Removable Weak Keys for Discrete Logarithm Based Cryptography

TL;DR

This paper introduces a new class of weak private keys in discrete logarithm cryptosystems caused by parameter choices, and provides algorithms to identify and recover such keys, revealing vulnerabilities in many existing elliptic curves.

Contribution

The paper presents a novel type of weak private keys based on parameter choices and algorithms to detect and recover them, impacting the security of standard elliptic curves.

Findings

Many standard elliptic curves have numerous weak private keys.

Algorithms can efficiently identify and recover weak keys.

None of the Certicom Challenge instances are weak under the proposed criteria.

Abstract

We describe a novel type of weak cryptographic private key that can exist in any discrete logarithm based public-key cryptosystem set in a group of prime order $p$ where $p-1$ has small divisors. Unlike the weak private keys based on \textit{numerical size} (such as smaller private keys, or private keys lying in an interval) that will \textit{always} exist in any DLP cryptosystems, our type of weak private keys occurs purely due to parameter choice of $p$, and hence, can be removed with appropriate value of $p$. Using the theory of implicit group representations, we present algorithms that can determine whether a key is weak, and if so, recover the private key from the corresponding public key. We analyze several elliptic curves proposed in the literature and in various standards, giving counts of the number of keys that can be broken with relatively small amounts of computation. Our results show that many of these curves, including some from standards, have a considerable number of such weak private keys. We also use our methods to show that none of the 14 outstanding Certicom Challenge problem instances are weak in our sense, up to a certain weakness bound.