The Goldilocks Prime for Enhanced Security (and Riddinghood, too)

Sitting comfortably? Well, once upon a time there were three bears, and they made some porridge. But the porridge was too hot, so they went for a walk in the woods. Blah, blah, blah, and the rest is history.

And so what has Goldilocks and the Three Bears got to do with Cybersecurity? Well, at the core of many of our secure tunnel connections — such as the one you are using now to connect to this article — is a magical little method known as ECDH (Elliptic Curve Diffie Hellman). With this Bob and Alice create their secret values for the session (a and b), and they pick a point on the curve at G. Bob passes bG and Alice passes aG, and they both end up with the same value of abG (and which is a point on the elliptic curve), and then can derive the secret key they will use for their session.

One of the most popular curves for this is Curve 25519, and which is used with Tor, and many other applications. Overall we use a prime number to define the security level of the curve, and for Curve 25519 it is 2²⁵⁵-19 (“did you see what we did there?”). But, there’s a problem, in that although we are using a 256-bit prime number, the security level is only equivalent to a 128-bit key. While this may be okay now for cracking, the power of the Cloud and GPUs could start to approach this, and our key could be cracked within…