NP. by l2718 · · Score: 3, Informative

      Squaring key lengths would be entirely impractical. That said, the improvements only apply to a case of discrete log which isn't actually in use. Cryptographic algorithms generally depend on hardness of discrete log mod p (p a large prime), not in the field with p^k (p fixed, k large).

    2. Re:It's still NP. by ShadowRangerRIT · · Score: 2, Insightful

      That's not how big-O notation works. O() is not a function, you can't just rearrange the components. There isn't even a constant factor involved in either version of what you wrote. Who modded this informative?

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  8. Don't put Dlog to sleep so soon by iceco2 · · Score: 5, Insightful

    The result is on for fields with small characteristic, but the most commonly used finite fields in this context are the Zp for some prime p which have characteristic p.
    So though this is a very interesting result, I am not tossing out all my crypto suit yet.
    we should be cautiously seeking better alternatives, but the worst thing we can do is to panic and ditch well studied algorithms and implementations every time some progress is made on their cryptanalysis.

  9. Repercussion on SmartCards? by brainnolo · · Score: 3, Interesting

    SmartCards actually mostly rely on symmetric algorithms for most applications. The only commonly used public key algorithm is RSA, which is not based on discrete logarithm. This leaves DSA, among the relatively common algorithms, but that is rarely used on SmartCards. What would be interesting to know, is how EC-DSA is affected, since it is slowly replacing RSA because of the reduced key size.

  10. Re:Not much to see here. by l2718 · · Score: 2

    Yes, these elliptic curves address defined over a finite field, but there's no known connection between the discrete log problem for the field and for the elliptic curve.

  11. Hold the horses by WoOS · · Score: 2

    Even though I didn't really understood the math, two important points stick out from their description:

    1. a) Complexity is still n^O(log(n)). This is better than O(e^n) but still worse than O(n^c) for any fixed c.
    2. b) It is a heuristic and I couldn't find in their paper a statement how well this heuristics work, i.e. in how many cases it will find its (optimal/only) result and in how many not or only in a much more time.

    As far as I understood they empirically showed their approach to work on one example. A study showing the general feasibility of the heuristics would be more convincing (yeah, that's the engineer speaking not the mathematician).

    It should also be noted that the authors themselves write in their conclusion:
    "Compared to existing approaches, and in particular to the line of recent works [15,10], the practical relevance of our algorithm is not clear, and will be explored by further work."

    So, before running to conclusions maybe we should wait for the "further work".

  12. Re:Not much to see here. by SuricouRaven · · Score: 2

    Until you try to impliment them on hardware that can exist in the real world.

  13. Hype by Anonymous Coward · · Score: 2, Interesting

    I'm a cryptographer and the paper didn't even catch my eye when I was glancing this year's Eurocrypt papers. I also haven't heard anyone talk about it at work and this is despite all my coworkers working on crypto which would break if someone came up with a fast dlog algorithm in groups used in practice. The algorithm is purely for fields of small characteristic, which means that it's totally irrelevant for most practical applications, since typically one will work over subgroup of invertible elements for the finite field F_p, where the characteristic p is of the order of the security parameter (meaning it's huge).

    To me this looks like hype stemming from a popularizing science paper misunderstanding something (or misunderstanding it on purpose).

  14. Re:Not much to see here. by TechyImmigrant · · Score: 2

    Unless you're talking about the Dual EC DRBG.
      Prime fields are safer, but they are inconvenient. Elements in a GF(2**n) field map nicely to n bits.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.