Indiscreet discrete logarithms

In 2013 and 2014 a revolution took place in the understanding of the discrete logarithm problem (DLP) in finite fields of small characteristic. Consequently, many cryptosystems based on cryptographic pairings were rendered completely insecure, which serves as a valuable reminder that long-studied so-called hard problems may turn out to be far easier than initially believed. In this article, Robert Granger gives an overview of the surprisingly simple ideas behind some of the breakthroughs and the many computational records that have so far resulted from them

An Internet-Wide Analysis of Diffie-Hellman Key Exchange and X.509 Certificates in TLS

Transport Layer Security (TLS) is a mature cryptographic protocol, but has flexibility during implementation which can introduce exploitable flaws. New vulnerabilities are routinely discovered that affect the security of TLS implementations. We discovered that discrete logarithm implementations have poor parameter validation, and we mathematically constructed a deniable backdoor to exploit this flaw in the finite field Diffie-Hellman key exchange. We described attack vectors an attacker could use to position this backdoor, and outlined a man-in-the-middle attack that exploits the backdoor to force Diffie-Hellman use during the TLS connection. We conducted an Internet-wide survey of ephemeral finite field Diffie-Hellman (DHE) across TLS and STARTTLS, finding hundreds of potentially backdoored DHE parameters and partially recovering the private DHE key in some cases. Disclosures were made to companies using these parameters, resulting in a public security advisory and discussions with the CTO of a billion-dollar company. We conducted a second Internet-wide survey investigating X.509 certificate name mismatch errors, finding approximately 70 million websites invalidated by these errors and additionally discovering over 1000 websites made inaccessible due to a combination of forced HTTPS and mismatch errors. We determined that name mismatch errors occur largely due to certificate mismanagement by web hosting and content delivery network companies. Further research into TLS implementations is necessary to encourage the use of more secure parameters

Practical Attacks on Cryptographically End-to-end Verifiable Internet Voting Systems

Cryptographic end-to-end verifiable voting technologies concern themselves with the provision of a more trustworthy, transparent, and robust elections. To provide voting systems with more transparency and accountability throughout the process while preserving privacy which allows voters to express their true intent. Helios Voting is one of these systems---an online platform where anyone can easily host their own cryptographically end-to-end verifiable election, aiming to bring verifiable voting to the masses. Helios does this by providing explicit cryptographic checks that an election was counted correctly, checks that any member of the public can independently verify. All of this while still protecting one of the essential properties of open democracy, voter privacy. In spite of these cryptographic checks and the strong mathematical assertions of correctness they provide, this thesis discusses the discovery and exploit of three vulnerabilities. The first is the insufficient validation of cryptographic elements in Helios ballots uploaded by users. This allows a disgruntled voter to cast a carefully crafted ballot which will prevent an election from being tallied. The second vulnerability is the insufficient validation of cryptographic parameters used in ElGamal by an election official. This leads to an attack where the election official can upload weak parameters allowing the official to cast arbitrary votes in a single ballot. The final attack is a cross-site scripting attack that would allow anyone to steal or re-cast ballots on behalf of victims. We coordinated disclosure with the Helios developers and provided fixes for all the vulnerabilities outlined in the thesis. Additionally, this thesis adds to the body of work highlighting the fragility of internet voting applications and discusses the unique challenges faced by internet voting applications

Theory in Perpetual Motion and Translation: Assemblage and Intersectionality in Feminist Studies

This paper engages with the French theoretical concept of agencement developed by Gilles Deleuze and Félix Guattari and its English translation as assemblage which has been widely used in academic inquiries, including feminist analyses as well as philosophical and theoretical work. Although assemblage may be now called on to provide a corrective to intersectionality, not too long ago, intersectionality, with very similar arguments, was viewed to be the most promising alternative to categorical thinking. Résumé Cet article traite du concept théorique français de l’agencement élaboré par Gilles Deleuze et Félix Guattari et de sa traduction en anglais comme assemblage qui a été largement utilisé dans les recherches universitaires, y compris les analyses féministes ainsi que les travaux philosophiques et théoriques. Bien que l’assemblage puisse maintenant être appelé à fournir un correctif à l’intersectionnalité, il n’y a pas si longtemps, l’intersectionnalité, avec des arguments très similaires, était considérée comme l’alternative la plus prometteuse à la pensée catégorique

Cryptographic Group and Semigroup Actions

We consider actions of a group or a semigroup on a set, which generalize the setup of discrete logarithm based cryptosystems. Such cryptographic group actions have gained increasing attention recently in the context of isogeny-based cryptography. We introduce generic algorithms for the semigroup action problem and discuss lower and upper bounds. Also, we investigate Pohlig-Hellman type attacks in a general sense. In particular, we consider reductions provided by non-invertible elements in a semigroup, and we deal with subgroups in the case of group actions

Fooling primality tests on smartcards

We analyse whether the smartcards of the JavaCard platform correctly validate primality of domain parameters. The work is inspired by the paper Prime and prejudice: primality testing under adversarial conditions, where the authors analysed many open-source libraries and constructed pseudoprimes fooling the primality testing functions. However, in the case of smartcards, often there is no way to invoke the primality test directly, so we trigger it by replacing (EC)DSA and (EC)DH prime domain parameters by adversarial composites. Such a replacement results in vulnerability to Pohlig-Hellman style attacks, leading to private key recovery. Out of nine smartcards (produced by five major manufacturers) we tested, all but one have no primality test in parameter validation. As the JavaCard platform provides no public primality testing API, the problem cannot be fixed by an extra parameter check, %an additional check before the parameters are passed to existing (EC)DSA and (EC)DH functions, making it difficult to mitigate in already deployed smartcards

Asymptotic complexities of discrete logarithm algorithms in pairing-relevant finite fields

International audienceWe study the discrete logarithm problem at the boundary case between small and medium characteristic finite fields, which is precisely the area where finite fields used in pairing-based cryptosystems live. In order to evaluate the security of pairing-based protocols, we thoroughly analyze the complexity of all the algorithms that coexist at this boundary case: the Quasi-Polynomial algorithms, the Number Field Sieve and its many variants, and the Function Field Sieve. We adapt the latter to the particular case where the extension degree is composite, and show how to lower the complexity by working in a shifted function field. All this study finally allows us to give precise values for the characteristic asymptotically achieving the highest security level for pairings. Surprisingly enough, there exist special characteristics that are as secure as general ones