The Curious Case of WebCrypto Diffie-Hellman on Firefox - Small Subgroups Key Recovery Attack on DH

tl;dr Mozilla Firefox prior to version 72 suffers from a Small Subgroups Key Recovery Attack on DH in the WebCrypto API. The Firefox team fixed the issue by removing support for DH over finite fields entirely (it is not part of the WebCrypto standard). If you find this interesting, read further below.

Premise

In this blog post I assume you are already knowledgeable about Diffie-Hellman over finite fields and related attacks. If not, I recommend reading any cryptography book that covers public key cryptography. Here is a really cool simple explanation by David Wong:

I found a cooler way to explain Diffie-Hellman :D — David Wong (@cryptodavidw) January 4, 2020

If you want more details about the Small Subgroups Key Recovery Attack on DH, I covered some background in one of my previous posts (OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)). There is also an academic paper where we examine the issue with more rigor.
Recent posts

Side channel timing attacks against (EC)DSA in RSA BSAFE CVE-2019-3739/CVE-2019-3740 - Project Wycheproof is the AFL for Cryptography

About a year ago I wrote this tweet, and now I can finally justify it:

Project Wycheproof is the AFL of #crypto. Thanks a lot @XorNinja and team (notably including Bleichenbacher) for providing such a powerful tool — Antonio Sanso (@asanso) April 9, 2018

That is more or less when I found the vulnerabilities discussed in this short post.

Introduction

RSA BSAFE is a FIPS 140-2 validated cryptography library offered by RSA Security (now Dell). After almost a year, they have just published an advisory containing fixes for two vulnerabilities I found in their Java ECDSA (CVE-2019-3739) and DSA (CVE-2019-3740) implementations. But here comes the sweet part: I shamelessly did not do too much in order to find them. The credit indeed all goes to Project Wycheproof: a project that tests crypto libraries against known attacks, developed and maintained by members of Google Security (notably Daniel Bleichenbacher and Thai Duong).

DSA Inf

SIAM Conference on Applied Algebraic Geometry 2019 - Isogenies mini-symposium

So here we are in the nice city of Bern, in the Teutonic Switzerland, for the SIAM Conference on Applied Algebraic Geometry 2019, which this year counts more than 750 attendees! The weather is warm enough, but the isogenies topic has never been so hot! So for this edition of the conference Tanja Lange, Chloe Martindale and Lorenz Panny managed to organise a really great isogenies mini-symposium spread over 4 days.

Day #1

Day #1 started strong. After a quick overview of isogenies by Chloe Martindale and Lorenz Panny, including an introduction to SIDH and CSIDH, the invited speakers took the stage: Daniel J. Bernstein spoke about one of his recent papers (joint work with Tanja Lange, Chloe Martindale and Lorenz Panny) where they study quantum evaluation of isogenies with a particular focus on CSIDH. In the initial part of his talk he introduced the hidden-shift problem in its isogeny version and the Kuperberg algorithm.

Thomas Decru ha

On Isogenies Verifiable Delay Functions (VDF)

This continues the post from part 1. In the previous post we discussed Verifiable Delay Functions. Here is a quick summary of what we discussed in the first part:

We covered the definition of Verifiable Delay Functions (VDF).
We have seen a short history of how this idea slowly developed.
We hinted at the existence of some constructions.
We described some applications with an eye on the blockchain world.

In this post we will switch gear and focus on a particular construction: the isogenies VDF (a construction defined by Luca De Feo, Simon Masson, Christophe Petit and myself). We try to keep the description as easy as possible, simplifying many things, without worrying too much about mathematical rigor (which risks becoming mathematical rigor mortis :)), so mathematicians out there, I beg your pardon!

Isoge WHAT?

Isogeny based cryptography is the latest baby in the (cryptography) family. Below you can see a short history of isogeny based cryp