
Special number field sieve discrete log computation in a 1024-bit prime field - nanis
https://eprint.iacr.org/2016/961
======
tptacek
If you don't know what SNFS is, the headline is a little misleading. It hasn't
gotten easier to solve 1024 bit discrete logs (ie: to break 1024 bit FFDH) ---
though it's already presumed feasible to do so given state-level resources.

Instead, the authors have extended a proposed backdoor attack from the 1990s
to 1024 bit parameters. Specifically, they show that it is now practical to
generate a set of SNFS parameters that will produce a random-looking prime
with L=1024 N=160 (ie, a plausible DSA parameter). Since the prime is
generated to conform to SNFS, it's much easier to solve discrete logs in than
a general prime; the difficulty of attacking systems built on it is reduced
from state-level to university-level.

It was possible in the '90s to generate these weakened parameters, but not to
hide them effectively --- making them useless as NOBUS parameters. Two things
appear to have made this tricky: first, the primes in common use at the time
were 512/160, and the smaller gap between L/p and N/q gave less flexibility to
backdoor designers; secondly, we have much better compute available today.
Also, we (meaning them, not me) understand NFS a lot better than we used to.

This paper is interesting from a scientific standpoint and from the standpoint
of Kremlinology ("could NSA have done this to earlier systems? was this ever
in their repertoire?"). It's not as interesting from a practical perspective
today, because:

* 1024 bit FFDH is already presumed broken, and while the compute resources needed to attack SNFS-weakened 1024 bit FFDH might not be state-level, the logistical resources needed to get an SNFS-weakened 1024 bit prime deployed probably still are.

* The most common 1024 bit FFDH parameters we use are if not entirely verifiable than at least significantly more constrained than the parameters this paper generates (for instance, if not derived from the bits of pi, as some are, than at least sequential series of primes).

Most importantly: we've moved away as a field not only from FFDH itself, but
also from asymmetric systems with opaque parameters. The Curve25519
parameters, for instance, have clear, easily understood performance and
security rationales.

~~~
pbsd
The more important point to take away from this paper is not that 1024-bit is
already considered broken, so this doesn't matter. It's that the cost of
2048-bit DH---which is used and recommended today, and will stick around
forever---has roughly the cost of 1024-bit DH when coupled with a special
polynomial.

~~~
tptacek
So I'm clear, you're referring here to the bit from the "Lessons" section at
the end of the paper?

~~~
pbsd
I didn't realize that was in there, but yes.

~~~
tptacek
I guess another thing to take away from this is that the logistics of actually
deploying a SIGINT infrastructure based on breaking 1024-bit DH needs to take
into account that a university can break a single dlog in 80 minutes (and so
the NSA's hypothetical Utah data center can probably do it in under a minute)
if you can get SNFS-weakened parameters deployed.

That takes attacks against 1024 bit DH from a "special order, only for high
value target" sort of thing to a "file a ticket and wait a few minutes" kind
of thing.

~~~
pbsd
According to the Logjam paper, the 1024-bit individual logarithm would cost
around 30 (parallelizable) core-days once the group precomputation is over
with. Unless they're being exceedingly stingy with their hardware, 30 core-
days (less than a day in a single powerful workstation) would already be 'file
a ticket' levels of easy.

(Note that the time reported in this newer paper is calendar time---it's still
10 core-days, so quite comparable to the non-special variant.)

------
Cynddl
> _Our computations show that trapdoored primes are entirely feasible with
> current computing technology._

Can anyone explain to me what is the risk with such trapdoored primes? Thanks!

~~~
falcolas
_If_ I understand it correctly, it means that keys derived from such a prime
number (such as via DH Key Exchange) can be factored and messages decrypted in
a reasonable amount of time, where reasonable is less than a day.

I welcome correction.

EDIT: Time squeezed per tptacek, computation space reference removed per
schoen.

~~~
schoen
Also not "factored", but rather a discrete logarithm can be taken.

The apparent difficulty of factorization underlies some public-key systems
(like RSA), while the apparent difficulty of extracting discrete logarithms
underlies others (like Diffie-Hellman key exchange and DSA). This research is
about the second problem.

~~~
tptacek
The problems are closely related, and, in fact, the NFS algorithms are really
IFP algorithms.

