Indiscreet Logs: Diffie-Hellman Backdoors in TLS (NDSS 2017)
    Kristen Dorey and Nicholas Chang-Fong and Aleksander Essex

@inproceedings{DBLP:conf/ndss/DoreyCE17,
  author    = {Kristen Dorey and Nicholas Chang-Fong and Aleksander Essex},
  title     = {Indiscreet Logs: Diffie-Hellman Backdoors in {TLS}},
  booktitle = {24th Annual Network and Distributed System Security Symposium, {NDSS}
               2017, San Diego, California, USA, February 26 - March 1, 2017},
  year      = {2017},
  url       = {https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/indiscreet-logs-persistent-diffie-hellman-backdoors-tls/},
  timestamp = {Tue, 16 Jan 2018 15:43:37 +0100},
  biburl    = {https://dblp.org/rec/bib/conf/ndss/DoreyCE17},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}

Software implementations of discrete logarithm based cryptosystems over finite fields typically make the assumption that any domain parameters they encounter define cyclic groups for which the discrete logarithm problem is assumed to be hard. In this paper we explore this trust assumption and examine situations where it may not be justified. In particular we focus on groups for which the order is unknown and not easily determined, and explore the scenario in which the modulus is trapdoored to make computing discrete logarithms efficient for an entity with knowledge of the trapdoor, while simultaneously leaving its very existence as a matter of speculation to everyone else.

We conducted an investigation of discrete logarithm domain parameters in use across the Internet and discovered a multitude of instances of groups of unknown order in use in TLS and STARTTLS spanning numerous countries, organizations, and implementations. Although our disclosures resulted in a number of organizations taking down their suspicious parameters, none were able or willing to rule out the possibility that their parameters were trapdoors, and obtaining conclusive evidence in each case could be as hard as factoring an RSA modulus, highlighting a key feature of this attack method: deniability.
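A defender-side check in the spirit of the abstract, added here as an illustration and not code from the paper: it classifies a Diffie-Hellman modulus p as a safe prime (group order fully known), as a prime whose (p-1)/2 is composite (order unknown to anyone without the factorisation, the "group of unknown order" the abstract describes), or as not prime at all, and it verifies a published subgroup order q for a generator g. The small moduli in the test are constructed for illustration, not taken from any deployment.

```python
"""Audit a DH modulus for whether its group order can be established.

A safe prime p = 2q + 1 with q prime has a known order, so the subgroup
used by a generator can be checked. If (p - 1)/2 is composite and no
factorisation is published, the order is unknown and cannot be audited.
"""
import random

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test; error probability at most 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2**s * d with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a witness for compositeness was found
    return True

def classify_dh_modulus(p: int) -> str:
    """'safe-prime' (order known), 'unknown-order', or 'not-prime'."""
    if not is_probable_prime(p):
        return "not-prime"
    if is_probable_prime((p - 1) // 2):
        return "safe-prime"
    return "unknown-order"

def generator_has_order(p: int, g: int, q: int) -> bool:
    """Check a claimed prime subgroup order q: q | p-1 and g**q == 1 mod p.

    This is the check an implementation can run when q is published with
    the parameters; without q it has nothing to verify against.
    """
    if not (1 < g < p - 1) or not is_probable_prime(q) or (p - 1) % q:
        return False
    return pow(g, q, p) == 1

if __name__ == "__main__":
    for p in (23, 71, 21):     # constructed toy moduli, not real parameters
        print(p, classify_dh_modulus(p))
```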