
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (2015) [pdf] - remx
https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf
======
adzm
FYI this is logjam from 2015 but still relevant.

[https://weakdh.org](https://weakdh.org)

------
Buge
I've said this before, but there's something I don't like about this paper: it
covers essentially 2 different things. That makes it confusing for people to
try to understand or summarize.

One part is the Logjam protocol flaw in TLS.

The other is the mathematical precomputation attack against DH. It would cost
$100M (well within NSA's budget) and matches capabilities shown in Snowden
slides. This seems to me like the more important half of the paper, but all
the media focused on the Logjam half.

~~~
cvwright
Are they really separable though? As I understood it, the precomputation
attack is what makes the discrete log attack practical for the size of primes
that you can get with the Logjam TLS vulnerability.

Otherwise the downgrade attack wouldn't be worth much if you still had to
spend years and years of computation to recover each weak DH secret.

At the same time, once the authors have spent several pages talking about the
practicality of NFS and the precomputation work, it's a logical next step to
speculate about what a more powerful adversary might do.

> This seems to me like the more important half of the paper, but all the
> media focused on the Logjam half.

Here we agree.

------
rnabel
(Related) How to Backdoor Diffie-Hellman

Discussion which contains a number of good comments about weakening DH:
[https://news.ycombinator.com/item?id=11973365](https://news.ycombinator.com/item?id=11973365)

Paper: [http://eprint.iacr.org/2016/644](http://eprint.iacr.org/2016/644)

------
zshrdlu
I wonder whether implementations follow the X9.42 parameter generation algorithm?

