<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Parag Mali - tag: diffie-hellman</title><description>Posts tagged diffie-hellman.</description><link>https://paragmali.com/</link><language>en-US</language><lastBuildDate>Sun, 19 Jul 2026 05:08:42 GMT</lastBuildDate><atom:link href="https://paragmali.com/tags/diffie-hellman/rss.xml" rel="self" type="application/rss+xml"/><item><title>How Elliptic Curves and Diffie-Hellman Break in Real Life: The Discrete Log Never Fell</title><link>https://paragmali.com/blog/how-elliptic-curves-and-diffie-hellman-break-in-real-life-th/</link><guid isPermaLink="true">https://paragmali.com/blog/how-elliptic-curves-and-diffie-hellman-break-in-real-life-th/</guid><description>No one has solved the discrete log on a strong curve or a 2048-bit group -- yet PS3, Android wallets, TPMs, CurveBall, and Logjam all fell. Here is exactly how.</description><pubDate>Sat, 18 Jul 2026 00:00:00 GMT</pubDate><content:encoded>
On a strong curve or a 2048-bit group, no one has ever solved the discrete logarithm in the field -- yet PlayStation 3 consoles, Android Bitcoin wallets, tamper-resistant TPMs, Windows certificate validation, and live TLS sessions all fell. Every one of those breaks attacked a layer the discrete-log math depends on but does not control: the per-signature nonce (PS3, Android, Minerva, TPM-Fail, LadderLeak), the curve and certificate parameters (CurveBall), or the negotiated strength (Logjam). A *reused* nonce surrenders the key from just two signatures; a *biased* nonce needs a statistical attack over many. The only discrete log ever computed here was Logjam&apos;s, against a downgrade-forced, export-crippled, shared 512-bit prime -- never a strong deployed curve. The fix is never a bigger curve. It is hedged, constant-time signing, validated parameters, and retiring export and shared groups.
&lt;h2&gt;1. Seven Breaks, One Unbroken Problem&lt;/h2&gt;
&lt;p&gt;On a well-chosen elliptic curve, the best attack anyone has ever fielded against the discrete logarithm is a square-root-time random walk that has barely moved since the 1970s [@hac-ch11][@teske-2001]. No deployed P-256, Curve25519, or secp256k1 key, and no standard 2048-bit Diffie-Hellman group, has ever had its discrete log solved in public. By every measurement we can make, the mathematics is holding.&lt;/p&gt;
&lt;p&gt;And yet. PlayStation 3 consoles were jailbroken [@fail0verflow-ps3-2010]. Android Bitcoin wallets were emptied [@bitcoin-android-2013]. Tamper-resistant TPMs certified to government standards surrendered their signing keys [@tpmfail-2020]. Windows accepted forged certificates that chained to a counterfeit authority [@curveball-cve-2020-0601]. Live TLS sessions were downgraded and decrypted in transit [@logjam-weakdh-2015]. Every one of those systems ran the discrete-log math exactly as specified. The math was never where they broke.&lt;/p&gt;
&lt;p&gt;That is the paradox this article resolves, and the resolution fits in one sentence: none of these attacks solved a discrete logarithm. Each attacked a layer the math &lt;em&gt;depends on but does not control&lt;/em&gt;. There are exactly three such layers, and they organize everything that follows:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;The per-signature nonce&lt;/strong&gt; -- the throwaway secret ECDSA needs for every signature. PS3, Android, Minerva, TPM-Fail, and LadderLeak all landed here.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The curve and certificate parameters&lt;/strong&gt; -- which curve, and whose generator, you are actually talking to. CurveBall landed here.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The negotiated strength&lt;/strong&gt; -- how strong a key exchange two parties agree to use before they exchange anything. Logjam landed here.&lt;/li&gt;
&lt;/ul&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; The discrete-logarithm assumption protects the private key against being &lt;em&gt;directly computed&lt;/em&gt; -- and nothing else. &quot;Nobody solved the discrete log&quot; and &quot;somebody recovered the private key&quot; are not contradictory statements, because the discrete-log &lt;em&gt;problem&lt;/em&gt; (genuinely hard) and a discrete-log &lt;em&gt;deployment&lt;/em&gt; (a nonce, some parameters, a negotiation) are different things. Every real break in this article lives in the gap between them.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;A note on scope. This piece treats the hardness of the elliptic-curve discrete logarithm as a black box: assume it holds, and watch everything around it fail. The structural mathematics of curve choice -- why one curve is weak and another is strong, how the number field sieve and Shor&apos;s algorithm actually work -- belongs to a companion article, &quot;How the Discrete Log Would Break: Elliptic Curves, Finite Fields, and Why Curve Choice Is the Weak Part.&quot; Here, we assume the strongbox is uncrackable and ask how the key kept getting out anyway.&lt;/p&gt;
&lt;p&gt;To see why a hard problem protects so little, you first have to see exactly what it promises -- and what it quietly leaves to the deployment.&lt;/p&gt;
&lt;h2&gt;2. What the Math Actually Promises&lt;/h2&gt;
&lt;p&gt;In 1976, Whitfield Diffie and Martin Hellman reduced the ancient problem of exchanging a secret over an open wire to a single piece of hard arithmetic: the discrete logarithm [@diffie-hellman-1976]. Two parties each pick a private exponent, exchange public powers of a shared generator, and combine them into a key that an eavesdropper cannot reconstruct without solving for one of those exponents.&lt;/p&gt;
&lt;p&gt;Nine years later, Victor Miller and, independently, Neal Koblitz moved the same hard problem onto elliptic curves [@miller-1985][@koblitz-1987]. Koblitz argued the curve version was &quot;likely to be harder than the classical discrete logarithm problem&quot; [@koblitz-1987] -- which is why a 256-bit curve buys security that a finite field needs thousands of bits to match. A clean, triumphant origin. So where did the promise leak?&lt;/p&gt;

Given a generator `G` and a public point `Q = dG` on an elliptic curve (or a base `g` and `g^d` in a finite field), recovering the secret integer `d` is the discrete logarithm problem. The security of ECDSA, ECDH, and Diffie-Hellman rests on the assumption that this recovery is computationally infeasible for well-chosen parameters. It is the one thing the math promises -- and, as we will see, the only thing.
&lt;p&gt;Signatures are where the story starts, because signatures introduce a second secret. The Elliptic Curve Digital Signature Algorithm (ECDSA) signs a message hash &lt;code&gt;z&lt;/code&gt; under a long-term private key &lt;code&gt;d&lt;/code&gt; by generating a fresh random value &lt;code&gt;k&lt;/code&gt;, computing a point &lt;code&gt;kG&lt;/code&gt;, taking its x-coordinate as &lt;code&gt;r&lt;/code&gt;, and producing:&lt;/p&gt;
&lt;p&gt;$$s = k^{-1},(z + r,d) \bmod n$$&lt;/p&gt;
&lt;p&gt;where &lt;code&gt;n&lt;/code&gt; is the order of the group. The verifier only ever sees &lt;code&gt;(r, s)&lt;/code&gt;. The private key &lt;code&gt;d&lt;/code&gt; is buried inside, protected by the discrete-log assumption -- nobody can read &lt;code&gt;d&lt;/code&gt; off the signature. But look at what else is in that equation.&lt;/p&gt;

The `k` in ECDSA is a *nonce*: a number used once. It must be secret, statistically uniform, and unique to each signature. It is not the private key, and it is thrown away the instant the signature is produced. It is also the single most load-bearing prerequisite in the whole scheme -- because `k` and `d` appear together in one linear equation, anything an attacker learns about `k` turns directly into knowledge of `d`.
&lt;p&gt;The discrete-log assumption guards &lt;code&gt;d&lt;/code&gt; against being &lt;em&gt;computed&lt;/em&gt; from the public key. It says nothing whatsoever about three things the assumption quietly depends on but does not itself enforce:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;The nonce &lt;code&gt;k&lt;/code&gt; must be secret, uniform, and unique.&lt;/strong&gt; The math assumes a perfect &lt;code&gt;k&lt;/code&gt; and never checks that you supplied one.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The parameters must be the standard, named ones.&lt;/strong&gt; The math assumes you are on the curve you think you are, with the generator you think you have.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The negotiated strength must not be crippled or shared.&lt;/strong&gt; The math assumes the group you agreed to use is actually strong.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Each of those is the deployment&apos;s responsibility, not the primitive&apos;s. And each one became a pillar of failure.&lt;/p&gt;

flowchart TD
    DLP[&quot;(EC)DLP is hard: d cannot be computed from the public key dG&quot;]
    DLP --&amp;gt; N[&quot;Depends on the per-signature nonce k&quot;]
    DLP --&amp;gt; P[&quot;Depends on the curve and certificate parameters&quot;]
    DLP --&amp;gt; G[&quot;Depends on the negotiated group strength&quot;]
    N --&amp;gt; P1[&quot;Pillar 1 nonce: PS3, Android, Minerva, TPM-Fail, LadderLeak&quot;]
    P --&amp;gt; P2[&quot;Pillar 2 validation: CurveBall&quot;]
    G --&amp;gt; P3[&quot;Pillar 3 downgrade: Logjam&quot;]
&lt;p&gt;The curve migration itself is not our subject.Miller (1985) and Koblitz (1987) are mentioned here only to fix the primitive&apos;s birth. Whether a &lt;em&gt;particular&lt;/em&gt; curve is structurally weak -- anomalous curves, small embedding degrees, the number field sieve, Shor&apos;s algorithm -- is the structural mathematics deferred to the companion article. This article assumes the curve is strong and attacks everything around it. The math guards the key against being computed. It says nothing about the key being &lt;em&gt;handed over&lt;/em&gt;. Three contracts govern that handover, and each one broke.&lt;/p&gt;
&lt;h2&gt;3. Three Contracts the Deployment Signs and Never Reads&lt;/h2&gt;
&lt;p&gt;Every cryptographic deployment signs a contract it never reads. There are three clauses, one for each layer the math leans on, and the fine print on all three is where real products sank.&lt;/p&gt;
&lt;h3&gt;The nonce contract: k must be fresh&lt;/h3&gt;
&lt;p&gt;Take the ECDSA signing equation and ask the cruelest possible question: what if &lt;code&gt;k&lt;/code&gt; is not unique? Suppose two different messages, with hashes &lt;code&gt;z1&lt;/code&gt; and &lt;code&gt;z2&lt;/code&gt;, are signed under the &lt;em&gt;same&lt;/em&gt; nonce &lt;code&gt;k&lt;/code&gt;. Because &lt;code&gt;r&lt;/code&gt; is the x-coordinate of &lt;code&gt;kG&lt;/code&gt;, the same &lt;code&gt;k&lt;/code&gt; produces the same &lt;code&gt;r&lt;/code&gt; in both signatures. Now write them down side by side:&lt;/p&gt;
&lt;p&gt;$$s_1 = k^{-1}(z_1 + r,d), \qquad s_2 = k^{-1}(z_2 + r,d) \pmod n$$&lt;/p&gt;
&lt;p&gt;Subtract. The &lt;code&gt;rd&lt;/code&gt; term is identical in both, so it cancels, and &lt;code&gt;k&lt;/code&gt; falls straight out:&lt;/p&gt;
&lt;p&gt;$$s_1 - s_2 = k^{-1}(z_1 - z_2), \qquad k = \frac{z_1 - z_2}{s_1 - s_2} \bmod n$$&lt;/p&gt;
&lt;p&gt;Once you know &lt;code&gt;k&lt;/code&gt;, the first equation has exactly one unknown left, and you solve for the private key by hand:&lt;/p&gt;
&lt;p&gt;$$d = \frac{s_1,k - z_1}{r} \bmod n$$&lt;/p&gt;
&lt;p&gt;No lattice. No side channel. No discrete log. &lt;a href=&quot;https://paragmali.com/blog/one-number-used-twice-how-a-repeated-nonce-hands-over-your-p/&quot; rel=&quot;noopener&quot;&gt;Two signatures that share a nonce&lt;/a&gt; are two linear equations in two unknowns, and a middle-schooler with modular arithmetic can finish the job.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The discrete-logarithm assumption protects &lt;code&gt;d&lt;/code&gt; against &lt;em&gt;direct computation from the public key&lt;/em&gt; -- and nothing else. It does not protect &lt;code&gt;d&lt;/code&gt; against being algebraically extracted when the nonce misbehaves. The moment two signatures reuse &lt;code&gt;k&lt;/code&gt;, the strongbox is irrelevant, because the deployment left a second door wide open.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The contract, then, is strict: &lt;code&gt;k&lt;/code&gt; must be secret, statistically uniform, and never reused or partially leaked. Break any word of that clause and the algebra above (or its statistical cousin, later) takes your key.&lt;/p&gt;
&lt;h3&gt;The parameter contract: talk to the curve you think you are&lt;/h3&gt;
&lt;p&gt;The second clause is about identity. A &lt;em&gt;named&lt;/em&gt; curve -- &quot;P-256,&quot; &quot;secp256k1&quot; -- is an agreement to use one specific set of domain parameters, and in particular one specific generator, the base point &lt;code&gt;G&lt;/code&gt; that every public key is measured against.&lt;/p&gt;

Every named elliptic curve fixes a single public point `G` from which all key material is derived: a private key `d` corresponds to the public point `dG`. The generator is not a secret -- it is a published constant. But it is load-bearing: &quot;the public key is `dG`&quot; is only meaningful if both sides agree on which `G`.

A certificate can specify its curve two ways. A *named curve* is an object identifier pointing at standardized domain parameters (fixed `a`, `b`, `p`, `G`, `n`). *Explicit parameters* spell out all of those numbers inline, which lets the certificate carry a *custom* generator. Accepting explicit parameters without checking them against a known named curve means trusting an attacker to tell you what `G` is.
&lt;p&gt;The contract: never trust attacker-supplied explicit parameters. A validator that checks a public &lt;em&gt;point&lt;/em&gt; but not the &lt;em&gt;generator&lt;/em&gt; it was measured against has, in effect, let the attacker choose the ruler and then declared the measurement correct. That is precisely the door CurveBall walked through [@curveball-cve-2020-0601].&lt;/p&gt;
&lt;h3&gt;The negotiation contract: agree to strength, not to a museum piece&lt;/h3&gt;
&lt;p&gt;The third clause governs what two parties agree to &lt;em&gt;before&lt;/em&gt; they exchange anything. In &lt;a href=&quot;https://paragmali.com/blog/nobody-broke-the-discrete-log-a-field-guide-to-diffie-hellma/&quot; rel=&quot;noopener&quot;&gt;ephemeral Diffie-Hellman&lt;/a&gt;, each side picks a fresh secret per connection, which is supposed to guarantee that compromising one session cannot retroactively expose others.&lt;/p&gt;

In ephemeral DH, the private exponents are generated fresh for each connection and discarded afterward, so a key recovered later cannot decrypt past sessions. This property is called forward secrecy. It is the reason &quot;just use a fresh ephemeral key&quot; feels like a complete defense -- and, as Logjam showed, the reason that feeling is dangerously incomplete.

In the 1990s, US export regulations capped the strength of cryptography shipped abroad, producing deliberately weakened cipher suites such as 512-bit `DHE_EXPORT` Diffie-Hellman [@logjam-weakdh-2015]. The policy was abandoned, but the code was not: two decades later, servers and libraries still spoke these crippled suites on request.
&lt;p&gt;The contract: the negotiated group must be strong, fresh, and unshared. The fine print that sank it: many servers ship the &lt;em&gt;same&lt;/em&gt; standardized 512-bit prime, so breaking one group breaks all of them at once [@logjam-weakdh-2015]. A fresh ephemeral exponent does not save you when the prime itself is weak and shared.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Contract&lt;/th&gt;
&lt;th&gt;What it requires&lt;/th&gt;
&lt;th&gt;What violates it&lt;/th&gt;
&lt;th&gt;Field break&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Nonce&lt;/td&gt;
&lt;td&gt;&lt;code&gt;k&lt;/code&gt; secret, uniform, unique per signature&lt;/td&gt;
&lt;td&gt;a constant, repeated, or biased &lt;code&gt;k&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;PS3, Android, Minerva, TPM-Fail, LadderLeak&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Parameter&lt;/td&gt;
&lt;td&gt;named curve, standard generator &lt;code&gt;G&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;trusting attacker-supplied explicit parameters&lt;/td&gt;
&lt;td&gt;CurveBall&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Negotiation&lt;/td&gt;
&lt;td&gt;strong, fresh, unshared group&lt;/td&gt;
&lt;td&gt;downgrade to a crippled, shared group&lt;/td&gt;
&lt;td&gt;Logjam&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Three contracts, three clauses of fine print. Over fifteen years, every clause was breached in the field -- and the breaches fall into exactly three piles.&lt;/p&gt;
&lt;h2&gt;4. The Failure Catalog: Seven Breaks, Three Layers, One Shape&lt;/h2&gt;
&lt;p&gt;None of the seven incidents below solved a discrete logarithm. Every one of them recovered a private key or forged a trusted one. Watch where each attack actually landed -- because the landing spot, not the marquee name, is the whole lesson.&lt;/p&gt;

timeline
    title EC and DH in the field, the assumption versus the breaks
    1976 : Diffie-Hellman, the assumption is born
    1985-1987 : Miller and Koblitz, the curve migration
    2010 : PS3 constant nonce, reuse
    2013 : Android SecureRandom, reuse
    2015 : Logjam, downgrade plus shared-prime NFS
    2019-2020 : Minerva and TPM-Fail, lattice bias
    2020 : LadderLeak, Bleichenbacher-Fourier sub-bit : CurveBall, unvalidated generator
&lt;p&gt;Here is the entire corpus on one page. The rightmost column is the thesis in a single word, repeated seven times.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Incident&lt;/th&gt;
&lt;th&gt;Year&lt;/th&gt;
&lt;th&gt;Pillar&lt;/th&gt;
&lt;th&gt;Mechanism&lt;/th&gt;
&lt;th&gt;Effort to break&lt;/th&gt;
&lt;th&gt;What fell&lt;/th&gt;
&lt;th&gt;Discrete log solved?&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;PS3&lt;/td&gt;
&lt;td&gt;2010&lt;/td&gt;
&lt;td&gt;Nonce (reuse)&lt;/td&gt;
&lt;td&gt;a constant &lt;code&gt;k&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;2 signatures&lt;/td&gt;
&lt;td&gt;ECDSA firmware-signing key&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Android wallets&lt;/td&gt;
&lt;td&gt;2013&lt;/td&gt;
&lt;td&gt;Nonce (reuse)&lt;/td&gt;
&lt;td&gt;repeated &lt;code&gt;k&lt;/code&gt; from a broken RNG&lt;/td&gt;
&lt;td&gt;2 reused signatures&lt;/td&gt;
&lt;td&gt;Bitcoin wallet keys&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Logjam&lt;/td&gt;
&lt;td&gt;2015&lt;/td&gt;
&lt;td&gt;Downgrade&lt;/td&gt;
&lt;td&gt;forced 512-bit shared prime&lt;/td&gt;
&lt;td&gt;1 NFS precompute per prime&lt;/td&gt;
&lt;td&gt;TLS session secrecy&lt;/td&gt;
&lt;td&gt;Only a crippled, shared 512-bit export prime&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;TPM-Fail&lt;/td&gt;
&lt;td&gt;2019-2020&lt;/td&gt;
&lt;td&gt;Nonce (bias)&lt;/td&gt;
&lt;td&gt;timing leak of nonce bit-length&lt;/td&gt;
&lt;td&gt;many signatures + lattice&lt;/td&gt;
&lt;td&gt;256-bit TPM keys&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Minerva&lt;/td&gt;
&lt;td&gt;2020&lt;/td&gt;
&lt;td&gt;Nonce (bias)&lt;/td&gt;
&lt;td&gt;timing leak of nonce bit-length&lt;/td&gt;
&lt;td&gt;about 2100 signatures + lattice&lt;/td&gt;
&lt;td&gt;ECDSA key&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;LadderLeak&lt;/td&gt;
&lt;td&gt;2020&lt;/td&gt;
&lt;td&gt;Nonce (bias)&lt;/td&gt;
&lt;td&gt;sub-bit ladder leak&lt;/td&gt;
&lt;td&gt;many signatures + Bleichenbacher/Fourier&lt;/td&gt;
&lt;td&gt;ECDSA key&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CurveBall&lt;/td&gt;
&lt;td&gt;2020&lt;/td&gt;
&lt;td&gt;Validation&lt;/td&gt;
&lt;td&gt;an unchecked generator&lt;/td&gt;
&lt;td&gt;1 forged certificate&lt;/td&gt;
&lt;td&gt;certificate trust itself&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Six &quot;No&quot;s and one heavily qualified &quot;Yes.&quot; Let us walk the three pillars in turn.&lt;/p&gt;
&lt;h3&gt;Pillar 1a: the nonce, reused (certain, from two signatures)&lt;/h3&gt;
&lt;p&gt;In December 2010, at the 27th Chaos Communication Congress, the group fail0verflow presented &quot;Console Hacking 2010&quot; and revealed that Sony had signed PlayStation 3 firmware using ECDSA with a &lt;em&gt;constant&lt;/em&gt; nonce [@fail0verflow-ps3-2010]. Not a weak random &lt;code&gt;k&lt;/code&gt;. The same &lt;code&gt;k&lt;/code&gt;, every time. Every signature Sony ever produced shared a nonce with every other, which means any two of them collapse to the algebra from Section 3.Keep two PS3 events distinct. fail0verflow&apos;s 27C3 talk exposed the constant-nonce &lt;em&gt;mechanism&lt;/em&gt;. George Hotz released a separate PS3 root key weeks later, in January 2011 [@hotz-ps3-2011]. The teaching case -- a hardcoded constant nonce -- is fail0verflow&apos;s. The console&apos;s chain of trust, the thing Sony spent years engineering, came apart because &lt;a href=&quot;https://paragmali.com/blog/predictable-or-repeated-the-only-two-ways-cryptographic-rand/&quot; rel=&quot;noopener&quot;&gt;a random number generator&lt;/a&gt; was told to always return the same number.&lt;/p&gt;

flowchart LR
    A[&quot;Sig 1: s1 = k^-1 (z1 + r d)&quot;] --&amp;gt; C[&quot;Same k means same r&quot;]
    B[&quot;Sig 2: s2 = k^-1 (z2 + r d)&quot;] --&amp;gt; C
    C --&amp;gt; D[&quot;Subtract, k cancels: k = (z1 - z2) / (s1 - s2) mod n&quot;]
    D --&amp;gt; E[&quot;Solve for d = (s1 k - z1) / r mod n&quot;]
    E --&amp;gt; F[&quot;Private key recovered, no discrete log solved&quot;]
&lt;p&gt;This is not a metaphor. Here is the recovery, executable. Two signatures share a nonce, and a dozen lines of BigInt arithmetic reproduce the private key exactly:&lt;/p&gt;
&lt;p&gt;{`
// secp256k1 group order
const n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n;
const mod = (a, m) =&amp;gt; ((a % m) + m) % m;&lt;/p&gt;
&lt;p&gt;// Modular inverse via the extended Euclidean algorithm
function inv(a, m) {
  let [oldr, r] = [mod(a, m), m];
  let [olds, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldr / r;
    [oldr, r] = [r, oldr - q * r];
    [olds, s] = [s, olds - q * s];
  }
  return mod(olds, m);
}&lt;/p&gt;
&lt;p&gt;// A victim signs two different messages with the SAME nonce k
const d  = 0x00c0ffee1234567890abcdef00c0ffee1234567890abcdef00c0ffee12345678n; // secret
const k  = 0x0000deadbeef0000feed0000deadbeef0000feed0000deadbeef0000feed0001n; // reused nonce
const r  = mod(0x1122334455667788112233445566778811223344556677881122334455667788n, n);
const z1 = 0x1111111111111111111111111111111111111111111111111111111111111111n;
const z2 = 0x2222222222222222222222222222222222222222222222222222222222222222n;
const s1 = mod(inv(k, n) * mod(z1 + mod(r * d, n), n), n);
const s2 = mod(inv(k, n) * mod(z2 + mod(r * d, n), n), n);&lt;/p&gt;
&lt;p&gt;// The attacker sees only (r, s1, z1) and (r, s2, z2). Recover k, then d.
const kRec = mod((z1 - z2) * inv(mod(s1 - s2, n), n), n);
const dRec = mod((mod(s1 * kRec, n) - z1) * inv(r, n), n);
console.log(&apos;recovered nonce matches:  &apos; + (kRec === k));
console.log(&apos;recovered private key:    &apos; + (dRec === d));
console.log(&apos;d = 0x&apos; + dRec.toString(16));
`}&lt;/p&gt;
&lt;p&gt;Three years later, the same algebra emptied wallets. In August 2013, an advisory on bitcoin.org warned that &quot;a component of Android responsible for generating secure random numbers contains critical weaknesses&quot; that rendered &quot;all Android wallets&quot; vulnerable to theft [@bitcoin-android-2013]. The root cause, per Google&apos;s own postmortem, was that the platform&apos;s &lt;code&gt;SecureRandom&lt;/code&gt; &quot;may not receive cryptographically strong values&quot; because the underlying PRNG was improperly initialized [@android-securerandom-2013].&lt;/p&gt;
&lt;p&gt;The consequence was nonce &lt;em&gt;repetition&lt;/em&gt; across transactions. And because every Bitcoin signature is broadcast to a public ledger, anyone could scan the chain for two signatures sharing an &lt;code&gt;r&lt;/code&gt; and drain the wallet behind them.The bitcoin.org advisory names the flaw and the affected wallets but states no total loss figure [@bitcoin-android-2013]. Any &quot;coins stolen&quot; number you have seen is reported, not established -- treat it accordingly.&lt;/p&gt;
&lt;p&gt;The detector that would have caught both PS3 and Android is embarrassingly short. Group public signatures by &lt;code&gt;r&lt;/code&gt;; any collision is an exposed key:&lt;/p&gt;
&lt;p&gt;{`
const n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n;
const mod = (a, m) =&amp;gt; ((a % m) + m) % m;
function inv(a, m) {
  let [oldr, r] = [mod(a, m), m];
  let [olds, s] = [1n, 0n];
  while (r !== 0n) { const q = oldr / r; [oldr, r] = [r, oldr - q * r]; [olds, s] = [s, olds - q * s]; }
  return mod(olds, m);
}
// Build a public feed in which one signer reused a nonce, then forget the secret
const dSecret = 777n, kReused = 424242n, rReused = 987654321n;
const mk = (z) =&amp;gt; ({ r: rReused, s: mod(inv(kReused, n) * mod(z + mod(rReused * dSecret, n), n), n), z });
const feed = [ { r: 111n, s: 22n, z: 5n }, mk(1001n), { r: 222n, s: 44n, z: 9n }, mk(2002n), { r: 333n, s: 66n, z: 12n } ];&lt;/p&gt;
&lt;p&gt;const seen = new Map();
for (const g of feed) {
  const key = g.r.toString();
  if (seen.has(key)) {
    const a = seen.get(key), b = g;
    const k = mod((a.z - b.z) * inv(mod(a.s - b.s, n), n), n);
    const d = mod((mod(a.s * k, n) - a.z) * inv(a.r, n), n);
    console.log(&apos;NONCE REUSE at r = &apos; + key + &apos;  -&amp;gt;  private key d = &apos; + d.toString());
  } else {
    seen.set(key, g);
  }
}
`}&lt;/p&gt;
&lt;p&gt;Two incidents, two different root causes -- a hardcoded constant and a starved RNG -- and one identical, certain outcome. This is the crudest form of the whole thesis: the deployment lost the key while the discrete log stood untouched.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; A &lt;em&gt;repeated&lt;/em&gt; nonce is certain key recovery from just two signatures, by elementary algebra. A &lt;em&gt;biased&lt;/em&gt; nonce -- one that merely leans, statistically, toward certain values -- leaks only a partial statistic and requires a statistical attack over many signatures. &quot;One biased signature leaks your key&quot; is false. The distinction is the difference between the next two subsections, and blurring it is the single most common error in this area.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Dimension&lt;/th&gt;
&lt;th&gt;Reused nonce&lt;/th&gt;
&lt;th&gt;Biased nonce&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;What leaks&lt;/td&gt;
&lt;td&gt;the whole nonce (it repeats)&lt;/td&gt;
&lt;td&gt;a partial statistic about the nonce&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Signatures needed&lt;/td&gt;
&lt;td&gt;exactly 2&lt;/td&gt;
&lt;td&gt;many (Minerva about 2100; PuTTY about 60 [@putty-cve-2024-31497])&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Attack&lt;/td&gt;
&lt;td&gt;elementary algebra&lt;/td&gt;
&lt;td&gt;Hidden Number Problem (lattice or Fourier)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Certainty&lt;/td&gt;
&lt;td&gt;certain&lt;/td&gt;
&lt;td&gt;statistical&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Examples&lt;/td&gt;
&lt;td&gt;PS3, Android&lt;/td&gt;
&lt;td&gt;Minerva, TPM-Fail, LadderLeak, PuTTY&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;h3&gt;Pillar 1b: the nonce, biased (statistical, over many signatures)&lt;/h3&gt;
&lt;p&gt;Reuse is loud. The subtler failure is a nonce that never repeats but is not quite uniform -- one whose top bit is a little too often zero, say. It turns out that even this surrenders the key, and the theory predicting it predates the exploits by two decades.&lt;/p&gt;

Given many samples that each leak a few of the most-significant bits of `k`, together with the public signature data, recover the fixed secret `d`. Boneh and Venkatesan defined this problem in 1996 and proved it tractable [@boneh-venkatesan-1996]. Every biased-nonce attack in this article -- Minerva, TPM-Fail, LadderLeak, PuTTY -- is an instance of it.
&lt;p&gt;Nguyen and Shparlinski turned the abstract HNP into a concrete lattice attack on (EC)DSA with partially known nonces [@nguyen-shparlinski-2003], and Brumley and Tuveri showed in 2011 that the necessary bit-leak could be harvested &lt;em&gt;remotely&lt;/em&gt;, over a network, from an OpenSSL implementation whose scalar multiplication was not constant-time [@brumley-tuveri-2011]. Then the field split into two solver regimes, and telling them apart is essential.&lt;/p&gt;
&lt;p&gt;When the &lt;a href=&quot;https://paragmali.com/blog/correct-constant-time-and-still-owned-a-field-guide-to-side-/&quot; rel=&quot;noopener&quot;&gt;timing channel&lt;/a&gt; leaks a &lt;em&gt;few bits&lt;/em&gt; of the nonce -- typically its exact bit-length -- the HNP is solved by &lt;strong&gt;lattice reduction&lt;/strong&gt;. Minerva (CHES 2020) demonstrated this against smartcards and libraries whose scalar multiplication ran in time correlated with the nonce&apos;s length, reporting roughly &quot;2100 signatures to recover the private key on the standard secp256r1 curve&quot; [@minerva-2020].&lt;/p&gt;
&lt;p&gt;TPM-Fail (USENIX Security 2020) carried the same idea into hardware roots of trust. A timing leak in Intel firmware TPMs (CVE-2019-11090 [@cve-2019-11090]) and STMicroelectronics ST33 chips (CVE-2019-16863 [@cve-2019-16863]) recovered a 256-bit ECDSA key from an Intel fTPM in 4 to 20 minutes, and a VPN authentication key remotely in about five hours [@tpmfail-2020].Two honesty notes. Minerva&apos;s project page retracted its original EdDSA claim; the confirmed result is ECDSA-only [@minerva-2020]. And the TPM-Fail targets were not toys -- they held Common Criteria EAL4+ and FIPS 140-2 certification, and the leak survived that scrutiny [@tpmfail-2020].&lt;/p&gt;

flowchart TD
    L[&quot;A timing channel leaks partial information about the nonce k&quot;] --&amp;gt; Q{&quot;How much leaks per signature?&quot;}
    Q --&amp;gt;|&quot;at least 2 bits&quot;| LAT[&quot;Lattice reduction of the HNP: Minerva, TPM-Fail&quot;]
    Q --&amp;gt;|&quot;under 1 bit&quot;| FFT[&quot;Bleichenbacher and Fourier HNP: LadderLeak&quot;]
    LAT --&amp;gt; R[&quot;Private key d recovered over MANY signatures&quot;]
    FFT --&amp;gt; R
&lt;p&gt;The second regime is where people get it wrong. When the leak drops &lt;em&gt;below a single bit&lt;/em&gt; -- LadderLeak revealed the most-significant bit of the nonce &quot;but with probability less than one&quot; -- lattices become intractable, and the attack instead revives a Fourier-analysis method the paper credits to Daniel Bleichenbacher [@ladderleak-2020].&lt;/p&gt;
&lt;p&gt;The LadderLeak authors note that &quot;most of the attacks so far have relied on at least two bits of nonce bias,&quot; precisely the lattice regime. Their contribution was to break below it, over curves sect163r1 and NIST P-192, using the Fourier solver rather than a lattice [@ladderleak-2020]. Calling LadderLeak a lattice attack is the field&apos;s classic mistake.&lt;/p&gt;

&quot;Breaking ECDSA With Less Than One Bit Of Nonce Leakage&quot; -- the title of the LadderLeak paper, and the most compact statement of how little a nonce must betray before the key is gone.
&lt;p&gt;Notice what happened across this subsection. Every one of these attacks beat a signer that had already removed the reuse bug. The leak had moved from how the nonce was &lt;em&gt;generated&lt;/em&gt; to how it was &lt;em&gt;used&lt;/em&gt; -- a variable-time scalar multiplication -- and the cure had to move with it. Hold that thought; it is the pivot of the entire article. But reuse or bias, lattice or Fourier, two signatures or two thousand, the outcome is the same and the discrete logarithm is never touched: the deployment hands over &lt;code&gt;d&lt;/code&gt;, and the strongbox stays locked.&lt;/p&gt;
&lt;h3&gt;Pillar 2: the parameters, unvalidated (CurveBall)&lt;/h3&gt;
&lt;p&gt;The nonce pillar is about a secret the deployment mishandles. The second pillar is about an identity the deployment fails to check. On 14 January 2020, Microsoft patched CVE-2020-0601, reported by the NSA: &quot;a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates&quot; [@curveball-cve-2020-0601]. It became known as CurveBall, and it is the cleanest example in the whole corpus of a break that has nothing to do with the mathematics of ECC.&lt;/p&gt;
&lt;p&gt;Recall the parameter contract. A public key is the point &lt;code&gt;dG&lt;/code&gt; -- meaningful only if everyone agrees on &lt;code&gt;G&lt;/code&gt;. CryptoAPI, when handed a certificate that specified its curve with &lt;em&gt;explicit&lt;/em&gt; parameters, checked that the certificate&apos;s public &lt;em&gt;point&lt;/em&gt; matched a trusted root&apos;s public key. What it did not check was the &lt;em&gt;generator&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;So an attacker could craft a curve with a custom generator &lt;code&gt;G&apos;&lt;/code&gt;, pick any private key &lt;code&gt;d&apos;&lt;/code&gt; they liked, and compute &lt;code&gt;G&apos;&lt;/code&gt; such that &lt;code&gt;d&apos; * G&apos;&lt;/code&gt; equals the exact public point of a &lt;a href=&quot;https://paragmali.com/blog/a-perfect-signature-for-a-certificate-that-should-never-have/&quot; rel=&quot;noopener&quot;&gt;trusted root certificate authority&lt;/a&gt;. The forged certificate then presents the right public point on the wrong curve. Windows, comparing only the point, accepts it -- while a library that pins named curves rejects it instantly, because &lt;code&gt;G&apos;&lt;/code&gt; is not the standard base point.&lt;/p&gt;

flowchart TD
    A[&quot;Attacker picks explicit curve parameters with a custom generator G-prime&quot;] --&amp;gt; B[&quot;Chooses private key d-prime so that d-prime times G-prime equals a trusted root public point Q&quot;]
    B --&amp;gt; C[&quot;Forged certificate presents point Q on the attacker curve&quot;]
    C --&amp;gt; D{&quot;Windows CryptoAPI validation&quot;}
    D --&amp;gt;|&quot;Public point matches a trusted root? YES&quot;| E[&quot;Accepted, but the generator was never checked&quot;]
    D -.-&amp;gt;|&quot;A named-curve-pinning library also checks G&quot;| F[&quot;Rejected, G-prime is not the standard base point&quot;]
    E --&amp;gt; G[&quot;Forged code-signing or TLS certificate chains to a trusted root&quot;]
&lt;p&gt;The ECDLP was never in play. The attacker chose their own private key; they never had to recover anyone&apos;s. The failure is a single missing comparison -- generator against named curve -- buried in a certificate validation stack that a billion machines trusted. CurveBall is a validation bug, not a curve break, and the fix is exactly what the missing check would have been: reject explicit parameters, or fully re-validate them against the claimed named curve.&lt;/p&gt;
&lt;h3&gt;Pillar 3: the negotiation, downgraded (Logjam)&lt;/h3&gt;
&lt;p&gt;The third pillar is the one honest exception, and handled carelessly it looks like a refutation of the whole thesis. In 2015, the Logjam team (CVE-2015-4000) showed that a man-in-the-middle could rewrite a TLS handshake -- &quot;rewriting a ClientHello with DHE replaced by DHE_EXPORT&quot; -- to force the connection onto a 512-bit export-grade Diffie-Hellman group [@cve-2015-4000]. And here, unlike everywhere else, the attacker really does compute a discrete logarithm.&lt;/p&gt;
&lt;p&gt;The trick is that the expensive part of the number field sieve has to be done only once per prime, and servers share primes.&lt;/p&gt;

The fastest known classical algorithm for the finite-field discrete logarithm (and for integer factoring). Its decisive feature here: its costly first stage depends only on the *prime* being attacked, not on any particular exchanged key. Precompute once per prime, and every session under that prime becomes cheap to break. The internals belong to the companion article; what matters here is that one structural fact.
&lt;p&gt;The Logjam researchers found that &quot;8.4% of the Top 1 Million domains were initially vulnerable,&quot; and that because so many servers reused a handful of standardized 512-bit primes, &quot;the first step in the number field sieve ... is dependent only on this prime&quot; [@logjam-weakdh-2015]. One precomputation, amortized across every server that shipped that prime.&lt;/p&gt;

&quot;The first step in the number field sieve ... is dependent only on this prime.&quot; One precomputation breaks every server that shares the group.

sequenceDiagram
    participant C as Client
    participant M as MITM
    participant S as Server
    Note over M: One-time NFS precomputation per shared 512-bit prime
    C-&amp;gt;&amp;gt;M: ClientHello offering DHE
    M-&amp;gt;&amp;gt;S: ClientHello rewritten to DHE_EXPORT
    S-&amp;gt;&amp;gt;M: 512-bit export DH parameters, a shared standardized prime
    M-&amp;gt;&amp;gt;C: forwards the weak parameters
    Note over M: Precomputation done, so this connection solves fast
    M--&amp;gt;&amp;gt;C: session decrypted in near real time

The 512-bit `DHE_EXPORT` groups existed because 1990s US export regulations forbade shipping strong cryptography abroad, mandating deliberately breakable key exchange for foreign markets [@logjam-weakdh-2015]. The policy was abandoned by the early 2000s, but the cipher suites were never removed from server software. Logjam, in 2015, exploited a legal compromise that had been dead for over a decade and a codebase that never got the memo. The math did not decay -- the deployment simply kept a museum piece plugged in.
&lt;p&gt;Read carefully, Logjam is not a counterexample; it is the thesis in its most literal form. A discrete log &lt;em&gt;was&lt;/em&gt; computed, but only against a 512-bit prime that a downgrade forced the connection onto and that policy had left crippled and shared. The deployment set the weak, shared group on the table; the number field sieve merely finished the job. No strong, standard-sized group ever fell. The fix is the same shape as the break: remove export ciphers, negotiate vetted named groups (RFC 7919 [@rfc7919]), and adopt TLS 1.3, which removes static Diffie-Hellman entirely [@rfc8446].&lt;/p&gt;
&lt;p&gt;Three pillars, seven breaks, one shape: every attack hit a layer the discrete-log math depends on but does not control. Name the shape, and you have the whole discipline.&lt;/p&gt;
&lt;h2&gt;5. The Realization: Fix the Contracts, Not the Curve&lt;/h2&gt;
&lt;p&gt;There was no single eureka here. The insight accumulated across fifteen years of incidents and then snapped into one sentence: every field break attacked a layer the discrete-log math &lt;em&gt;depends on but does not control&lt;/em&gt; -- the nonce, then the parameters, then the negotiated strength -- and every fix changed &lt;em&gt;how the primitive is generated, used, validated, or negotiated&lt;/em&gt;, never the curve and never the log.&lt;/p&gt;
&lt;p&gt;The sharpest crystallization hides inside the word &quot;bias.&quot; For years it was treated as one problem with one fix: remove the random number generator, derive the nonce deterministically (RFC 6979 [@rfc6979], later blessed by FIPS 186-5 [@fips-186-5]), and the biased-nonce class is solved. But Minerva, TPM-Fail, and LadderLeak all recovered keys from signers that had &lt;em&gt;already&lt;/em&gt; done that. The reason is that &quot;bias&quot; was concealing two distinct root causes with two distinct cures.&lt;/p&gt;

flowchart TD
    B[&quot;One word: nonce bias&quot;] --&amp;gt; G[&quot;Generation defect: the RNG returns a constant, repeated, or predictable k&quot;]
    B --&amp;gt; U[&quot;Usage defect: variable-time scalar multiplication leaks the bit-length of k&quot;]
    G --&amp;gt; GC[&quot;Cure: deterministic and hedged nonces, RFC 6979 and FIPS 186-5&quot;]
    U --&amp;gt; UC[&quot;Cure: constant-time, exception-free scalar multiplication&quot;]
    GC --&amp;gt; BOTH[&quot;You need BOTH, they are orthogonal&quot;]
    UC --&amp;gt; BOTH
&lt;p&gt;A &lt;em&gt;generation&lt;/em&gt; defect is a bad nonce coming out of the sampler -- a constant (PS3), a repeat (Android), a predictable value. Determinism and hedging cure it. A &lt;em&gt;usage&lt;/em&gt; defect is a perfectly good nonce leaking through the &lt;em&gt;timing&lt;/em&gt; of the scalar multiplication that consumes it -- the bit-length falling out through a side channel (Minerva, TPM-Fail) or a sub-bit correlation (LadderLeak). Only constant-time code cures that. The two cures are orthogonal, and you need both.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Generalize the two-cures fork and you get the entire discipline of this field: four contracts, not one curve. &lt;em&gt;Generate&lt;/em&gt; the nonce so it cannot be predicted or repeated; &lt;em&gt;use&lt;/em&gt; it in constant time so it cannot leak; &lt;em&gt;validate&lt;/em&gt; your parameters so no attacker chooses your generator; &lt;em&gt;negotiate&lt;/em&gt; only strong, unshared groups so no downgrade can strand you. Every documented break is a breach of one of those four. No break in the corpus is a break of the discrete logarithm.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;This also dissolves the apparent contradiction the article opened with. &quot;Nobody solved the discrete log&quot; and &quot;somebody recovered the key&quot; only sound incompatible if you conflate the discrete-log &lt;em&gt;problem&lt;/em&gt; with a discrete-log &lt;em&gt;deployment&lt;/em&gt;. The problem is a statement about computational hardness; the deployment is a nonce, a set of parameters, and a negotiation, wrapped around that hardness. The problem stayed hard. The wrapping tore.&lt;/p&gt;

If you remember one operational thing from this article, make it this: deterministic ECDSA and constant-time scalar multiplication are not two names for the same safeguard. A team can adopt RFC 6979, check the box marked &quot;nonce,&quot; and still ship a signer that a co-located attacker times to death. Ask both questions separately -- how is the nonce generated, and how is it used -- because they have separate answers.
&lt;p&gt;If the discipline is &quot;honor the four contracts, not the curve,&quot; what does a deployment that honors all four actually look like in 2026?&lt;/p&gt;
&lt;h2&gt;6. What Correct EC/DH Deployment Looks Like in 2026&lt;/h2&gt;
&lt;p&gt;The state of the art in this field is not a better discrete-log solver -- no such thing exists. It is a &lt;em&gt;deployment discipline&lt;/em&gt; at the three layers the math never controlled. Here it is, pillar by pillar.&lt;/p&gt;
&lt;h3&gt;Nonce: two orthogonal cures, and a primitive that folds in both&lt;/h3&gt;

Derive the nonce `k` deterministically from the private key and the message hash via an HMAC-based construction, so the signer &quot;do[es] not need access to a source of high-quality randomness&quot; [@rfc6979]. Identical key-and-message pairs always yield the same `k`; distinct messages yield unrelated nonces. This closes the *generation* defect -- the PS3 and Android reuse classes cannot occur.
&lt;p&gt;RFC 6979 also quietly records the deeper lesson. It insists on comparing each candidate nonce against the group order rather than reducing it modulo the order, warning that a &quot;simple modular reduction would induce biases that would be detrimental to signature security&quot; [@rfc6979]. That is a standards document, in 2013, acknowledging that &lt;em&gt;bias&lt;/em&gt;, not just reuse, is fatal. You can watch the effect yourself:&lt;/p&gt;
&lt;p&gt;{&lt;code&gt;// A raw sampler emits values in [0, 256). We need a nonce in [0, q). const q = 200n, B = 256n, trials = 400000; const raw = () =&amp;gt; BigInt(Math.floor(Number(B) * Math.random())); let biasedHigh = 0, fairHigh = 0; const half = q / 2n; for (let i = 0; i &amp;lt; trials; i++) {   const reduced = raw() % q;              // reduce mod q -&amp;gt; BIASED   if (reduced &amp;gt;= half) biasedHigh++;   let fair; do { fair = raw(); } while (fair &amp;gt;= q);  // compare to q, retry -&amp;gt; FAIR   if (fair &amp;gt;= half) fairHigh++; } console.log(&apos;reduce mod q -&amp;gt; P(nonce in top half): &apos; + (biasedHigh / trials).toFixed(4)); console.log(&apos;compare to q -&amp;gt; P(nonce in top half): &apos; + (fairHigh / trials).toFixed(4)); console.log(&apos;That gap from 0.5 is a free bit for a Hidden Number Problem attacker.&apos;);&lt;/code&gt;}&lt;/p&gt;
&lt;p&gt;Determinism, though, fixes only generation. On hardware it also &lt;em&gt;adds&lt;/em&gt; a risk.&lt;/p&gt;

Compute the nonce from the private key, the message hash, *and* a few bytes of fresh randomness. A dead RNG falls back to the safe deterministic core; a differential fault, which needs two identical signings to differ, is defeated by the fresh input. FIPS 186-5 recommends this for hardware because bare determinism is &quot;of particular concern for ... deterministic signature schemes, as well as embedded or IoT devices and smartcards&quot; [@fips-186-5].

Compute `kG` with a data-independent trace of instructions, branches, and memory accesses, so the runtime never depends on the bit-length or value of `k`. This is the *usage* cure -- the only defense against Minerva, TPM-Fail, and LadderLeak, whose leaks all live in the multiplication, not the sampler. Its precursor is Brumley and Tuveri&apos;s 2011 remote attack on a non-constant-time OpenSSL ladder [@brumley-tuveri-2011].
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Hedged signing and constant-time multiplication are the two cures of the fork, and they do not substitute for each other. A hardware signer needs &lt;em&gt;both&lt;/em&gt;: hedge the generation, and make the usage constant-time. Checking one box leaves the other break wide open.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;New designs can sidestep the whole fork by choosing a misuse-resistant primitive. Ed25519 (RFC 8032) derives its nonce as a hash of the secret and message -- deterministic by construction, no per-signature RNG -- and signs with a single &lt;em&gt;complete&lt;/em&gt;, constant-time addition law that has no exceptional cases to mishandle [@rfc8032]. It folds both cures into the primitive and removes the dangerous choices from the caller&apos;s hands.Misuse-resistant is not misuse-proof. PuTTY derived P-521 ECDSA nonces such that &quot;the first 9 bits of each ECDSA nonce are zero,&quot; allowing &quot;full secret key recovery in roughly 60 signatures&quot; (CVE-2024-31497) [@putty-cve-2024-31497]. Determinism implemented carelessly re-introduced exactly the bias it was meant to prevent.&lt;/p&gt;
&lt;h3&gt;Validation: reject what you cannot vouch for&lt;/h3&gt;
&lt;p&gt;The CurveBall cure is direct: bind a certificate&apos;s curve to the standard parameters of its named curve, and reject explicit parameters or fully re-validate them. The January 2020 patch made &lt;code&gt;crypt32.dll&lt;/code&gt; check the generator, not merely the point [@curveball-cve-2020-0601].&lt;/p&gt;
&lt;p&gt;For key &lt;em&gt;exchange&lt;/em&gt; with static keys, the discipline is fuller. Before using a received point, confirm it is not the identity, lies on the curve, and sits in the correct prime-order subgroup -- the full public-key validation of NIST SP 800-56A, which blocks &lt;a href=&quot;https://paragmali.com/blog/the-curve-was-hard-the-gap-was-soft-a-field-guide-to-using-e/&quot; rel=&quot;noopener&quot;&gt;invalid-curve and small-subgroup attacks&lt;/a&gt; that would otherwise bleed a static key out one query at a time [@sp-800-56a-r3].&lt;/p&gt;
&lt;p&gt;The most durable answer is to make invalid inputs unrepresentable. X25519 works on a Montgomery curve chosen so that &lt;em&gt;every&lt;/em&gt; 32-byte string is an acceptable public key; the RFC even instructs implementations to &quot;accept non-canonical values,&quot; and to run the conditional swap &quot;in constant time&quot; [@rfc7748]. There is no explicit-parameter path to abuse and no on-curve check to forget.This is the &quot;make invalid states unrepresentable&quot; principle applied to cryptography: the safest validation code is the code you deleted because the type system already guarantees the property. But note the boundary carefully.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; X25519&apos;s scalar &quot;clamping&quot; fixes the cofactor and twist problems for ephemeral key exchange. It does &lt;em&gt;not&lt;/em&gt; replace named-curve pinning in the X.509 world, and some protocols still need a contributory-behavior check on the shared secret. Twist-secure curves solve the problems they were designed for -- not every parameter problem.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h3&gt;Negotiation: remove the weak option entirely&lt;/h3&gt;
&lt;p&gt;The downgrade pillar&apos;s fix is structural. RFC 7919 replaced ad-hoc, shared Diffie-Hellman primes with a menu of vetted named groups negotiated like curves [@rfc7919]. TLS 1.3 went further and deleted the weak options outright, so there is nothing to downgrade &lt;em&gt;to&lt;/em&gt;.&lt;/p&gt;

&quot;Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms now provide forward secrecy.&quot; -- RFC 8446, the TLS 1.3 specification [@rfc8446].
&lt;p&gt;Because TLS 1.3 permits only strong ephemeral groups and binds the negotiation into the handshake transcript, the Logjam rewrite is not merely discouraged -- it is structurally impossible [@rfc8446]. The end state of the negotiation pillar is a protocol in which the crippled, shared 512-bit group Logjam relied on simply cannot be selected.&lt;/p&gt;
&lt;p&gt;Each of these is a choice, and where there is a choice, engineers argue. Which discipline actually wins in which threat model?&lt;/p&gt;
&lt;h2&gt;7. Competing Approaches: Which Defense Answers Which Adversary&lt;/h2&gt;
&lt;p&gt;These defenses are not rungs on one ladder. They are answers to different adversaries, and the honest way to compare them is one pillar at a time.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; A constant-time multiplier and a named-curve pin do not compete -- they defend different layers, and a real system needs one from each pillar. The comparisons below rank options &lt;em&gt;within&lt;/em&gt; a pillar. Picking the best nonce discipline does nothing for your parameter validation.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h3&gt;Nonce: which signing discipline stops which adversary&lt;/h3&gt;
&lt;p&gt;The load-bearing insight is that no single column stops every row. Generation cures (deterministic [@rfc6979], hedged [@fips-186-5]) and the usage cure (constant-time) are orthogonal, which is why hedged-plus-constant-time became the practitioner default and why Ed25519 [@rfc8032] folds most of both into the primitive.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Adversary / failure&lt;/th&gt;
&lt;th&gt;Randomized (bare RNG)&lt;/th&gt;
&lt;th&gt;Deterministic (RFC 6979)&lt;/th&gt;
&lt;th&gt;Hedged (FIPS 186-5)&lt;/th&gt;
&lt;th&gt;Constant-time mult&lt;/th&gt;
&lt;th&gt;Ed25519&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;RNG returns constant or repeat (PS3, Android)&lt;/td&gt;
&lt;td&gt;fails&lt;/td&gt;
&lt;td&gt;stops&lt;/td&gt;
&lt;td&gt;stops&lt;/td&gt;
&lt;td&gt;orthogonal&lt;/td&gt;
&lt;td&gt;stops&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Differential fault on a deterministic signer&lt;/td&gt;
&lt;td&gt;randomness helps&lt;/td&gt;
&lt;td&gt;fails&lt;/td&gt;
&lt;td&gt;stops&lt;/td&gt;
&lt;td&gt;orthogonal&lt;/td&gt;
&lt;td&gt;inherits the caveat&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Timing leak of nonce bit-length (Minerva, TPM-Fail)&lt;/td&gt;
&lt;td&gt;fails&lt;/td&gt;
&lt;td&gt;fails&lt;/td&gt;
&lt;td&gt;fails&lt;/td&gt;
&lt;td&gt;stops&lt;/td&gt;
&lt;td&gt;stops (uniform ladder)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Sub-bit ladder leak (LadderLeak)&lt;/td&gt;
&lt;td&gt;fails&lt;/td&gt;
&lt;td&gt;fails&lt;/td&gt;
&lt;td&gt;fails&lt;/td&gt;
&lt;td&gt;stops&lt;/td&gt;
&lt;td&gt;stops (uniform ladder)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Read the rows, not the columns: reuse fails only the first row and is certain from two signatures; the timing leaks fail three of the five columns and are cured on a different axis entirely. That is the two-cures fork, rendered as a matrix.&lt;/p&gt;
&lt;h3&gt;Validation: three philosophies of not trusting your input&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Dimension&lt;/th&gt;
&lt;th&gt;Named-curve pinning&lt;/th&gt;
&lt;th&gt;Full validation (SP 800-56A)&lt;/th&gt;
&lt;th&gt;All-inputs-valid (X25519)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Philosophy&lt;/td&gt;
&lt;td&gt;reject non-standard parameters&lt;/td&gt;
&lt;td&gt;validate every received input&lt;/td&gt;
&lt;td&gt;make invalid inputs unrepresentable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Stops CurveBall (unvalidated generator)&lt;/td&gt;
&lt;td&gt;yes, its exact fix&lt;/td&gt;
&lt;td&gt;yes, re-derives the generator&lt;/td&gt;
&lt;td&gt;yes, no explicit-parameter path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Stops invalid-curve / small-subgroup&lt;/td&gt;
&lt;td&gt;partial&lt;/td&gt;
&lt;td&gt;yes, on-curve plus subgroup&lt;/td&gt;
&lt;td&gt;yes, twist-secure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Per-operation cost&lt;/td&gt;
&lt;td&gt;O(1) table compare&lt;/td&gt;
&lt;td&gt;O(1) up to one scalar mult&lt;/td&gt;
&lt;td&gt;one constant-time ladder&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Best suited for&lt;/td&gt;
&lt;td&gt;X.509, code-signing, PKI&lt;/td&gt;
&lt;td&gt;static-key ECDH, HSMs&lt;/td&gt;
&lt;td&gt;ephemeral ECDH&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Named-curve pinning is the precise CurveBall fix [@curveball-cve-2020-0601]; SP 800-56A validation is the belt-and-suspenders choice for static keys [@sp-800-56a-r3]; X25519 deletes the problem by construction [@rfc7748]. They converge on stopping CurveBall and diverge on everything else.&lt;/p&gt;
&lt;h3&gt;Downgrade: hardening, deletion, or hedging against tomorrow&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Dimension&lt;/th&gt;
&lt;th&gt;Config hardening + FFDHE&lt;/th&gt;
&lt;th&gt;TLS 1.3&lt;/th&gt;
&lt;th&gt;Hybrid post-quantum&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Removes the 512-bit export rung&lt;/td&gt;
&lt;td&gt;yes, within FFDHE&lt;/td&gt;
&lt;td&gt;yes, structurally&lt;/td&gt;
&lt;td&gt;yes, inherits 1.3&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Removes shared or unknown primes&lt;/td&gt;
&lt;td&gt;yes, named menu&lt;/td&gt;
&lt;td&gt;yes, fixed groups&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Downgrade protection in the handshake&lt;/td&gt;
&lt;td&gt;no, still in-band&lt;/td&gt;
&lt;td&gt;yes, transcript-bound&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Defends against a future Shor adversary&lt;/td&gt;
&lt;td&gt;no&lt;/td&gt;
&lt;td&gt;no&lt;/td&gt;
&lt;td&gt;yes, if ML-KEM holds&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Residual weakness&lt;/td&gt;
&lt;td&gt;the legacy long tail&lt;/td&gt;
&lt;td&gt;non-TLS 1024-bit primes&lt;/td&gt;
&lt;td&gt;a KEM is not a NIKE, young PQC&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;RFC 7919 named groups [@rfc7919] are the transitional hardening for TLS 1.2; TLS 1.3 is the structural end state [@rfc8446]; hybrid X25519 with &lt;a href=&quot;https://paragmali.com/blog/one-event-three-assumptions-five-answers-a-field-guide-to-th/&quot; rel=&quot;noopener&quot;&gt;ML-KEM&lt;/a&gt; (RFC 9954 [@rfc9954], ML-KEM standardized as FIPS 203 [@fips-203]) is the forward hedge against a quantum adversary. Only the last column defends against a break that would be genuine mathematics rather than a deployment slip.&lt;/p&gt;
&lt;p&gt;Every column in every table changed the deployment, not the curve. So is the discrete log itself simply unbreakable? Almost -- and the &quot;almost&quot; is the most honest paragraph in this article.&lt;/p&gt;
&lt;h2&gt;8. Theoretical Limits: What Is Provably True on Both Sides&lt;/h2&gt;
&lt;p&gt;This is the honest concession the thesis has been earning the right to make. There are two provable sides here, and the argument needs both.&lt;/p&gt;
&lt;h3&gt;The hardness side: no room for a strong curve to fall&lt;/h3&gt;
&lt;p&gt;On a well-chosen group, the discrete logarithm is genuinely hard, and we can say so with unusual precision. The best classical attack is Pollard&apos;s rho, a square-root-time random walk that needs negligible memory [@teske-2001]. In the strict generic model its expected cost is about $\sqrt{\pi n/2}$, roughly 1.25 times $\sqrt{n}$ group operations; on an elliptic curve, the negation map (where $P$ and $-P$ share an x-coordinate) trims that to about 0.886 times $\sqrt{n}$. Either way the exponent is the same, matching baby-step giant-step&apos;s $O(\sqrt{n})$ time [@hac-ch11].&lt;/p&gt;
&lt;p&gt;Against that upper bound, Shoup proved a generic &lt;em&gt;lower&lt;/em&gt; bound of $\Omega(\sqrt{p})$: no algorithm restricted to the group operation can do better [@shoup-1997]. The two meet at $\Theta(\sqrt{n})$. The generic gap is essentially closed -- which is exactly why a 256-bit curve delivers around 128-bit security, and why no strong deployed curve&apos;s discrete log has fallen.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Quantity&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;th&gt;Note&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Best classical DL attack&lt;/td&gt;
&lt;td&gt;Pollard&apos;s rho, about 1.25 times sqrt(n) generic; 0.886 times sqrt(n) on curves&lt;/td&gt;
&lt;td&gt;negligible space&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Baby-step giant-step&lt;/td&gt;
&lt;td&gt;O(sqrt(n)) time and O(sqrt(n)) space&lt;/td&gt;
&lt;td&gt;the space-heavy twin&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Generic lower bound&lt;/td&gt;
&lt;td&gt;Omega(sqrt(p)), provably no faster generic algorithm&lt;/td&gt;
&lt;td&gt;Shoup 1997&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Finite-field DH (non-generic)&lt;/td&gt;
&lt;td&gt;sub-exponential via the number field sieve&lt;/td&gt;
&lt;td&gt;why DH needs about 3072-bit primes (2048-bit minimum)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Strong deployed curve or standard group ever solved&lt;/td&gt;
&lt;td&gt;none, only Logjam&apos;s crippled shared 512-bit prime&lt;/td&gt;
&lt;td&gt;the thesis in one row&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;The last two rows carry the concession. Finite-field Diffie-Hellman is &lt;em&gt;not&lt;/em&gt; generic: the number field sieve solves it in sub-exponential time, which is why finite-field DH needs primes of about 3072 bits to match the security a 256-bit curve gives (2048 bits is the absolute minimum), and why Logjam&apos;s downgrade to 512 bits was finishable at all [@logjam-weakdh-2015]. The number-field-sieve mathematics belongs to the companion article.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Logjam is the only break in this corpus that reached the mathematics, and the reason is structural, not accidental. A finite field carries extra arithmetic structure that a generic group lacks, which lets the number field sieve run in sub-exponential time, faster than the square-root barrier that protects a strong elliptic curve. That structural gap is the sole opening the discrete log ever offered, and even it was not enough alone: the computation became feasible only after the prime was cut to 512 export-grade bits. Raise the group back to a standard 2048-bit prime, or move to a curve where no such shortcut exists, and the opening closes.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h3&gt;The leakage side: no room to hide a little bias&lt;/h3&gt;
&lt;p&gt;The other provable side indicts the deployment just as sharply. The Hidden Number Problem makes partial leakage fatal by construction: Boneh and Venkatesan proved that recovering a secret from many small most-significant-bit leaks is tractable [@boneh-venkatesan-1996], and Nguyen and Shparlinski turned that into a working lattice attack on (EC)DSA with partial nonces [@nguyen-shparlinski-2003].&lt;/p&gt;
&lt;p&gt;There is no &quot;a little bias is tolerable&quot; regime: any &lt;em&gt;consistent&lt;/em&gt; partial leak of &lt;code&gt;k&lt;/code&gt;, integrated over enough signatures, provably recovers &lt;code&gt;d&lt;/code&gt;. Two or more leaked bits fall to a lattice; a sub-bit leak falls to Bleichenbacher&apos;s Fourier method [@ladderleak-2020]. &quot;&lt;code&gt;k&lt;/code&gt; is secret, uniform, and unique&quot; is not a best practice -- it is a hard boundary.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The math is safe at the sizes we deploy (the generic gap is closed), and leakage is fatal at any size (the HNP admits no safe margin). Both proofs point the same way: the primitive is not the weak part. The nonce, the parameters, and the negotiation are.&lt;/p&gt;
&lt;/blockquote&gt;

Two clouds sit on the horizon. First, the shared-prime structure Logjam exploited at 512 bits revives at 1024. The Logjam team estimated that precomputing the single most common 1024-bit prime would expose roughly 18% of the top HTTPS sites; a second common prime would reach about 66% of IPsec VPNs and around 26% of SSH servers [@logjam-weakdh-2015] -- the same trick, resized, and a resourced adversary&apos;s project. Second, a large fault-tolerant quantum computer running Shor&apos;s algorithm would break the discrete logarithm outright, curve and finite field alike. That is the one future break that *is* the mathematics, and it is the subject of the companion article, not this one. The deployment answer, already shipping, is hybrid key exchange.
&lt;p&gt;So where, concretely, does EC and DH still break tomorrow?&lt;/p&gt;
&lt;h2&gt;9. Where EC and DH Still Break in the Field&lt;/h2&gt;
&lt;p&gt;The incidents are settled. The &lt;em&gt;classes&lt;/em&gt; are not. Every open problem below is a documented pattern waiting for its next instance, and each one maps to a pillar you have already met.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The next SecureRandom (nonce generation, Pillar 1).&lt;/strong&gt; A signer needs a unique, secret nonce at the exact moment its entropy is weakest: first boot, a headless IoT device with no entropy events, or a freshly cloned virtual machine carrying a duplicated seed. This is the mechanism behind Android 2013 [@android-securerandom-2013], and it recurs whenever hardware is provisioned faster than it can gather randomness.Cloned-VM state duplication is an especially nasty modern form: two hosts that never coordinated can emit the &lt;em&gt;same&lt;/em&gt; &quot;random&quot; nonce because they booted from one snapshot. The signing path can be hedged [@fips-186-5], but key generation and ephemeral key exchange still need a live, well-seeded source.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The next Minerva or LadderLeak (nonce usage, Pillar 1).&lt;/strong&gt; Constant-time scalar multiplication must be re-established against every new microarchitecture -- caches, execution ports, prefetchers, simultaneous multithreading -- and on every fragile incomplete-addition curve. The bit-length leak of Minerva [@minerva-2020] and the sub-bit leak of LadderLeak [@ladderleak-2020] both post-date deterministic nonces precisely because the leak had moved to usage. Formally verified primitives close the &lt;em&gt;known&lt;/em&gt; channels on the &lt;em&gt;chosen&lt;/em&gt; curve; FIPS-mandated P-curves and secp256k1 keep hand-written code in production.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The long tail of shared primes (downgrade, Pillar 3).&lt;/strong&gt; TLS 1.3 closes the web protocol layer, but export-grade and shared standardized primes outlived their policy elsewhere. IKEv1 VPNs and older SSH still ship shared 1024-bit Diffie-Hellman groups, and a single precomputation per shared prime amortizes across every server using it [@logjam-weakdh-2015]. The consensus recommendation is blunt: retire 1024-bit DH now.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The next CurveBall (validation, Pillar 2).&lt;/strong&gt; CurveBall was one unchecked generator in one library [@curveball-cve-2020-0601]; the class is &quot;somewhere in a large validation stack, attacker-supplied parameters are trusted.&quot; Every new parser, certificate profile, or post-quantum key format reopens the class, and a single such bug in a widely embedded validator forges trust across everything that depends on it.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Post-quantum migration ahead of Shor (cross-pillar).&lt;/strong&gt; Hybrid key exchange -- running X25519 alongside ML-KEM so the session stays secure if either component holds -- is standardized (RFC 9954 [@rfc9954]; concrete groups such as X25519MLKEM768 in the ongoing ECDHE-MLKEM work [@draft-ietf-tls-ecdhe-mlkem]; ML-KEM standardized as FIPS 203 [@fips-203]) and is already deployed at scale: it protected a majority of the human web traffic Cloudflare measured by late 2025 [@cloudflare-pq-radar]. But the migration carries a trap that has nothing to do with the discrete log.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; ML-KEM is a key-&lt;em&gt;encapsulation&lt;/em&gt; mechanism, not a non-interactive key agreement. It does not reproduce X25519&apos;s static Diffie-Hellman semantics, where two long-term public keys combine without any live exchange. Systems that quietly assume &quot;post-quantum DH&quot; is a drop-in replacement for classical DH will find the shape of the primitive has changed underneath them. Migrate deliberately, not by search-and-replace.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;None of these needs new mathematics to break you. Each needs exactly one deployment mistake. Here is how not to make it.&lt;/p&gt;
&lt;h2&gt;10. What to Do on Monday&lt;/h2&gt;
&lt;p&gt;Every item below maps to a specific incident in this article. Do these, and you do not ship the next one.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Never put a bare runtime RNG in the signing path.&lt;/strong&gt; Use deterministic (RFC 6979 [@rfc6979]) or, on hardware, hedged (FIPS 186-5 [@fips-186-5]) nonces. &lt;em&gt;Prevents:&lt;/em&gt; PS3, Android.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Demand constant-time, exception-free scalar multiplication.&lt;/strong&gt; This is a separate control from the nonce discipline, not a duplicate of it. &lt;em&gt;Prevents:&lt;/em&gt; Minerva, TPM-Fail, LadderLeak.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Prefer misuse-resistant primitives.&lt;/strong&gt; Ed25519 for new signing [@rfc8032], X25519 for ephemeral key exchange [@rfc7748]; for static-key ECDH, run full public-key validation per SP 800-56A [@sp-800-56a-r3]. &lt;em&gt;Prevents:&lt;/em&gt; whole classes of implementer error.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reject explicit curve parameters; require named curves.&lt;/strong&gt; Pin the curve, and the generator with it. &lt;em&gt;Prevents:&lt;/em&gt; CurveBall [@curveball-cve-2020-0601].&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Disable export ciphers and use vetted groups.&lt;/strong&gt; RFC 7919 named groups [@rfc7919] for residual TLS 1.2 DHE, or move to TLS 1.3 [@rfc8446]. &lt;em&gt;Prevents:&lt;/em&gt; Logjam.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Never assume a fresh ephemeral rescues a shared prime.&lt;/strong&gt; The number-field-sieve precomputation is per-prime, not per-connection [@logjam-weakdh-2015]. &lt;em&gt;Prevents:&lt;/em&gt; the subtle half of Logjam.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Plan the post-quantum migration as hybrid, not pure.&lt;/strong&gt; Run a classical curve alongside ML-KEM (RFC 9954 [@rfc9954]); remember a KEM is not a NIKE. &lt;em&gt;Prevents:&lt;/em&gt; harvest-now-decrypt-later exposure.&lt;/li&gt;
&lt;/ul&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; New signing design, free to pick the curve: Ed25519. Must use ECDSA on a NIST or secp256k1 curve: hedged RFC 6979 &lt;em&gt;and&lt;/em&gt; a vetted constant-time multiply. Hardware or embedded signer: hedged, never bare-deterministic. Ephemeral key exchange: X25519. Static-key ECDH: full SP 800-56A validation. Certificate or PKI validation: pin named curves. Any TLS: version 1.3, and if you are stuck on 1.2 DHE, RFC 7919 groups with export ciphers off. Long-lived confidentiality: hybrid X25519 with ML-KEM.&lt;/p&gt;
&lt;/blockquote&gt;

1. **Nonce:** For every signature, can you show the nonce is both unpredictable (hedged or deterministic) *and* consumed in constant time? If you can only answer one half, you are exposed to the other.
2. **Parameters:** Does your certificate and key-exchange path reject attacker-supplied explicit parameters and validate every received point against the named curve?
3. **Negotiation:** Can a man-in-the-middle force any weaker group or version than you intend? If you cannot prove &quot;no,&quot; assume &quot;yes.&quot;
&lt;p&gt;Notice that not one item on this list is &quot;use a bigger curve.&quot; For every break except Logjam&apos;s downgrade, key size is irrelevant -- a 384-bit curve reuses a nonce exactly as fatally as a 256-bit one. The controls are about generation, usage, validation, and negotiation, because those are the four contracts, and the contracts are where reality broke.&lt;/p&gt;
&lt;p&gt;Two questions decide whether you got this right, and they happen to be the two most-repeated errors in the field.&lt;/p&gt;
&lt;h2&gt;11. FAQ: Misconceptions, Precisely Corrected&lt;/h2&gt;

Once, and only against a deliberately crippled target. Logjam computed discrete logarithms against a 512-bit export-grade Diffie-Hellman prime -- one that a man-in-the-middle downgrade could select and that many servers had in common [@logjam-weakdh-2015][@cve-2015-4000]. No strong deployed curve -- P-256, Curve25519, secp256k1 -- and no standard-sized group of 2048 bits or more has ever had its discrete log solved in public. The ceiling of the entire corpus is a 512-bit prime that policy left broken.

No, and this is the most common error. A *repeated* nonce recovers the key with certainty from exactly two signatures, by elementary algebra. A merely *biased* nonce emits only a faint statistical signal per signature, so recovery takes many of them plus a dedicated lattice or Fourier attack -- about 2100 for Minerva on secp256r1 [@minerva-2020], roughly 60 for PuTTY&apos;s nine-zero-bit bias [@putty-cve-2024-31497]. One biased signature leaks almost nothing.

No. LadderLeak&apos;s leak is under a single bit per signature, which lattice methods cannot exploit; it revives Bleichenbacher&apos;s Fourier-analysis solver instead [@ladderleak-2020]. The lattice regime is Minerva and TPM-Fail, whose leaks are two bits or more [@minerva-2020][@tpmfail-2020]. Calling all three &quot;lattice attacks&quot; collapses a distinction the attacks themselves are built on.

No. Padding oracles are an RSA and CBC-mode phenomenon; there is no elliptic-curve or Diffie-Hellman padding-oracle exemplar, and you should not go looking to manufacture one. The EC and DH attack surface is exactly the three pillars here -- the nonce, parameter validation, and downgrade. RSA&apos;s padding oracles, and the fact that RSA signing has no per-signature secret nonce to reuse, are covered in the companion piece &quot;How RSA Breaks in Real Life.&quot;

Only against half the problem. RFC 6979 removes the random number generator from the signing path and eliminates the reuse class [@rfc6979], but it does nothing about a timing leak during nonce *usage* -- which is exactly how Minerva, TPM-Fail, and LadderLeak recovered keys from deterministic signers. The complete answer is hedged signing plus constant-time scalar multiplication [@fips-186-5], the two orthogonal cures.

Almost never. The nonce, validation, and downgrade defects are all indifferent to key size: a forged CurveBall certificate is accepted no matter how large the curve is, because the flaw is a skipped generator check rather than a hard curve [@curveball-cve-2020-0601], and a reused or leaked nonce surrenders the private key whether that key is 256 or 384 bits. The one place size mattered was the export-group downgrade, and there the fix was to stop negotiating the 512-bit group at all [@logjam-weakdh-2015], not to enlarge it.

The primitive, no. The discrete logarithm on a strong group remains as hard as it was in the 1970s. What broke, repeatedly, was the deployment around it. Fix the nonce path, validate your parameters against named curves, and retire export and shared groups, and you have closed every break in this article. CurveBall was a validation bug, not a curve break [@curveball-cve-2020-0601] -- and that distinction is the whole point.
&lt;p&gt;Half a century after Diffie and Hellman reduced key exchange to one hard problem, the scoreboard is unambiguous: seven documented field breaks across three deployment layers, and a discrete-log ceiling that only ever reached a deliberately crippled, shared 512-bit export group -- never a strong deployed curve, never a standard-sized group. The mathematics kept its promise. The deployments did not.&lt;/p&gt;

The discrete log never fell. The nonce did, the parameters did, and the negotiation did -- and every one of those is the deployment&apos;s job, not the curve&apos;s.
&lt;p&gt;For the other half of the story -- how a curve itself could be structurally weak, how the number field sieve and Shor&apos;s algorithm actually break the math -- see the structural companion, &quot;How the Discrete Log Would Break.&quot; For the primitive that has no per-signature nonce to reuse and its own &lt;a href=&quot;https://paragmali.com/blog/rsa-is-a-trapdoor-not-a-cryptosystem-oaep-pss-and-the-25-yea/&quot; rel=&quot;noopener&quot;&gt;padding-oracle history&lt;/a&gt;, see the series sibling, &quot;How RSA Breaks in Real Life.&quot; This article was about the gap between a hard problem and a shipped product. That gap is where the keys keep getting out.&lt;/p&gt;
&lt;p&gt;&amp;lt;StudyGuide slug=&quot;how-ecc-and-dh-break-in-real-life&quot; keyTerms={[
  { term: &quot;Per-signature nonce (k)&quot;, definition: &quot;The once-used secret in ECDSA that must be secret, uniform, and unique per signature; the load-bearing prerequisite behind PS3, Android, Minerva, TPM-Fail, and LadderLeak.&quot; },
  { term: &quot;Nonce reuse vs. bias&quot;, definition: &quot;A repeated nonce recovers the key with certainty from two signatures; a biased nonce needs a statistical Hidden Number Problem attack over many signatures.&quot; },
  { term: &quot;Hidden Number Problem&quot;, definition: &quot;Recovering a fixed secret from many samples that each leak a few most-significant bits; the framework behind every biased-nonce attack.&quot; },
  { term: &quot;Two-cures fork&quot;, definition: &quot;Determinism and hedging fix nonce generation; constant-time scalar multiplication fixes nonce usage. The two are orthogonal and both are required.&quot; },
  { term: &quot;CurveBall (CVE-2020-0601)&quot;, definition: &quot;A Windows CryptoAPI bug that matched a certificate public point but never checked the generator against the named curve; a validation bug, not a curve break.&quot; },
  { term: &quot;Logjam (CVE-2015-4000)&quot;, definition: &quot;A TLS downgrade to a shared 512-bit export Diffie-Hellman prime, breakable because the number field sieve precomputes once per prime; the only discrete log in the corpus.&quot; },
  { term: &quot;Named curve vs. explicit parameters&quot;, definition: &quot;Referencing standardized domain parameters by identifier versus trusting attacker-supplied inline parameters, including a custom generator.&quot; }
]} questions={[
  { q: &quot;Why does a reused nonce recover the key from only two signatures?&quot;, a: &quot;Two signatures with the same nonce share r; subtracting the signing equations cancels the private-key term, yielding the nonce, and one equation then solves for the key.&quot; },
  { q: &quot;Why is LadderLeak not a lattice attack?&quot;, a: &quot;Its leak is under one bit per signature, which lattices cannot exploit, so it uses Bleichenbacher&apos;s Fourier method instead. Lattices are the Minerva and TPM-Fail regime.&quot; },
  { q: &quot;Is Logjam a counterexample to the thesis?&quot;, a: &quot;No. The only discrete log computed landed on a downgrade-forced, crippled, shared 512-bit prime; no strong or standard-sized group ever fell.&quot; }
]} /&amp;gt;&lt;/p&gt;
</content:encoded><category>elliptic-curve-cryptography</category><category>ecdsa</category><category>diffie-hellman</category><category>nonce-reuse</category><category>side-channel-attacks</category><category>tls-security</category><category>post-quantum</category><category>applied-cryptography</category><author>noreply@paragmali.com (Parag Mali)</author></item><item><title>How Q-Day Breaks Everything: Shor&apos;s Algorithm and the Simultaneous Fall of RSA, Diffie-Hellman, and ECC</title><link>https://paragmali.com/blog/how-q-day-breaks-everything-shors-algorithm-and-the-simultan/</link><guid isPermaLink="true">https://paragmali.com/blog/how-q-day-breaks-everything-shors-algorithm-and-the-simultan/</guid><description>RSA, Diffie-Hellman, DSA, and elliptic curves share one abelian period. A single quantum computer running Shor&apos;s algorithm reads it and breaks all four at once.</description><pubDate>Sat, 18 Jul 2026 00:00:00 GMT</pubDate><content:encoded>
RSA, Diffie-Hellman, DSA, and elliptic-curve cryptography look like four independent security systems, but they secretly rest on one structure: a hidden period in a finite abelian group. A single fault-tolerant quantum computer running Shor&apos;s algorithm reads that period directly with the quantum Fourier transform, breaking all four in polynomial time -- and enlarging keys does not help, because Shor scales with the logarithm of the key. Symmetric cryptography (AES, SHA-2/3) survives Q-Day intact because it hides no such period, so it faces only Grover&apos;s quadratic speedup, which doubling the key size neutralizes. No such machine exists in 2026 -- the best hardware runs about one below-threshold logical qubit -- but &quot;harvest now, decrypt later&quot; means the migration to post-quantum cryptography cannot wait for it to arrive.
&lt;h2&gt;1. One Break, Four Falls&lt;/h2&gt;
&lt;p&gt;Four cryptographers, working in four different decades on four different branches of mathematics, built the fortresses that guard almost every secret you have ever sent: a 2048-bit RSA key, a 2048-bit Diffie-Hellman group, a DSA signature, and a 256-bit elliptic curve. They look nothing alike -- different keys, different math, different inventors -- so we deployed them side by side and called it diversity.&lt;/p&gt;
&lt;p&gt;This article is about the afternoon a single machine running a single idea knocks all four down at once, while AES-256 in the field next door barely looks up -- and about why the reason those four fall together is exactly the reason the fifth survives.&lt;/p&gt;
&lt;p&gt;Here is the thesis, stated plainly before any mathematics arrives to defend it: the four are not four problems. They are one. Underneath RSA&apos;s factoring, Diffie-Hellman&apos;s discrete logarithm, DSA&apos;s signatures, and elliptic-curve cryptography&apos;s smaller keys lies a single shared object -- a hidden period in a finite abelian group. A quantum computer running Peter Shor&apos;s 1994 algorithm reads that period more or less in one shot, and when the period falls, all four fortresses built on top of it fall with it [@shor-1994].&lt;/p&gt;
&lt;p&gt;Symmetric cryptography survives for the mirror-image reason: a well-built cipher hides no period at all, so there is nothing for the same machine to read.&lt;/p&gt;
&lt;p&gt;The event has a name.&lt;/p&gt;

Q-Day is the hypothetical day a cryptographically relevant quantum computer first runs Shor&apos;s algorithm at scale against deployed keys, breaking the public-key cryptography (RSA, Diffie-Hellman, DSA, and elliptic-curve schemes) that secures most of the internet. It is a threshold, not a gradual slope: the same machine that cannot break a 2048-bit key at all on Monday can break it in hours once it crosses the fault-tolerance threshold.
&lt;p&gt;Two questions organize everything that follows, and the whole article is their answer: &lt;em&gt;why do these four fall together?&lt;/em&gt; and &lt;em&gt;why not AES?&lt;/em&gt; Hold both in your head. The first is a story about a hidden unity nobody designed on purpose. The second is a story about a boundary so sharp it can be stated as a theorem -- and that same boundary turns out to be the entire design premise of the cryptography we are now scrambling to deploy.&lt;/p&gt;

RSA, Diffie-Hellman, DSA, and elliptic curves were never four independent bets. They are one bet -- that a hidden period in a finite abelian group is hard to find -- made four times in four disguises. Shor&apos;s algorithm collects on all four at once.
&lt;p&gt;One honesty flag, planted here and never lowered: no such machine exists in 2026. Not almost, not in a lab somewhere -- none. The best error-corrected hardware yet demonstrated encodes about one reliable logical qubit [@google-willow-2025], and a real attack needs on the order of a thousand of them holding still for hours. So this is a loaded gun on the table, not a fired one. That gap between a proven algorithm and an unbuilt machine is not a reason to relax; as we will see, it is precisely the deadline.&lt;/p&gt;
&lt;p&gt;The journey runs in seven moves: how the world came to trust just two hard problems, the one quantum trick that matters, the breakthrough that turned factoring into period-finding, the same trick applied three more times, the asymmetry that spares AES, the machine&apos;s true price tag, the limits of the blast radius, and why one proven fact already forces a global migration. To see why one machine breaks four fortresses, you first have to see how the world ended up trusting just two hard problems in the first place.&lt;/p&gt;
&lt;h2&gt;2. Two Problems the Whole World Rested On&lt;/h2&gt;
&lt;p&gt;Rewind to 1976. Two strangers want to agree on a shared secret while an eavesdropper records every bit that passes between them. For millennia this was considered impossible: to share a secret you first had to share a secret. Then Whitfield Diffie and Martin Hellman published a construction that let the two strangers mix public numbers into a private one the eavesdropper could not reconstruct, and modern cryptography was born [@diffie-hellman-1976]. Its security rested on a new assumption -- that one specific arithmetic operation is easy forward and hard backward.&lt;/p&gt;

In a cyclic group generated by an element $g$, exponentiation is easy: given $g$ and $x$, computing $h = g^x$ is fast. The discrete logarithm problem is the reverse: given $g$ and $h$, recover the exponent $x$. In the multiplicative group of integers modulo a large prime -- and, later, in the group of points on an elliptic curve -- recovering $x$ is believed to require super-polynomial classical effort. That belief is the security assumption beneath Diffie-Hellman, DSA, and elliptic-curve cryptography.
&lt;p&gt;A year later, Ron Rivest, Adi Shamir, and Leonard Adleman turned a different one-way asymmetry into a full encryption-and-signature system: multiplying two large primes is easy, but factoring their product back into those primes is hard [@rsa-1978]. &lt;a href=&quot;https://paragmali.com/blog/how-rsa-would-break-why-factoring-is-the-slow-path-and-coppe/&quot; rel=&quot;noopener&quot;&gt;RSA&lt;/a&gt; bet its life on integer factoring; &lt;a href=&quot;https://paragmali.com/blog/nobody-broke-the-discrete-log-a-field-guide-to-diffie-hellma/&quot; rel=&quot;noopener&quot;&gt;Diffie-Hellman&lt;/a&gt; had bet on the discrete logarithm. Two bets, two problems.&lt;/p&gt;
&lt;p&gt;Then the bets consolidated. In 1985 Victor Miller, and independently in 1987 Neal Koblitz, moved the discrete logarithm onto elliptic curves, where the best known classical attacks are far weaker and so the keys can be dramatically smaller for the same classical security [@miller-1986][@koblitz-1987]. &lt;a href=&quot;https://paragmali.com/blog/the-curve-was-hard-the-gap-was-soft-a-field-guide-to-using-e/&quot; rel=&quot;noopener&quot;&gt;Elliptic-curve cryptography&lt;/a&gt; was not a new hard problem -- it was the &lt;em&gt;same&lt;/em&gt; discrete logarithm relocated to a group where classical attackers had less traction.This is the seed of a cruel irony we will harvest in Section 5. ECC&apos;s whole selling point is that it achieves equal classical security with smaller keys, because no sub-exponential attack like index calculus applies to well-chosen curves [@koblitz-1987]. Against a quantum computer, &quot;smaller keys&quot; means &quot;fewer qubits to attack,&quot; so the classical strength inverts into a quantum liability.&lt;/p&gt;
&lt;p&gt;By the 1990s the accounting was stark. Strip away the packaging and essentially &lt;em&gt;all&lt;/em&gt; deployed public-key cryptography reduced to exactly two hard problems: integer factoring and the discrete logarithm. The classical attacks that calibrate their key sizes -- the general number field sieve for factoring, index calculus for finite-field discrete logs, Pollard&apos;s rho for elliptic curves -- are the subject of this series&apos; earlier posts on RSA and the discrete logarithm, and I will not re-derive them here [@bernstein-lange-2017].&lt;/p&gt;
&lt;p&gt;What matters is the structural fact: the entire public-key world put all its eggs in two baskets, and nobody chose those two baskets because they were secretly connected. They looked like independent bets.&lt;/p&gt;

Nobody chose factoring and the discrete logarithm because they were related. They looked like two independent bets. They were the same bet.
&lt;p&gt;While the defense lineage was consolidating, a second, unrelated lineage was quietly assembling the machine that would read both. In 1982 Richard Feynman observed that simulating quantum physics on a classical computer seems to require exponential resources, and proposed turning the problem around: build a computer that &lt;em&gt;is&lt;/em&gt; quantum-mechanical and let physics do the bookkeeping [@feynman-1982]. In 1985 David Deutsch made the idea rigorous, defining the universal quantum computer and the principle that it could simulate any physical process [@deutsch-1985].&lt;/p&gt;
&lt;p&gt;This was pure physics and computability theory. Nobody in 1985 thought it had anything to do with RSA. The two lineages were on tracks that had not yet touched.&lt;/p&gt;

flowchart LR
    subgraph Defense[&quot;Defense lineage -- the fortresses&quot;]
        DH[&quot;1976 Diffie-Hellman: discrete log assumption&quot;]
        RSA[&quot;1977 RSA: integer factoring&quot;]
        ECC[&quot;1985 to 1987 Miller and Koblitz: elliptic curves&quot;]
    end
    subgraph Attack[&quot;Attack lineage -- the machine&quot;]
        FEY[&quot;1982 Feynman: simulate physics with a quantum computer&quot;]
        DEU[&quot;1985 Deutsch: universal quantum computer&quot;]
        SIM[&quot;1994 Simon: period-finding template&quot;]
    end
    DH --&amp;gt; SHOR[&quot;1994 Shor: period-finding topples all four&quot;]
    RSA --&amp;gt; SHOR
    ECC --&amp;gt; SHOR
    FEY --&amp;gt; DEU
    DEU --&amp;gt; SIM
    SIM --&amp;gt; SHOR
    SHOR --&amp;gt; GID[&quot;2021 to 2025 Gidney: concrete qubit bill&quot;]
&lt;p&gt;Two problems, one machine, a decades-long collision course -- and in 1994 a single person connected them. The bridge between the two lineages started as one strange little algorithm about a hidden XOR mask, and to understand how it grew into the break, you have to understand the one quantum trick that makes all of this work.&lt;/p&gt;
&lt;h2&gt;3. The One Trick That Matters&lt;/h2&gt;
&lt;p&gt;Before we can watch four fortresses fall, we have to kill a myth, because the myth predicts the wrong outcome. The popular story says a quantum computer &quot;tries all the keys at once and reads out the winner.&quot; If that were true, it would break AES just as easily as RSA -- every symmetric cipher would fall too, and the entire second half of this article would be wrong. It is not true. A quantum computer does something far stranger and far more specific, and the specificity is the whole point.&lt;/p&gt;
&lt;p&gt;Start with the one genuinely non-classical resource.&lt;/p&gt;

A register of $n$ qubits can occupy a weighted combination of all $2^n$ basis states at once, written $\sum_x \alpha_x |x\rangle$ where each complex number $\alpha_x$ is an amplitude. Applying a function to that register evaluates it on every input simultaneously. But the result is an internal state, not a readable list: when you measure, you get exactly one outcome $x$, drawn at random with probability $|\alpha_x|^2$, and the rest of the superposition vanishes.
&lt;p&gt;This is where the myth breaks. Yes, you can evaluate a function on all $2^n$ inputs at once. No, you cannot read the answers. Measurement hands you a single random input-output pair, which is no better than guessing. Superposition alone buys you nothing. The art -- the entire art of quantum algorithms -- is what you do to the amplitudes &lt;em&gt;before&lt;/em&gt; you measure.&lt;/p&gt;
&lt;p&gt;The tool for that is interference. Amplitudes are complex numbers, and like waves they can add or cancel. If you can arrange the computation so that every path leading to a wrong answer is met by another path of opposite sign, the wrong answers cancel to near-zero amplitude, while the right answers reinforce. Measurement then returns a useful outcome with high probability -- not because you searched, but because you sculpted the wavefunction so that only the structure you care about is left standing.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; &quot;A quantum computer tries every key in parallel and reads the winner&quot; is wrong, and the error is not a detail. Parallel evaluation produces a superposition you cannot read; a single measurement collapses it to one random result. Every real quantum speedup comes from interference that cancels wrong answers -- and interference only helps when the problem has structure to exploit. Unstructured problems, like guessing an AES key, expose no such structure, which is exactly why they resist.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;So which structure can interference exploit? The most powerful answer known is &lt;em&gt;periodicity&lt;/em&gt;. Suppose a function $f$ is periodic: it repeats with some hidden period $r$, so that $f(x)$ and $f(x + r)$ always agree. Evaluate $f$ over a superposition of all inputs, and the state quietly organizes itself around that period. The instrument that reads it is the quantum Fourier transform.&lt;/p&gt;

The QFT is the quantum analogue of the discrete Fourier transform, applied to the amplitudes of a quantum state rather than to a list of numbers. Fed a state whose amplitudes repeat with a hidden period $r$, it concentrates the total amplitude onto the frequencies that match $r$, so that measuring the transformed state returns a multiple of $1/r$ with high probability. On an $n$-qubit register it runs in about $O(n^2)$ elementary gates [@nielsen-chuang-2010].
&lt;p&gt;Put those pieces together and you have a machine that does exactly one magical thing: it takes a function with a hidden period and hands you that period. Superpose over all inputs, evaluate the function, and the act of computing it entangles the input register with the output so that the input register&apos;s amplitudes now repeat with the function&apos;s period. Apply the QFT, and interference collapses that repeating pattern onto its frequency. Measure, and you read out information about $r$ -- the period no classical observer could see without effectively checking the inputs one by one.&lt;/p&gt;

flowchart TD
    A[&quot;Superpose over all inputs x&quot;] --&amp;gt; B[&quot;Evaluate f(x) into a second register&quot;]
    B --&amp;gt; C[&quot;Measuring or entangling leaves the input register repeating with period r&quot;]
    C --&amp;gt; D[&quot;Quantum Fourier transform concentrates amplitude on multiples of 1 over r&quot;]
    D --&amp;gt; E[&quot;Measure: read a multiple of the hidden frequency&quot;]
    E --&amp;gt; F[&quot;Classical post-processing recovers r&quot;]
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; A quantum computer does not search in parallel and read the winner. It engineers interference so that wrong answers cancel and only a function&apos;s hidden period survives measurement. No period, no exponential speedup -- which is precisely why the same machine that shatters RSA cannot touch a well-built symmetric cipher.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The first person to turn this into a concrete algorithm was Daniel Simon. In 1994 he built a toy problem -- a function that secretly satisfies $f(x) = f(x \oplus s)$ for a hidden bit-string $s$ -- and showed that quantum interference recovers $s$ exponentially faster than any classical method possibly could [@simon-1994].Simon&apos;s algorithm is the direct ancestor Shor read. Its &quot;period&quot; is a hidden XOR mask in a group of bit-strings, which breaks nothing anyone deployed. Shor&apos;s leap was to see the same template hiding inside a problem the entire economy depended on, and to swap Simon&apos;s simple transform for the QFT over the integers modulo $N$ [@simon-1994].&lt;/p&gt;
&lt;p&gt;Simon&apos;s hidden period lived in a toy group and broke nothing real. But it proved the template: encode a secret as the period of a function, then let interference read it. The question that ended an era was the obvious next one -- what &lt;em&gt;real&lt;/em&gt;, deployed, load-bearing problem is secretly period-finding in disguise?&lt;/p&gt;
&lt;h2&gt;4. The Breakthrough: Factoring Is Period-Finding&lt;/h2&gt;
&lt;p&gt;In 1994, at Bell Labs, Peter Shor answered that question with a move so clean it still reads like sleight of hand. Factoring -- the problem RSA stakes its life on -- is secretly a period-finding problem. Watch the reduction before the machinery, because the reduction is the whole trick.&lt;/p&gt;
&lt;p&gt;To factor a large number $N$, pick a random integer $a$ with no common factor with $N$. Now consider the innocent-looking function $f(x) = a^x \bmod N$. Because there are only finitely many residues modulo $N$, this function must eventually repeat, and it repeats with a period: the smallest $r$ for which $a^r \equiv 1 \pmod N$. That period has a name.&lt;/p&gt;

The multiplicative order of $a$ modulo $N$ is the smallest positive integer $r$ such that $a^r \equiv 1 \pmod N$. It is exactly the period of the function $f(x) = a^x \bmod N$. Classically, finding $r$ appears about as hard as factoring $N$ itself. Quantumly, it is the one thing the QFT does well.
&lt;p&gt;Here is why the order cracks the factorization. Suppose $r$ is even. Then $a^r - 1 = (a^{r/2} - 1)(a^{r/2} + 1)$ is divisible by $N$. Unless $a^{r/2} \equiv -1 \pmod N$ (a case you detect and retry), neither factor on the right is a multiple of $N$ by itself, so each shares only &lt;em&gt;part&lt;/em&gt; of $N$&apos;s prime structure. Computing $\gcd(a^{r/2} \pm 1,, N)$ with Euclid&apos;s ancient algorithm then hands you a non-trivial factor. For a random $a$, this works with probability at least one-half, so a couple of tries suffice [@shor-1994].&lt;/p&gt;
&lt;p&gt;Every step in that paragraph is classical arithmetic you can run right now -- except one: finding the order $r$. That single sub-problem is where the quantum computer earns its keep, and it is period-finding exactly as Section 3 described it.&lt;/p&gt;
&lt;p&gt;Superpose over all exponents $x$, compute $a^x \bmod N$ reversibly into a second register (this modular exponentiation is the dominant cost of the whole circuit), and the first register is left repeating with period $r$. Apply the QFT, and amplitude concentrates on multiples of $1/r$; measure, and you get an estimate of some $k/r$. A classical continued-fraction expansion then recovers $r$ from that estimate.&lt;/p&gt;

flowchart TD
    A[&quot;Pick random a in the range 2 to N minus 1&quot;] --&amp;gt; B{&quot;a coprime to N?&quot;}
    B --&amp;gt;|no| Z[&quot;gcd(a, N) is already a factor -- lucky&quot;]
    B --&amp;gt;|yes| C[&quot;Quantum step: find the order r of a mod N by QFT period-finding&quot;]
    C --&amp;gt; D[&quot;Classical step: continued fractions recover r from the measured fraction&quot;]
    D --&amp;gt; E{&quot;r even and a^(r/2) not -1 mod N?&quot;}
    E --&amp;gt;|no| A
    E --&amp;gt;|yes| F[&quot;Classical step: gcd(a^(r/2) +/- 1, N) yields a non-trivial factor&quot;]
&lt;p&gt;You do not need a quantum computer to see the reduction work, because only the order-finding is quantum. Compute the order by brute force on a small $N$, feed it into the same greatest-common-divisor step Shor uses, and a real factor drops out.&lt;/p&gt;
&lt;p&gt;{`
from math import gcd&lt;/p&gt;
&lt;p&gt;def find_order(a, N):
    # multiplicative order of a mod N: smallest r &amp;gt;= 1 with a^r = 1 (mod N)
    x = a % N
    r = 1
    while x != 1:
        x = (x * a) % N
        r += 1
        if r &amp;gt; N:                # safety: a was not coprime to N
            return None
    return r&lt;/p&gt;
&lt;p&gt;def factor_via_order(N, a):
    if gcd(a, N) != 1:
        return gcd(a, N), N // gcd(a, N)     # lucky: a already shares a factor
    r = find_order(a, N)
    if r is None or r % 2 != 0:
        return None                           # r odd -&amp;gt; pick another a and retry
    y = pow(a, r // 2, N)
    if y == N - 1:
        return None                           # a^(r/2) = -1 mod N -&amp;gt; retry
    return gcd(y - 1, N), gcd(y + 1, N)&lt;/p&gt;
&lt;p&gt;for (N, a) in [(15, 7), (21, 2), (2047, 5)]:
    print(&quot;N =&quot;, N, &quot; a =&quot;, a,
          &quot; order r =&quot;, find_order(a, N),
          &quot; factors =&quot;, factor_via_order(N, a))&lt;/p&gt;
N = 15  a = 7  order r = 4  factors = (3, 5)
N = 21  a = 2  order r = 6  factors = (7, 3)
N = 2047 a = 5  order r = 44 factors = (23, 89)
&lt;p&gt;`}&lt;/p&gt;

Add `(3233, 3)` to the list and it factors $3233 = 61 \times 53$ cleanly. Now add `(3233, 2)` and it returns `None`: with $a = 2$ the order is even but $a^{r/2} \equiv -1 \pmod{3233}$, the one case the reduction cannot use, so it must retry with a fresh $a$. That single `None` is the &quot;probability at least one-half&quot; caveat made concrete -- some choices of $a$ simply do not yield a factor, which is exactly why Shor picks $a$ at random and expects to need a couple of attempts.
&lt;p&gt;The classical order search above is exponential in the number of digits -- run it on a 2048-bit $N$ and it never returns. Shor&apos;s contribution is to replace that one line with a quantum circuit that finds the same $r$ in polynomial time.Alexei Kitaev reformulated the quantum step in 1995 as phase estimation on the operator that multiplies by $a$, recovering $r$ from the eigenvalue&apos;s phase. It is mathematically equivalent to Shor&apos;s order-finding and is how most modern textbooks present the algorithm [@kitaev-1995]. How polynomial? The whole circuit is about $O((\log N)^3)$ gates, dominated by the modular exponentiation; the QFT itself is only $O((\log N)^2)$ [@nielsen-chuang-2010].&lt;/p&gt;
&lt;p&gt;One precision point, flagged loudly because it will haunt Sections 7 and 8: that $O((\log N)^3)$ is a &lt;em&gt;circuit size&lt;/em&gt; on a perfect, noiseless, fault-tolerant machine. It counts logical gates, not seconds. The distance between &quot;a polynomial-size circuit exists&quot; and &quot;a machine ran it before lunch&quot; is measured in millions of physical qubits, and we will pay that bill in full later.&lt;/p&gt;
&lt;p&gt;Now the consequence that inverts fifty years of defensive instinct.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Every classical attack on RSA gets exponentially harder as the key grows, so the entire history of the field has been &quot;when the attacker catches up, add bits.&quot; Shor breaks that reflex. Its cost is polynomial in the &lt;em&gt;number of bits&lt;/em&gt; $n = \log N$. Going from RSA-2048 to RSA-4096 roughly doubles $n$, so it multiplies the qubit and gate counts by a small constant -- not the exponential wall classical attackers slam into. The first move everyone reaches for is worthless here.&lt;/p&gt;
&lt;/blockquote&gt;

Shor&apos;s cost grows with the logarithm of the key, not the key. Against this attack, RSA-4096 is not meaningfully safer than RSA-2048 -- it is a rounding error safer.
&lt;p&gt;Factoring was the first fortress to fall. But Shor&apos;s 1994 paper had a second half that almost nobody quotes, and it is the reason Diffie-Hellman, DSA, and elliptic curves fall too -- not by coincidence, but by the same mechanism running one dimension higher.&lt;/p&gt;
&lt;h2&gt;5. The Same Trick, Three More Times&lt;/h2&gt;
&lt;p&gt;If factoring is secretly period-finding, the natural question is: what else is? The answer is the entire argument of this article. Almost everything the deployed public-key world rests on is period-finding in disguise -- and Shor&apos;s own 1994 paper proved the second case himself.&lt;/p&gt;
&lt;p&gt;Recall the discrete logarithm: given $g$ and $h = g^s$ in a cyclic group of order $r$, recover the exponent $s$. Shor&apos;s insight was that $s$ is also hidden inside a periodicity, only now the period lives in two dimensions instead of one. Here is the mechanism in full, because it is the load-bearing step and hand-waving it would cheat you of the aha.&lt;/p&gt;
&lt;p&gt;Define the two-variable function&lt;/p&gt;
&lt;p&gt;$$f(x, y) = g^x , h^y = g^{,x + s y}.$$&lt;/p&gt;
&lt;p&gt;This function takes the same value whenever the exponent $x + s y$ is unchanged modulo $r$. So the set of shifts that leave $f$ invariant -- its hidden period, now a &lt;em&gt;lattice&lt;/em&gt; of vectors rather than a single number -- is&lt;/p&gt;
&lt;p&gt;$$L = {(x, y) \in \mathbb{Z}^2 : x + s y \equiv 0 \pmod{r}}.$$&lt;/p&gt;
&lt;p&gt;That lattice encodes the secret $s$ directly in its slope. To read it, Shor superposes over both exponent registers and applies a two-dimensional QFT. Interference concentrates the amplitude onto the dual frequency vectors $(k_1, k_2)$ satisfying $k_1 + s,k_2 \equiv 0 \pmod{r}$. A single measurement returns one such pair, and whenever $\gcd(k_2, r) = 1$ you solve for the secret in one line of classical arithmetic:&lt;/p&gt;
&lt;p&gt;$$s \equiv -,k_1 , k_2^{-1} \pmod{r}.$$&lt;/p&gt;
&lt;p&gt;Look at what just happened. This is the &lt;em&gt;exact&lt;/em&gt; same period-extraction that factored $N$ in Section 4 -- superpose, evaluate, transform, measure, post-process -- run in two dimensions instead of one [@shor-1994]. The discrete logarithm does not resist Shor any harder than factoring does; it surrenders the secret exponent directly. Finite-field Diffie-Hellman, DSA, and ElGamal all rest on precisely this discrete logarithm, so all three fall in the same stroke.&lt;/p&gt;
&lt;p&gt;Elliptic curves are the same story one more time. The points on an elliptic curve form a finite abelian group under a geometric addition law, and &quot;discrete logarithm&quot; there means recovering the integer $s$ with $Q = sP$ for public points $P$ and $Q$. It is the same $f(x,y)$, the same two-dimensional period, the same 2-D QFT -- only the group operation changes. John Proos and Christof Zalka worked out the elliptic-curve version explicitly in 2003, and with it ECDH, ECDSA, and EdDSA join the list [@proos-zalka-2003].&lt;/p&gt;
&lt;p&gt;Now the unification that turns three coincidences into one sentence.&lt;/p&gt;

Given a finite abelian group $G$ and a function $f$ on $G$ that is constant on the cosets of some hidden subgroup $H$ (and takes different values on different cosets), the abelian hidden subgroup problem is to find $H$. Order-finding, the finite-field discrete logarithm, and the elliptic-curve discrete logarithm are all special cases -- and the QFT with phase estimation solves every abelian instance in polynomial time [@kitaev-1995].
&lt;p&gt;Alexei Kitaev supplied this abstraction in 1995 [@kitaev-1995]. Before it, &quot;Shor breaks RSA&quot; and &quot;Shor breaks Diffie-Hellman&quot; looked like two separate results that happened to use the same author&apos;s trick. After it, they are two instances of a single mathematical fact: &lt;em&gt;the quantum Fourier transform reads a hidden period in any finite abelian group.&lt;/em&gt; Factoring hides its period in one dimension; both discrete logs hide theirs in two; the machine does not care which.&lt;/p&gt;

flowchart TD
    F1[&quot;Integer factoring -- RSA&quot;] --&amp;gt; HSP[&quot;Abelian hidden subgroup problem: f is constant on the cosets of a hidden subgroup&quot;]
    F2[&quot;Finite-field discrete log -- DH and DSA&quot;] --&amp;gt; HSP
    F3[&quot;Elliptic-curve discrete log -- ECDH and ECDSA&quot;] --&amp;gt; HSP
    HSP --&amp;gt; QFT[&quot;Quantum Fourier transform reads the hidden period&quot;]
    QFT --&amp;gt; O1[&quot;RSA falls&quot;]
    QFT --&amp;gt; O2[&quot;Diffie-Hellman and DSA fall&quot;]
    QFT --&amp;gt; O3[&quot;ECDH and ECDSA fall&quot;]
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; The four are not four security problems. They are one -- a hidden abelian period -- wearing four disguises. Factoring hides it in one dimension; the two discrete logs hide it in two. One machine, one idea, four falls.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Two precautions before the table. First, &quot;together&quot; means the same machine class and the same breakthrough, not one identical circuit pressing a single button. RSA, a finite field, and an elliptic curve need different arithmetic units compiled into the machine; what they share is that each reduces to the abelian HSP, so one fault-tolerant quantum computer running Shor&apos;s family of circuits dispatches all of them. Second -- and this is the counterintuitive kicker -- the four do not fall in the order their reputations suggest. Elliptic-curve cryptography, the &lt;em&gt;strongest&lt;/em&gt; of the four against classical attack, falls &lt;em&gt;first&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;Why? Because ECC&apos;s classical strength is small keys. No sub-exponential attack applies to a well-chosen curve, so a 256-bit elliptic key matches the classical security of a 3072-bit RSA key [@nist-sp800-57]. Against Shor, &quot;fewer bits&quot; simply means &quot;fewer logical qubits to build.&quot;&lt;/p&gt;
&lt;p&gt;Martin Roetteler and colleagues estimated in 2017 that breaking the NIST P-256 curve needs about 2330 logical qubits [@roetteler-2017] -- materially fewer than the roughly 6200 logical qubits (about $3n$) a 2048-bit RSA break requires [@gidney-ekera-2021]. Proos and Zalka had already found the same inversion in 2003: about 1000 qubits for 160-bit ECC versus about 2000 for the security-equivalent 1024-bit RSA [@proos-zalka-2003].Those small keys also pay a purely classical dividend that has nothing to do with quantum computers: at equal classical security an ECC certificate and its handshake messages are a fraction of the size of the RSA equivalent, which trims bandwidth and storage on every connection they protect.&lt;/p&gt;

&quot;ECC is an easier target than RSA.&quot; -- Roetteler, Naehrig, Svore, and Lauter, 2017
&lt;p&gt;The full ledger, with the survivor included so the contrast is unmissable:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Primitive&lt;/th&gt;
&lt;th&gt;Underlying hard problem&lt;/th&gt;
&lt;th&gt;Hidden abelian period?&lt;/th&gt;
&lt;th&gt;Quantum attack&lt;/th&gt;
&lt;th&gt;Do bigger keys help?&lt;/th&gt;
&lt;th&gt;Logical-qubit estimate&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;RSA-2048&lt;/td&gt;
&lt;td&gt;Integer factoring&lt;/td&gt;
&lt;td&gt;Yes -- one-dimensional order&lt;/td&gt;
&lt;td&gt;Shor order-finding&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;~6200 (about $3n$) [@gidney-ekera-2021]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Finite-field DH / DSA-2048&lt;/td&gt;
&lt;td&gt;Discrete log modulo a prime&lt;/td&gt;
&lt;td&gt;Yes -- two-dimensional period&lt;/td&gt;
&lt;td&gt;Shor DLP variant&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Comparable to RSA-2048 [@gidney-ekera-2021]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ECDH / ECDSA (P-256)&lt;/td&gt;
&lt;td&gt;Elliptic-curve discrete log&lt;/td&gt;
&lt;td&gt;Yes -- two-dimensional period&lt;/td&gt;
&lt;td&gt;Shor via Proos-Zalka&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;~2330 -- falls first [@roetteler-2017]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AES-256&lt;/td&gt;
&lt;td&gt;None -- unstructured key&lt;/td&gt;
&lt;td&gt;No period at all&lt;/td&gt;
&lt;td&gt;Grover only (quadratic)&lt;/td&gt;
&lt;td&gt;Yes -- doubling suffices&lt;/td&gt;
&lt;td&gt;Not applicable [@bbbv-1997]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Three rows share the &quot;yes&quot; column, and that shared &quot;yes&quot; is the entire vulnerability. One machine, one idea, four falls -- and yet AES-256 in the field next door survives untouched. That survival is not luck, and it is not a gap someone will patch next year. It is the second half of the thesis, and it has a proof.&lt;/p&gt;
&lt;h2&gt;6. Why Symmetric Crypto Only Loses a Square Root&lt;/h2&gt;
&lt;p&gt;Return to &lt;a href=&quot;https://paragmali.com/blog/the-fortress-and-the-afterthought-how-aes-would-break-at-its/&quot; rel=&quot;noopener&quot;&gt;AES-256&lt;/a&gt;, standing untouched in the next field. The same machine that reads RSA&apos;s period in polynomial time barely dents it. The reason is exactly the reason RSA falls: AES hides no period. There is no abelian structure inside a well-designed cipher for the QFT to grab, so the exponential engine has nothing to bite on. What is left is the generic attack that works on &lt;em&gt;any&lt;/em&gt; search problem, structured or not.&lt;/p&gt;

Grover&apos;s algorithm finds a marked item in an unstructured space of $N$ candidates using about $\sqrt{N}$ evaluations of a test function, a quadratic speedup over the roughly $N/2$ a classical search expects [@grover-1996]. For an $n$-bit key there are $N = 2^n$ candidates, so Grover&apos;s query count is about $2^{n/2}$: AES-128 drops to about $2^{64}$ queries, AES-256 to about $2^{128}$.
&lt;p&gt;At a glance that looks alarming -- $2^{64}$ sounds within reach. Hold that thought; it is the most misunderstood number in the field, and we will dismantle it in a moment. First, the structural point, because it is what makes the symmetric world safe by design rather than by luck.&lt;/p&gt;
&lt;p&gt;The quadratic speedup is not a weak version of Shor&apos;s exponential one. It is a &lt;em&gt;different kind&lt;/em&gt; of thing, and its weakness is provable. Bennett, Bernstein, Brassard, and Vazirani proved in 1997 that any quantum algorithm searching an unstructured space needs at least on the order of $\sqrt{N}$ queries -- the $\Omega(\sqrt{N})$ lower bound [@bbbv-1997]. Grover is optimal; you cannot do better against a structureless target.&lt;/p&gt;
&lt;p&gt;This is the single most important bound in the article, because it converts &quot;we do not know a better attack on AES&quot; into &quot;there provably is no better generic attack.&quot; Shor exists because factoring has structure. Grover is the best you can ever do precisely when there is none.&lt;/p&gt;
&lt;p&gt;{`
// Classical brute force is 2^n; Grover&apos;s floor is 2^(n/2).
// This compares EXPONENTS -- it is a query lower bound, not a runtime.
function keyStrength(nBits) {
  return { classical: nBits, grover: nBits / 2 };  // log2 of each cost
}&lt;/p&gt;
&lt;p&gt;for (const n of [128, 192, 256]) {
  const s = keyStrength(n);
  console.log(&quot;AES-&quot; + n + &quot;: classical 2^&quot; + s.classical + &quot; vs Grover floor 2^&quot; + s.grover);
}&lt;/p&gt;
&lt;p&gt;// Doubling the key restores the pre-quantum margin:
const groverAes256 = keyStrength(256).grover;      // 2^128
const classicalAes128 = keyStrength(128).classical; // 2^128
console.log(&quot;AES-256&apos;s Grover floor 2^&quot; + groverAes256 +
            &quot; equals AES-128&apos;s old classical margin 2^&quot; + classicalAes128);
// AES-128: classical 2^128 vs Grover floor 2^64
// AES-256: classical 2^256 vs Grover floor 2^128
`}&lt;/p&gt;
&lt;p&gt;So doubling the key exactly undoes Grover: AES-256&apos;s $2^{128}$ Grover floor restores the $2^{128}$ margin AES-128 used to enjoy classically. But &quot;double the key&quot; undersells how safe AES-128 already is, and here is where the popular $2^{64}$ falls apart.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;That $2^{64}$ is a floor on operations, not a feasible runtime.&lt;/strong&gt; Three facts, each independently decisive, separate the number from any real attack. First, Grover is inherently &lt;em&gt;sequential&lt;/em&gt;: its roughly $2^{n/2}$ iterations must be applied one after another, and each iteration contains a full evaluation of AES as a reversible quantum circuit -- a deep block of gates, not a single step [@grassl-2015]. You cannot collapse the iterations into a shallow parallel circuit.&lt;/p&gt;
&lt;p&gt;Second, it barely parallelizes: split the search across $P$ machines and each one&apos;s work drops by only $\sqrt{P}$, not $P$. Christof Zalka proved this is fundamental -- quantum searching &quot;cannot be parallelized better than by assigning different parts of the search space to independent quantum computers&quot; [@zalka-1999]. Throwing a thousand quantum computers at AES-128 buys a factor of about 31, not 1000.&lt;/p&gt;
&lt;p&gt;Third, and most concrete: real machines have a maximum circuit depth. NIST&apos;s post-quantum call formalized this as MAXDEPTH, with plausible values of ${2^{40}, 2^{64}, 2^{96}}$ serial logical gates -- roughly a year, a decade, and a millennium of continuous computation. Under that constraint, NIST estimated the cost of a Grover key search on AES-128 at about $2^{170}/\text{MAXDEPTH}$ quantum gates, versus $2^{143}$ classical gates -- because &quot;one has to run many smaller instances of the algorithm in parallel, which makes the quantum speedup less dramatic&quot; [@nist-cfp-2016].&lt;/p&gt;
&lt;p&gt;Even with MAXDEPTH at a decade ($2^{64}$), that is about $2^{106}$ gates. Depth-restricted analyses of explicit AES Grover oracles confirm the picture and underpin NIST&apos;s security categories [@jaques-2020]. The clean $2^{64}$ was always a lower bound on abstract queries, never a wall-clock estimate.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Symmetric cryptography survives not by being stronger than RSA but by being structureless: no hidden period, so no Shor, only a provably quadratic nibble -- and even that nibble is a floor on operations under a depth limit, not a runtime. AES-256 is not a nervous hope. It is a proof-backed hedge.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The comparison, side by side:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Property&lt;/th&gt;
&lt;th&gt;Symmetric (AES-256, SHA-384)&lt;/th&gt;
&lt;th&gt;Asymmetric (RSA, DH, DSA, ECC)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Exploitable abelian period?&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Best quantum attack&lt;/td&gt;
&lt;td&gt;Grover search&lt;/td&gt;
&lt;td&gt;Shor period-finding&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Speedup over classical&lt;/td&gt;
&lt;td&gt;Quadratic (square-root)&lt;/td&gt;
&lt;td&gt;Exponential&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Provably optimal attack?&lt;/td&gt;
&lt;td&gt;Yes -- $\Omega(\sqrt{N})$ [@bbbv-1997]&lt;/td&gt;
&lt;td&gt;Not applicable -- structure gives it away&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Effect of doubling the key&lt;/td&gt;
&lt;td&gt;Restores the full margin&lt;/td&gt;
&lt;td&gt;Negligible&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Survives Q-Day?&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; For symmetric primitives the fix is boring and effective: prefer AES-256 over AES-128, and SHA-384 or SHA-512 over SHA-256. Because Grover is only quadratic -- and, under a depth limit, far weaker than even that -- doubling the security parameter is not just adequate, it is sufficient with margin to spare [@nist-cfp-2016]. No new mathematics, no migration project. The hard problem is entirely on the public-key side.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;One honest fence marks the edge of that &quot;only Grover&quot; claim.&lt;/p&gt;

There is a model in which symmetric constructions fall exponentially, not quadratically. In the superposition-query (Q2) model, where an attacker can query a secret-keyed device on a superposition of inputs, Kaplan and colleagues showed in 2016 that Simon&apos;s algorithm breaks specific *modes* -- Even-Mansour, CBC-MAC, GMAC -- in polynomial time [@kaplan-2016]. This is real and important, but note what it requires: physical access to a keyed oracle that will accept quantum superpositions as input, an implementation-and-protocol assumption, not a structural weakness of the AES primitive. This article&apos;s contract is structural-only, and under the realistic classical-query model the &quot;symmetric loses just a square root&quot; claim holds. The Q2 mode attacks belong to the sibling post on how cryptography breaks in real life, alongside side channels and fault attacks.
&lt;p&gt;So the break is real, the boundary is sharp, and the algorithm has been proven on paper for thirty years. Only one thing still stands between the mathematics and your ciphertext: a machine that does not yet exist. Building it is where the story turns from algorithms to engineering -- and where the price tag appears.&lt;/p&gt;
&lt;h2&gt;7. From Algorithm to Machine: Fault Tolerance and the Qubit Bill&lt;/h2&gt;
&lt;p&gt;A polynomial-time algorithm is not a polynomial-time afternoon. Shor&apos;s circuit is small on paper, but &quot;on paper&quot; assumes qubits that never make a mistake and never forget. Real qubits do both, constantly. Run a bare Shor circuit on today&apos;s noisy hardware and it dissolves into random noise long before the modular exponentiation finishes. Closing the gap between the proof and the machine is an engineering problem measured in millions of qubits, and it has a structure worth understanding, because that structure is where the cost estimates come from -- and where they are falling.&lt;/p&gt;
&lt;p&gt;Begin with the distinction the whole field turns on.&lt;/p&gt;

A physical qubit is one noisy device -- a superconducting transmon, a trapped ion, a neutral atom -- with an error rate around $10^{-3}$ per operation. A logical qubit is an error-corrected qubit assembled from many physical ones, whose effective error rate can be pushed arbitrarily low by adding more physical qubits, provided each is already below a threshold error rate. Shor&apos;s circuit counts logical qubits and logical gates; the machine must manufacture them out of vastly more physical hardware.
&lt;p&gt;The manufacturing method is quantum error correction, and the workhorse is the surface code.&lt;/p&gt;

The surface code lays physical qubits on a two-dimensional grid and repeatedly measures local parity checks that reveal where errors occurred without measuring -- and thus destroying -- the stored quantum information. Its defining property: the logical error rate falls exponentially as the code distance $d$ (roughly the grid width) grows, as long as physical errors stay below about $1\%$. It is the code behind every concrete Shor resource estimate [@google-willow-2025].
&lt;p&gt;Error correction handles the memory and the easy gates, but Shor also needs &quot;non-Clifford&quot; gates -- the T and Toffoli operations that do the genuinely quantum arithmetic -- and those cannot be done directly on surface-code qubits. They are supplied through a separate factory that distills noisy inputs into clean &quot;magic states.&quot;The modern version of that factory is magic-state cultivation, which reaches logical error rates as low as $2 \times 10^{-9}$ under $10^{-3}$ circuit noise and, in its authors&apos; words, hints that &quot;further magic state distillation may never be needed in practice&quot; -- shaving one of the largest overheads in the whole bill [@magic-state-cultivation-2024]. Stack it all together and you get the fault-tolerance pyramid every estimate rests on.&lt;/p&gt;

flowchart TD
    P[&quot;Thousands of noisy physical qubits, about 1 percent error each&quot;] --&amp;gt; S[&quot;Surface-code patch: parity checks suppress errors exponentially in code distance&quot;]
    S --&amp;gt; L[&quot;One reliable logical qubit&quot;]
    M[&quot;Magic-state cultivation: clean T and Toffoli states&quot;] --&amp;gt; G[&quot;Non-Clifford gates that Shor requires&quot;]
    L --&amp;gt; G
    G --&amp;gt; SHOR[&quot;Fault-tolerant Shor circuit: about 3n logical qubits, billions of gates&quot;]
&lt;p&gt;Now the part that reframes the entire threat. Line up the resource estimates chronologically and hold the hardware assumptions fixed, and you see the price of Q-Day &lt;em&gt;collapsing&lt;/em&gt; -- not because anyone built a better qubit, but because the algorithms kept improving.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Year&lt;/th&gt;
&lt;th&gt;Target&lt;/th&gt;
&lt;th&gt;Qubits&lt;/th&gt;
&lt;th&gt;Runtime&lt;/th&gt;
&lt;th&gt;What changed&lt;/th&gt;
&lt;th&gt;Source&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;2003&lt;/td&gt;
&lt;td&gt;160-bit ECC&lt;/td&gt;
&lt;td&gt;~1000 logical&lt;/td&gt;
&lt;td&gt;--&lt;/td&gt;
&lt;td&gt;First elliptic-curve estimate&lt;/td&gt;
&lt;td&gt;Proos-Zalka [@proos-zalka-2003]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2017&lt;/td&gt;
&lt;td&gt;P-256 ECC&lt;/td&gt;
&lt;td&gt;2330 logical&lt;/td&gt;
&lt;td&gt;--&lt;/td&gt;
&lt;td&gt;Simulation-backed qubit formula&lt;/td&gt;
&lt;td&gt;Roetteler et al. [@roetteler-2017]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2020&lt;/td&gt;
&lt;td&gt;ECC curves&lt;/td&gt;
&lt;td&gt;fewer logical gates&lt;/td&gt;
&lt;td&gt;--&lt;/td&gt;
&lt;td&gt;Optimized ECDLP circuits&lt;/td&gt;
&lt;td&gt;Haner et al. [@haner-2020]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2021&lt;/td&gt;
&lt;td&gt;RSA-2048&lt;/td&gt;
&lt;td&gt;20 million physical&lt;/td&gt;
&lt;td&gt;8 hours&lt;/td&gt;
&lt;td&gt;First full fault-tolerant bill&lt;/td&gt;
&lt;td&gt;Gidney-Ekera [@gidney-ekera-2021]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2023&lt;/td&gt;
&lt;td&gt;RSA-2048&lt;/td&gt;
&lt;td&gt;asymptotic&lt;/td&gt;
&lt;td&gt;~$O(n^{3/2})$ gates&lt;/td&gt;
&lt;td&gt;First asymptotic gate win in ~30 years&lt;/td&gt;
&lt;td&gt;Regev [@regev-2023]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2025&lt;/td&gt;
&lt;td&gt;RSA-2048&lt;/td&gt;
&lt;td&gt;under 1 million physical&lt;/td&gt;
&lt;td&gt;under a week&lt;/td&gt;
&lt;td&gt;Better algorithms, same 2019 hardware&lt;/td&gt;
&lt;td&gt;Gidney [@gidney-2025]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Read the last three rows slowly. In 2021 Craig Gidney and Martin Ekera published the first end-to-end physical estimate: about 20 million noisy physical qubits, 8 hours, assuming a surface code with $10^{-3}$ gate error, a microsecond cycle time,A surface-code cycle is one full round of parity measurement across the patch; the estimate assumes roughly one microsecond per round, so an 8-hour run is on the order of tens of billions of rounds. and short-discrete-log refinements from Ekera and Hastad folded in [@gidney-ekera-2021][@ekera-hastad-2017].&lt;/p&gt;
&lt;p&gt;In 2023 Oded Regev found the first asymptotic reduction in Shor&apos;s gate count in three decades -- roughly $O(n^{3/2})$ gates -- though he flagged it as resting on a heuristic and not clearly practical, and its variant trades gate count for extra space whose real-world cost is still unsettled [@regev-2023]. Then in 2025 Gidney returned with a new estimate: fewer than one million physical qubits, under a week -- and, in a line worth pausing on, &lt;em&gt;the same 2019 hardware assumptions he used in the 20-million estimate&lt;/em&gt; [@gidney-2025].&lt;/p&gt;

Twenty million qubits to under one million in six years -- same author, same hardware assumptions, one-twentieth the machine. The mathematics improved, not the metal.
&lt;p&gt;That drop happened with no improvement in the underlying qubits at all: the estimate, not the machine, was the moving part, which means the cost of Q-Day keeps falling on the strength of pure algorithm design, independent of when good hardware arrives. That is the uncomfortable dynamic hiding behind every &quot;quantum is decades away&quot; headline: the target keeps moving toward us on the math axis while we wait for the hardware axis. The algorithm&apos;s price tag is collapsing on its own schedule. So the only question left is the one everyone actually asks -- how close is the machine itself?&lt;/p&gt;
&lt;h2&gt;8. Where the Hardware Actually Is (and Isn&apos;t)&lt;/h2&gt;
&lt;p&gt;State the honesty anchor flatly, because everything downstream depends on it: as of 2026, no cryptographically relevant quantum computer exists. Not &quot;almost,&quot; not &quot;in a classified lab somewhere.&quot; None. The public state of the art is three to four orders of magnitude short of a Shor attack, and it helps to see exactly how short, because the headlines and the reality use the same words to mean different things.&lt;/p&gt;

A CRQC is a quantum computer large and reliable enough to run Shor&apos;s algorithm against real deployed keys -- on the order of a few thousand logical qubits held coherent through billions of gates, which with today&apos;s overheads means roughly a million physical qubits. It is a specific threshold. A 100-qubit noisy processor, however valuable for physics, is not a small CRQC and cannot be scaled into one without error correction.
&lt;p&gt;The state of the art splits cleanly into two regimes, and conflating them is the source of most confusion. The first is &lt;em&gt;fully below-threshold error correction&lt;/em&gt; -- the hard, scalable kind, where adding qubits genuinely drives the error down.&lt;/p&gt;
&lt;p&gt;Google&apos;s Willow is the reference point: a distance-7 surface-code patch, a 7-by-7 array of 49 data qubits totaling 101 physical qubits, encoding exactly &lt;em&gt;one&lt;/em&gt; logical qubit. The logical error is suppressed by a factor $\Lambda = 2.14 \pm 0.02$ for each two-step increase in code distance, and its lifetime beats its best physical qubit by 2.4 times [@google-willow-2025].That $\Lambda$ greater than 1 is the whole result: it is the first convincing demonstration that a real surface code operates &lt;em&gt;below&lt;/em&gt; threshold, so that making the patch bigger makes the logical qubit better rather than worse. The number to remember is the ratio: about 100 physical qubits for one good logical qubit, today [@google-willow-2025]. So the scalable frontier stands at roughly one logical qubit built from about a hundred physical ones.&lt;/p&gt;
&lt;p&gt;The second regime is &lt;em&gt;error detection&lt;/em&gt; at low code distance, and it is where the &quot;tens of logical qubits&quot; headlines come from. A neutral-atom processor from a Harvard, MIT, and QuEra collaboration entangled up to 48 logical qubits using small &lt;code&gt;[[8,3,2]]&lt;/code&gt; code blocks (alongside 40 color-code qubits and a surface-code logical operation scaled across code distances) on up to 280 physical qubits [@bluvstein-2024]. That is a genuine milestone -- but these are transversal, post-selected error-&lt;em&gt;detection&lt;/em&gt; demonstrations, which throw away runs where an error is spotted, not a scalable below-threshold memory that can run for billions of gates.&lt;/p&gt;
&lt;p&gt;On the trapped-ion side, Quantinuum ran a handful of logical qubits with full &lt;em&gt;repeated&lt;/em&gt; error correction: a &lt;code&gt;[[7,1,3]]&lt;/code&gt; code and a &lt;code&gt;[[12,2,4]]&lt;/code&gt; code based on Knill&apos;s C4/C6 scheme (two logical qubits), the first reaching error rates 9.8 to 500 times below the physical rate and the second 4.7 to 800 times below it [@quantinuum-2024].&lt;/p&gt;
&lt;p&gt;Put the three numbers next to the requirement and the chasm is obvious. Fully below-threshold correction reaches about one logical qubit on superconducting hardware and a couple on trapped ions; error detection reaches a few tens on neutral atoms.&lt;/p&gt;
&lt;p&gt;A CRQC needs about 2330 logical qubits for the P-256 curve [@roetteler-2017], or roughly $3n$ -- at least 6200 -- for RSA-2048, backed by fewer than a million physical qubits [@gidney-2025]. Between &quot;48 post-selected logical qubits in a detection demo&quot; and &quot;a few thousand fully corrected logical qubits running Shor for hours&quot; lie three to four orders of magnitude and several unsolved engineering problems.&lt;/p&gt;
&lt;p&gt;When, then? The honest answer is a window, not a date. Expert judgment clusters the arrival of a CRQC in roughly the 2030 to 2035 range with wide uncertainty on both sides. The most-cited proxy, the Global Risk Institute and evolutionQ expert-survey timeline, reports figures on the order of 28 to 49 percent probability within ten years [@quantum-threat-timeline] -- but that number must be quoted with its qualifier: it is a &lt;em&gt;survey of expert opinion&lt;/em&gt;, not a measured or primary-verified quantity, and the defensible claim is the qualitative window, not any single percentage.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The absence of a machine today would be comforting if secrets expired the moment they were sent. They do not. An adversary can record your encrypted traffic now and store it until a CRQC arrives, then decrypt it retroactively. For any data whose confidentiality must outlive the 2030s, &quot;no quantum computer exists yet&quot; provides exactly zero protection. The clock started when the ciphertext was first captured, not when the machine boots.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The gun is loaded and sitting on the table. Its trigger is an engineering trajectory, not a delivered capability, and the timeline is a judgment rather than a promise -- but a judgment that says &quot;sometime in the next decade&quot; is not a judgment you can safely ignore for data that must stay secret into the 2040s. Before we talk about who has to move first, one question decides everything downstream: what, exactly, does this machine &lt;em&gt;not&lt;/em&gt; break?&lt;/p&gt;
&lt;h2&gt;9. What Q-Day Does Not Break&lt;/h2&gt;
&lt;p&gt;The blast radius is bounded, and the boundary is the thesis restated as a theorem: Shor breaks &lt;em&gt;exactly&lt;/em&gt; the abelian-hidden-subgroup primitives, and nothing else structurally. Everything on the safe side of that line survives Q-Day, and a whole field of cryptography was deliberately built there.&lt;/p&gt;
&lt;p&gt;Start the inventory. Symmetric ciphers and hashes survive with only Grover&apos;s quadratic nibble, as Section 6 proved. Hash-based signatures such as SLH-DSA rest on nothing but the preimage and collision resistance of a hash function, so they inherit that same square-root safety and no more [@fips-205]. And the new public-key families -- lattices, codes, isogenies, multivariate systems -- survive because not one of them is an abelian hidden-subgroup problem. The QFT has no period to read.&lt;/p&gt;
&lt;p&gt;The sharpest way to say why is to name the structure lattices actually touch.&lt;/p&gt;

The dihedral group is non-abelian: its elements do not all commute. The hidden subgroup problem over it is the natural non-abelian cousin of the one the QFT dispatches so easily -- but the Fourier machinery that concentrates amplitude so neatly in the abelian case does not do so here. Despite two decades of effort, the best known quantum algorithm is Kuperberg&apos;s, running in sub-exponential but still super-polynomial time $2^{O(\sqrt{\log N})}$ [@kuperberg-2003]. Certain lattice problems relate to it, which is one reason lattice cryptography is believed quantum-resistant.
&lt;p&gt;Notice the symmetry. The abstraction that &lt;em&gt;unifies&lt;/em&gt; the attack -- the abelian HSP -- is the very same abstraction that &lt;em&gt;bounds&lt;/em&gt; it. Cross from abelian to non-abelian structure and the QFT stops working, Shor&apos;s polynomial-time guarantee evaporates, and the best anyone has managed in twenty years is sub-exponential. That single conceptual line is the design premise of post-quantum cryptography.&lt;/p&gt;
&lt;p&gt;But here precision matters more than anywhere else in the article, because the most natural way to summarize this is &lt;em&gt;wrong&lt;/em&gt; and plants a misconception. It is tempting to write that the best quantum attack on lattice schemes is Kuperberg&apos;s sub-exponential algorithm. It is not, for three reasons worth stating explicitly.&lt;/p&gt;
&lt;p&gt;First, the attack that actually sets lattice key sizes is not a hidden-subgroup attack at all. It is lattice sieving -- quantum-accelerated BKZ -- and it is &lt;em&gt;exponential&lt;/em&gt;. Heuristic quantum sieving for the shortest-vector problem runs in about $2^{0.312n + o(n)}$, against the classical $2^{0.384n + o(n)}$ [@laarhoven-2013]. Quantum search shaves the constant in the exponent; it never reaches sub-exponential. Lattice parameters are chosen against that exponential wall.&lt;/p&gt;
&lt;p&gt;Second, the famous link between lattices and the dihedral HSP is a &lt;em&gt;one-directional reduction, not a usable attack&lt;/em&gt;. Regev showed in 2004 that a dihedral-HSP solver &lt;em&gt;by coset sampling&lt;/em&gt; would break the unique shortest-vector problem [@regev-2004] -- but there is no known way to prepare the required dihedral coset states from an actual lattice instance. The implication runs from &quot;hypothetical dihedral solver&quot; to &quot;broken lattice,&quot; not the other way, so you cannot feed a real lattice problem into Kuperberg&apos;s algorithm and get an attack out.&lt;/p&gt;
&lt;p&gt;Third, Kuperberg&apos;s sub-exponential algorithm genuinely is the best known attack -- but for a &lt;em&gt;different&lt;/em&gt; family. Commutative-isogeny schemes like CSIDH are built on an abelian group action, a hidden-shift problem, and there Kuperberg&apos;s algorithm really does set the parameters [@csidh-2018][@kuperberg-2003]. The &quot;Kuperberg&quot; label belongs on a CSIDH row, never on the lattice row. With that fixed, here is the honest ledger of what falls and what stands.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Primitive&lt;/th&gt;
&lt;th&gt;Underlying problem&lt;/th&gt;
&lt;th&gt;Abelian HSP?&lt;/th&gt;
&lt;th&gt;Best known quantum attack&lt;/th&gt;
&lt;th&gt;Verdict&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;RSA / DH / DSA / ECC&lt;/td&gt;
&lt;td&gt;Factoring, discrete log&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;Shor -- polynomial&lt;/td&gt;
&lt;td&gt;Broken&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AES-256, SHA-384/512&lt;/td&gt;
&lt;td&gt;Unstructured key or preimage&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Grover -- quadratic (optimal)&lt;/td&gt;
&lt;td&gt;Safe: double the parameter [@bbbv-1997]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SLH-DSA (hash signatures)&lt;/td&gt;
&lt;td&gt;Hash preimage and collision&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Grover -- quadratic&lt;/td&gt;
&lt;td&gt;Safe [@fips-205]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ML-KEM / ML-DSA (lattice)&lt;/td&gt;
&lt;td&gt;Module-LWE&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Exponential lattice sieving $2^{\Theta(n)}$&lt;/td&gt;
&lt;td&gt;Believed safe [@laarhoven-2013]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;CSIDH (commutative isogeny)&lt;/td&gt;
&lt;td&gt;Abelian group action, hidden shift&lt;/td&gt;
&lt;td&gt;Group action&lt;/td&gt;
&lt;td&gt;Kuperberg -- sub-exponential&lt;/td&gt;
&lt;td&gt;Sized against Kuperberg [@kuperberg-2003]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; The line Shor cannot cross is the line between abelian and non-abelian structure -- and that single line is the entire design premise of post-quantum cryptography. Lattice schemes are not &quot;probably too hard to bother with&quot;; they sit provably on the far side of the abstraction that makes Shor work.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Two counterweights keep this from becoming triumphalism, and they cut in opposite directions.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Nobody has ever proven that factoring or the discrete logarithm is classically hard. Factoring&apos;s decision version sits in NP intersect co-NP and is not believed NP-complete, so Shor exploits &lt;em&gt;special structure&lt;/em&gt;, not raw NP-hardness. That means Shor is &lt;em&gt;the known&lt;/em&gt; structural break -- not a proof that no classical shortcut exists. The public-key world was never standing on proven ground; it was standing on ground nobody had found a way through yet.&lt;/p&gt;
&lt;/blockquote&gt;

In 2022 Wouter Castryck and Thomas Decru broke SIDH, a leading isogeny-based candidate, recovering the key of SIKEp434 in about ten minutes on a single classical core [@castryck-decru-2022]. No quantum computer was involved. Two lessons follow. First, do not conflate &quot;elliptic-curve&quot; with &quot;Shor target&quot;: SIDH is isogeny-based, a different hard problem, and it fell to classical mathematics, not to Q-Day. Second, the post-quantum assumptions are themselves young and unproven, and SIDH is proof that a scheme can be quantum-immune and still catastrophically broken. Note also that SIDH is not CSIDH: one collapsed classically, the other still stands, sized against Kuperberg.
&lt;p&gt;So Shor is a scalpel, not a bomb. It cuts exactly one structure -- the abelian hidden period -- and a whole field of cryptography was engineered to live on the parts it cannot reach. That field exists for exactly one reason, and with every piece now on the table, it is time to name it.&lt;/p&gt;
&lt;h2&gt;10. Why This One Event Is the Whole Reason PQC Exists&lt;/h2&gt;
&lt;p&gt;Assemble the pieces and one sentence follows that you now have every reason to accept. Because RSA, Diffie-Hellman, DSA, and elliptic-curve cryptography share exactly one crack -- the abelian period the QFT reads -- that crack is not four separate vulnerabilities. It is a &lt;em&gt;single point of failure&lt;/em&gt; for nearly the entire deployed public-key world. And a single point of failure of that magnitude does not get patched. It gets routed around, by building a replacement on the far side of the abelian line.&lt;/p&gt;

One shared crack under four fortresses is not four vulnerabilities. It is one -- a single point of failure for nearly all deployed public-key cryptography. Post-quantum cryptography is the world&apos;s response to that one fact.
&lt;p&gt;That response is already machinery, and every gear traces back to Shor. In 2016 NIST opened a public competition to standardize quantum-resistant algorithms [@nist-pqc-project]; on 13 August 2024 it published the first three standards -- FIPS 203 (ML-KEM) for key establishment, FIPS 204 (ML-DSA) for signatures, and FIPS 205 (SLH-DSA) for hash-based signatures [@fips-203][@fips-204][@fips-205].&lt;/p&gt;
&lt;p&gt;The NSA&apos;s CNSA 2.0 suite sets a national-security transition timeline and, tellingly, keeps AES-256 and &lt;a href=&quot;https://paragmali.com/blog/how-sha-2-and-sha-3-would-break-merkle-damgard-collisions-le/&quot; rel=&quot;noopener&quot;&gt;SHA-384/512&lt;/a&gt; on the symmetric side because those need no replacement [@nsa-cnsa-2.0]. And in 2026 the United States made it binding: Executive Order 14412 requires high-value systems to adopt post-quantum key establishment by 31 December 2030 and post-quantum signatures by 31 December 2031 [@eo-14412].&lt;/p&gt;
&lt;p&gt;There is a quiet revival buried in that timeline. The lattice hardness now anchoring ML-KEM and ML-DSA is not new: Miklos Ajtai put worst-case lattice hardness on a rigorous footing in 1996, and NTRU shipped a ring-based lattice cryptosystem in 1998 [@ajtai-1996][@ntru-1998]. Both sat in a niche for two decades. What changed their fortunes was not a new theorem -- it was Shor turning &quot;hardness the quantum Fourier transform cannot read&quot; into the single most valuable property a cryptosystem can have, and a generation of survey work mapping out the lattice, code, hash, and isogeny families that possess it [@bernstein-lange-2017].&lt;/p&gt;
&lt;p&gt;But standards and deadlines only matter if they beat the clock, and the clock is subtle, because it started ticking before the machine exists. Michele Mosca captured the logic in a single inequality.&lt;/p&gt;

Let $X$ be the years your organization needs to migrate to quantum-safe cryptography, $Y$ the years your data must stay confidential, and $Z$ the years until a CRQC exists. If $X + Y &amp;gt; Z$, then data you protect today will still be sensitive when the machine arrives -- so you are already exposed, no matter how far off Q-Day turns out to be [@mosca-2018].

flowchart LR
    X[&quot;X: years to migrate&quot;] --&amp;gt; SUM[&quot;X + Y&quot;]
    Y[&quot;Y: years data must stay secret&quot;] --&amp;gt; SUM
    Z[&quot;Z: years until a CRQC exists&quot;] --&amp;gt; CMP{&quot;X + Y greater than Z?&quot;}
    SUM --&amp;gt; CMP
    CMP --&amp;gt;|yes| EXP[&quot;Already exposed: harvested ciphertext will be readable&quot;]
    CMP --&amp;gt;|no| OK[&quot;Safe, for this data, for now&quot;]
&lt;p&gt;The inequality has teeth because of the harvesting strategy that makes $Z$ irrelevant for confidentiality.&lt;/p&gt;

Harvest-now-decrypt-later is the practice of recording encrypted traffic today and storing it until a quantum computer can decrypt it. It converts a future capability into a present threat: the confidentiality of a long-lived secret is compromised the moment its ciphertext is captured, not the moment Q-Day arrives.
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; If an adversary is recording your encrypted traffic now -- and for high-value targets it is safe to assume someone is -- then every secret with a shelf life into the 2030s is effectively in the open already. You cannot un-send the ciphertext. This is the reason the migration cannot wait for proof that a CRQC exists: by the time the proof arrives, the harvested data is decades into its exposure. The empirical side of this -- who is harvesting, what is already at risk, and what the captured traffic looks like -- is the subject of the companion post, &quot;How Q-Day Is Already Breaking Things: Harvest Now, Decrypt Later.&quot;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;This is the hinge of the whole series, so state it without hedging. The post-quantum migration is not a bet on when quantum computers will arrive. It is a response to one already-proven mathematical fact -- that Shor&apos;s algorithm reads the shared abelian period under RSA, Diffie-Hellman, DSA, and ECC -- combined with one strategic fact, that adversaries can harvest today and decrypt later. Neither of those facts depends on a machine booting up. Which means the work starts now, not on Q-Day. So what, concretely, do you do before the machine that does not yet exist finally does?&lt;/p&gt;
&lt;h2&gt;11. What To Do Before Q-Day&lt;/h2&gt;
&lt;p&gt;You cannot buy a cryptographically relevant quantum computer, and you cannot wait for one to appear before acting -- harvest-now-decrypt-later has already seen to that. The good news is that the pre-Q-Day checklist follows directly from the thesis, and every item on it is doable today with shipping standards.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;1. Inventory every use of RSA, DH, DSA, ECDH, and ECDSA.&lt;/strong&gt; Build a cryptographic bill of materials: where each algorithm lives, which keys protect what, and how long each secret must last. This is not busywork. Because all four primitives share one crack, &lt;em&gt;nothing&lt;/em&gt; on that list is safe by virtue of key size, curve choice, or obscurity -- the inventory is the map of your entire exposure.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;2. Triage by secrecy lifetime.&lt;/strong&gt; Run Mosca&apos;s inequality on each data class. Anything whose confidentiality must outlive the CRQC window -- health records, state secrets, long-lived credentials, genomic data -- migrates first, because for that data $X + Y &amp;gt; Z$ already holds [@mosca-2018]. You can compute the gap directly.&lt;/p&gt;
&lt;p&gt;{`
// If migration time X + secrecy lifetime Y exceeds time-to-CRQC Z, you are exposed.
function mosca(X, Y, Z) {
  const exposed = (X + Y) &amp;gt; Z;
  const gap = (X + Y) - Z;   // positive gap = years of exposure
  return { exposed, gap };
}&lt;/p&gt;
&lt;p&gt;const cases = [
  { label: &quot;Long-lived health records&quot;, X: 5, Y: 25, Z: 12 },
  { label: &quot;Short-lived session key&quot;,   X: 2, Y: 1,  Z: 12 },
];
for (const c of cases) {
  const r = mosca(c.X, c.Y, c.Z);
  console.log(c.label + &quot;: X=&quot; + c.X + &quot; Y=&quot; + c.Y + &quot; Z=&quot; + c.Z + &quot; -&amp;gt; &quot; +
    (r.exposed ? &quot;EXPOSED by &quot; + r.gap + &quot; years&quot; : &quot;safe by &quot; + (-r.gap) + &quot; years&quot;));
}
// Long-lived health records: X=5 Y=25 Z=12 -&amp;gt; EXPOSED by 18 years
// Short-lived session key: X=2 Y=1 Z=12 -&amp;gt; safe by 9 years
`}&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;3. Deploy hybrid key establishment now.&lt;/strong&gt; Combine a classical exchange with a lattice one -- for example the &lt;code&gt;X25519MLKEM768&lt;/code&gt; hybrid -- so that a future CRQC cannot decrypt today&apos;s captured sessions, while a flaw in the young post-quantum scheme still leaves the classical layer standing [@fips-203]. Hybrids are the pragmatic answer to &quot;the abelian period is readable&quot; and &quot;the new assumptions are unproven&quot; at the same time.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;4. Migrate signatures on their own timeline.&lt;/strong&gt; Move to ML-DSA or SLH-DSA, but recognize the urgency differs from confidentiality [@fips-204][@fips-205]. A forged signature requires a CRQC at signing time; there is nothing an adversary can harvest today and forge later. Confidentiality is the harvestable asset, so it leads.&lt;/p&gt;

Harvest-now-decrypt-later threatens *confidentiality*: recorded ciphertext sits waiting for the machine. Signatures are different -- forgery needs a CRQC while the signing key is still trusted, so there is no equivalent of a stored capture that becomes forgeable in hindsight. This is why key establishment carries the earlier deadline in Executive Order 14412 than signatures do. The exception is long-lived roots of trust -- certificate-authority roots, firmware-signing keys valid for a decade or more -- whose validity windows reach into the CRQC era and so deserve early attention.
&lt;p&gt;&lt;strong&gt;5. Take the cheap symmetric hedge.&lt;/strong&gt; Prefer AES-256 over AES-128 and SHA-384 or SHA-512 over SHA-256. As Section 6 established, Grover is only quadratic -- and under a realistic depth limit, far weaker than even that -- so doubling the security parameter is sufficient, not merely hopeful [@bbbv-1997]. This is the one part of the migration that costs almost nothing.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;6. Build crypto-agility.&lt;/strong&gt; Design so the algorithm can be swapped without re-architecting the protocol, so the next transition is a configuration change rather than another decade-long project.&lt;/p&gt;

Crypto-agility is building systems so a cryptographic algorithm can be replaced without redesigning the protocol or application around it. It turns a future migration from a rebuild into a swap.
&lt;p&gt;Crypto-agility is doubly warranted here, because the destination assumptions are young. SIDH&apos;s classical collapse in 2022 is the standing reminder that a scheme can look quantum-safe and still fail for reasons no one anticipated [@castryck-decru-2022]. Agility is how you survive being wrong about the replacement.&lt;/p&gt;
&lt;p&gt;For the details of &lt;em&gt;what&lt;/em&gt; to migrate to -- parameter sets, performance trade-offs, and deployment patterns -- this series&apos; &lt;a href=&quot;https://paragmali.com/blog/one-event-three-assumptions-five-answers-a-field-guide-to-th/&quot; rel=&quot;noopener&quot;&gt;post-quantum-toolkit&lt;/a&gt; and &lt;a href=&quot;https://paragmali.com/blog/you-cannot-rotate-what-you-cannot-see-crypto-agility-and-the/&quot; rel=&quot;noopener&quot;&gt;crypto-agility&lt;/a&gt; installments carry the load, and the implementation-hardening questions (side channels, fault attacks, and the rest) belong to the empirical sibling, per this article&apos;s structural-only contract. None of it waits for the machine. That is the whole point -- and it is why the last few questions people always ask deserve straight, mechanism-grounded answers.&lt;/p&gt;
&lt;h2&gt;12. Sharp Questions, Straight Answers&lt;/h2&gt;


No. The threat to confidentiality is already live through harvest-now-decrypt-later: an adversary records your encrypted traffic today and decrypts it once a CRQC exists [@mosca-2018]. If your data must stay secret into the 2030s, the absence of a machine in 2026 protects nothing -- the ciphertext is already captured, and you cannot un-send it.


No. Symmetric primitives expose no abelian period, so Shor does not apply; they face only Grover&apos;s quadratic speedup, which is provably the best any quantum attacker can do against unstructured search [@bbbv-1997]. And even that is a floor on operations, not a runtime: under NIST&apos;s MAXDEPTH depth limit, an AES-128 key search costs about $2^{170}/\text{MAXDEPTH}$ quantum gates [@nist-cfp-2016]. Prefer AES-256 and SHA-384/512 and the problem is closed.


No, and this is the counterintuitive part. Shor&apos;s cost is polynomial in the number of key bits, so going from RSA-2048 to RSA-4096 buys a small constant, not security [@shor-1994]. Worse for the intuition: elliptic curves use *smaller* keys, so they need *fewer* logical qubits and fall first -- about 2330 logical qubits for P-256 versus roughly 6200 for RSA-2048 [@roetteler-2017][@gidney-ekera-2021].


Same machine class and same breakthrough, not one identical circuit. RSA, a finite field, and an elliptic curve need different arithmetic compiled into the machine, but each reduces to the abelian hidden-subgroup problem, so one CRQC running Shor&apos;s family dispatches all of them [@kitaev-1995]. If anything, elliptic-curve schemes fall a step ahead because they need the fewest qubits [@roetteler-2017].


No -- and this conflation is a common trap. The broken isogeny scheme SIDH was not defeated by Shor at all; Castryck and Decru broke it with classical mathematics in about ten minutes on one core [@castryck-decru-2022]. &quot;Elliptic-curve&quot; is not the same as &quot;Shor target.&quot; Isogeny problems are a different structure, and their risks (as SIDH showed) can be entirely classical.


The migration is not a bet on hardware timing. Mosca&apos;s inequality shows that if migration time plus secrecy lifetime exceeds time-to-CRQC, you are already exposed [@mosca-2018]. Meanwhile the cost estimates keep falling on algorithmic progress alone -- 20 million qubits to under a million in six years, same hardware assumptions [@gidney-ekera-2021][@gidney-2025] -- and the underlying algorithm has been proven for three decades. The proof is not in doubt; only the schedule is.

&lt;p&gt;Step back to the single image the whole article was built to earn. Four cryptographers, four decades, four branches of mathematics -- and one hidden period beneath all of them. RSA, Diffie-Hellman, DSA, and elliptic curves were never four independent bets. They were one bet, that a hidden abelian period is hard to find, made four times in four disguises.&lt;/p&gt;
&lt;p&gt;Shor&apos;s algorithm reads that period with the quantum Fourier transform and collects on all four at once, while AES-256 in the next field survives for the mirror-image reason: it hides no period, so the same machine can do no better than a provably quadratic nibble. That asymmetry -- abelian falls, non-abelian stands -- is not a footnote. It is the exact line post-quantum cryptography was engineered to live behind.&lt;/p&gt;
&lt;p&gt;The shared quantum vulnerability of RSA, Diffie-Hellman, DSA, and elliptic curves is a single point of failure, and that single point is the whole reason post-quantum cryptography exists. The algorithm is proven; the machine is not here yet; and the distance between those two facts is not your safety margin -- it is your deadline.&lt;/p&gt;
&lt;p&gt;The gun is loaded and on the table. No one has fired it, and no one can say precisely when someone will. But the mathematics that makes it fire was settled in 1994, the price of ammunition is falling every year, and some of the secrets it will read are being recorded right now. That is why the work does not start on Q-Day. It starts today.&lt;/p&gt;
&lt;p&gt;&amp;lt;StudyGuide slug=&quot;how-q-day-breaks-everything&quot; keyTerms={[
  { term: &quot;Q-Day&quot;, definition: &quot;The day a cryptographically relevant quantum computer first runs Shor&apos;s algorithm against deployed keys, breaking RSA, Diffie-Hellman, DSA, and elliptic-curve cryptography.&quot; },
  { term: &quot;Discrete Logarithm Problem&quot;, definition: &quot;Recovering the exponent x from g and h = g^x in a finite group; the assumption under Diffie-Hellman, DSA, and ECC.&quot; },
  { term: &quot;Superposition&quot;, definition: &quot;A quantum register occupying a weighted combination of all basis states at once; measuring returns just one outcome at random.&quot; },
  { term: &quot;Quantum Fourier Transform&quot;, definition: &quot;The instrument that concentrates a quantum state&apos;s amplitude onto the frequency of a hidden period, so measurement reveals the period.&quot; },
  { term: &quot;Order of a mod N&quot;, definition: &quot;The smallest positive r with a to the r congruent to 1 mod N; the period of a to the x mod N and the key to factoring.&quot; },
  { term: &quot;Abelian Hidden Subgroup Problem&quot;, definition: &quot;Finding a hidden subgroup of a finite abelian group from a function constant on its cosets; solved by the QFT in polynomial time and shared by factoring and both discrete logs.&quot; },
  { term: &quot;Grover&apos;s algorithm&quot;, definition: &quot;A generic unstructured search in about the square root of the space; a quadratic, provably optimal, non-structural speedup.&quot; },
  { term: &quot;Logical vs physical qubit&quot;, definition: &quot;A logical qubit is an error-corrected qubit built from many noisy physical qubits; Shor&apos;s circuit counts logical qubits and gates.&quot; },
  { term: &quot;Surface code&quot;, definition: &quot;A two-dimensional error-correcting code whose logical error falls exponentially with code distance when physical errors stay below about one percent.&quot; },
  { term: &quot;CRQC&quot;, definition: &quot;A cryptographically relevant quantum computer: enough logical qubits held coherent through billions of gates to run Shor against real keys, roughly a million physical qubits today.&quot; },
  { term: &quot;Dihedral (non-abelian) HSP&quot;, definition: &quot;The non-abelian hidden-subgroup problem lattice problems relate to; the best known quantum algorithm is only sub-exponential, which is why lattice cryptography resists Shor.&quot; },
  { term: &quot;Mosca&apos;s inequality&quot;, definition: &quot;If migration time plus data secrecy lifetime exceeds time-to-CRQC, your data is already exposed to harvest-now-decrypt-later.&quot; }
]} questions={[
  { q: &quot;Why does enlarging an RSA or ECC key fail to defend against Shor?&quot;, a: &quot;Shor&apos;s cost is polynomial in the number of key bits, so more bits add only a small constant; ECC&apos;s smaller keys even make it fall first.&quot; },
  { q: &quot;Why does AES-256 survive Q-Day when RSA does not?&quot;, a: &quot;AES hides no abelian period for the QFT to read, so it faces only Grover&apos;s quadratic speedup, which the BBBV bound proves is optimal; doubling the key restores the margin.&quot; },
  { q: &quot;In what sense are RSA, DH, DSA, and ECC the same problem?&quot;, a: &quot;All three underlying problems are instances of the abelian hidden-subgroup problem, which the quantum Fourier transform solves in polynomial time.&quot; },
  { q: &quot;Why is the best quantum attack on ML-KEM exponential rather than Kuperberg&apos;s sub-exponential algorithm?&quot;, a: &quot;Lattice parameters are set by exponential sieving; the lattice-to-dihedral-HSP link is a one-directional reduction, and Kuperberg&apos;s algorithm actually applies to commutative-isogeny schemes like CSIDH.&quot; },
  { q: &quot;Why must migration start before a quantum computer exists?&quot;, a: &quot;Harvest-now-decrypt-later means data captured today can be decrypted after Q-Day, so Mosca&apos;s inequality can already be violated for long-lived secrets.&quot; }
]} /&amp;gt;&lt;/p&gt;
</content:encoded><category>quantum-computing</category><category>shors-algorithm</category><category>post-quantum-cryptography</category><category>cryptanalysis</category><category>rsa</category><category>elliptic-curve-cryptography</category><category>diffie-hellman</category><category>hidden-subgroup-problem</category><author>noreply@paragmali.com (Parag Mali)</author></item><item><title>The Log Was Never the Weak Part: How Discrete-Log Cryptography Actually Breaks</title><link>https://paragmali.com/blog/the-log-was-never-the-weak-part-how-discrete-log-cryptograph/</link><guid isPermaLink="true">https://paragmali.com/blog/the-log-was-never-the-weak-part-how-discrete-log-cryptograph/</guid><description>For a well-chosen group the discrete log is optimally hard. Every faster break exploits the group&apos;s structure, not the log -- only Shor survives a clean one.</description><pubDate>Fri, 17 Jul 2026 00:00:00 GMT</pubDate><content:encoded>
For a well-chosen group the discrete logarithm is essentially as hard as it can be: the best generic attack is Pollard&apos;s rho at about $0.886\sqrt{\ell}$ steps, and Shoup proved no *generic* algorithm does better. So every faster classical break -- anomalous curves, MOV and Frey-Ruck pairing transfers, weak twists, invalid-curve shadow groups, Weil descent, the Number Field Sieve, Logjam&apos;s shared-prime precomputation, and small-characteristic quasi-polynomial descent -- is never a cleverer logarithm; it is a receipt for a structural property of the *group that was chosen*. Strip every such property away and only one known break remains, and it changes the machine: Shor&apos;s quantum algorithm -- &quot;as far as is known,&quot; since the elliptic-curve discrete-log problem is still unproven to be hard.
&lt;h2&gt;1. The 256-Bit Paradox&lt;/h2&gt;
&lt;p&gt;Four cryptographic groups walk onto the internet. NIST P-256 and Curve25519 -- both 256 bits wide -- each advertise roughly $2^{128}$ security, and after two decades of public scrutiny neither has been broken [@safecurves]. A &lt;em&gt;third&lt;/em&gt; 256-bit curve, differing from the first two only in a hidden arithmetic property, can be broken on a laptop in polynomial time [@smart-1999]. And a 1024-bit finite-field group -- four times the bit length of the curves -- is a realistic target for a well-funded adversary [@logjam-adrian-2015]. The operation an attacker has to invert is the &lt;em&gt;same discrete logarithm&lt;/em&gt; in all four groups.&lt;/p&gt;
&lt;p&gt;The variable that decided their fates was never the logarithm. It was the group.&lt;/p&gt;
&lt;p&gt;That sentence runs against the way most of us first meet the subject. We are taught that a one-way function is hard, that a bigger key makes it harder, and that &quot;solving the discrete log&quot; is a single monolithic feat an attacker either can or cannot perform. This article argues the opposite, and it argues it as a claim you should not yet believe: &lt;strong&gt;the discrete logarithm is essentially never the weak part. The weak part is always the group&lt;/strong&gt; -- some extra structure it carries, or the wrong group quietly substituted for the right one.&lt;/p&gt;
&lt;p&gt;Two settings recur throughout. The first is the multiplicative group of a prime field, written $\mathbb{F}_p^*$, the home of classic finite-field Diffie-Hellman, DSA, and ElGamal. The second is the group of points on an elliptic curve over a finite field, the home of ECDH, ECDSA, and EdDSA. The plan is a guided tour of every known way the discrete log &quot;breaks.&quot; Each stop will turn out to exploit a structural property of a &lt;em&gt;chosen&lt;/em&gt; group rather than compute a faster logarithm, and the tour ends at the one break that survives even a flawless group: Shor&apos;s quantum algorithm.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; This is a structural cryptanalysis -- an argument about the mathematics of the group itself. Side-channel leaks, fault and power attacks, implementation bugs, weak random-number generators, and protocol misuse are out of scope, named only to mark the boundary. Those failures are real and often more common in practice, but they belong to the empirical sibling of this piece, &quot;How Elliptic Curves and Diffie-Hellman Break in Real Life: PS3, CurveBall, Logjam, and Biased Nonces.&quot; When a break here has an implementation trigger, this article hands that trigger to the sibling and keeps only the group mathematics.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;By the end you will be able to look at any of the ten attacks in the literature and name, in one phrase, the structural property of the group it needs -- and see that a well-chosen group simply does not have it. To understand why the group is the variable, we have to go back to the moment the discrete log became something worth attacking at all.&lt;/p&gt;
&lt;h2&gt;2. What the Discrete Log Actually Is, and Where It Lives&lt;/h2&gt;
&lt;p&gt;In November 1976, Whitfield Diffie and Martin Hellman published &quot;New Directions in Cryptography&quot; and handed two strangers a way to agree on a shared secret over a wiretapped line without ever having met [@diffie-hellman-1976]. Their construction is simple enough to state in a sentence, and in stating it they turned an obscure number-theoretic puzzle into the thing standing between an eavesdropper and your traffic.&lt;/p&gt;

Fix a cyclic group with a public generator $g$. Alice picks a secret $a$ and publishes $g^a$; Bob picks a secret $b$ and publishes $g^b$. Each raises the other&apos;s value to their own secret, so both compute $g^{ab}$ -- the shared key. An eavesdropper sees $g$, $g^a$, and $g^b$, and must find $g^{ab}$. The obvious route is to recover $a$ from $g^a$, which is exactly the discrete logarithm.

Given a cyclic group generated by $g$ and an element $h = g^x$, find the exponent $x$. In the integers this is easy -- it is just division on a logarithmic scale. Inside a finite group the exponent &quot;wraps around&quot; unpredictably, and no efficient general method to recover $x$ is known. The security of Diffie-Hellman, DSA, ElGamal, ECDH, ECDSA, and EdDSA all rest on this one problem being hard in the group they use.
&lt;p&gt;The instant the DLP became a security assumption, a very old question acquired stakes: how hard is it, actually? And the first answer was unsettling, because it showed that the difficulty had nothing to do with the size of the numbers involved.&lt;/p&gt;
&lt;p&gt;Priority is disputed. At GCHQ, James Ellis, Clifford Cocks, and Malcolm Williamson developed classified &quot;non-secret encryption&quot; and a key-exchange analogue between 1969 and 1974, work declassified only in 1997 [@ellis-1997]. The public invention, and the framing of the discrete log as a security assumption, are Diffie and Hellman&apos;s.&lt;/p&gt;

timeline
    title Fifty years of attacking the discrete logarithm
    section The problem and its floor
      1976 : Diffie-Hellman make the discrete log a security assumption
      1978 : Pohlig-Hellman shatters smooth-order groups : Pollard rho sets the sqrt-time floor
    section The escape to curves
      1985 : Miller and Koblitz move the log onto elliptic curves
      1993 : MOV pairing transfer : Gordon adapts the Number Field Sieve to prime fields
      1994 : Shor reduces the discrete log to quantum period-finding
    section Structure strikes back
      1998 : Anomalous trace-one curves fall in polynomial time
      2002 : Weil descent breaks special binary curves
    section Records and frontiers
      2015 : Logjam weaponizes shared-prime precomputation
      2019 : A 795-bit prime-field record : quasi-polynomial small-characteristic descent proven
&lt;h3&gt;The first structural lesson: Pohlig-Hellman&lt;/h3&gt;
&lt;p&gt;In January 1978, Stephen Pohlig and Martin Hellman proved something that should have set the tone for the entire field [@pohlig-hellman-1978]. Suppose the order of the group -- the number of elements -- factors into small primes, $n = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$. Then the discrete log does not have to be solved in the big group at all. It can be solved separately in each prime-power piece, where the numbers are tiny, and the answers glued back together with the Chinese Remainder Theorem.&lt;/p&gt;
&lt;p&gt;The total work is on the order of $\sum_i e_i(\log n + \sqrt{p_i})$ -- dominated by the &lt;em&gt;largest&lt;/em&gt; prime factor, not by the size of $n$.&lt;/p&gt;
&lt;p&gt;Read that again with the thesis in mind. A group can be astronomically large and still offer no security, if its order happens to be a product of small primes. A 4096-bit group whose order is smooth falls instantly.&lt;/p&gt;
&lt;p&gt;Security was never a property of &quot;the log&quot; or of the key length. It was a property of the &lt;em&gt;group&apos;s order&lt;/em&gt; -- specifically, whether that order contains a large prime factor. The first thing anyone proved about the discrete log moved the weakness off the logarithm and onto a structural feature of the chosen group. Everything that follows is a variation on that move.&lt;/p&gt;
&lt;h3&gt;The escape that defines the rest of the article&lt;/h3&gt;
&lt;p&gt;By the mid-1980s, the multiplicative group $\mathbb{F}_p^*$ had a second problem beyond smooth orders: it admitted &lt;em&gt;index calculus&lt;/em&gt;, a family of sub-exponential attacks we will meet in Section 6. The response, arriving independently from two directions, was not a better logarithm algorithm. It was a change of group.&lt;/p&gt;
&lt;p&gt;In 1985, Victor Miller [@miller-1986] and, independently, Neal Koblitz [@koblitz-1987] proposed replacing $\mathbb{F}_p^*$ with the group of points on an elliptic curve over a finite field. Their motivation was explicit and structural: the multiplicative group hands index calculus something to grip, and a general elliptic curve does not, so the same security should be reachable with far smaller keys.&lt;/p&gt;
&lt;p&gt;This is the thesis in its constructive form -- &lt;em&gt;when a group is weak, do not sharpen the attack, choose a group with less structure&lt;/em&gt; -- and it introduces the lens we will look through for the rest of the article: the distinction between a &lt;strong&gt;generic&lt;/strong&gt; group, whose elements are opaque handles you can only combine with the group operation, and a &lt;strong&gt;structured&lt;/strong&gt; group, whose elements leak extra arithmetic an attacker can exploit.&lt;/p&gt;
&lt;p&gt;Miller and Koblitz had escaped one kind of structure. The question their move raised -- and the one the next section answers -- is what an attacker can do against a group that has &lt;em&gt;nothing&lt;/em&gt; wrong with it. If Pohlig-Hellman is defeated by a large prime order, how hard is the log then?&lt;/p&gt;
&lt;h2&gt;3. The Generic Floor: Why Square-Root Time Is the Best You Can Do&lt;/h2&gt;
&lt;p&gt;Here is a number that has barely moved in fifty years. Against a well-chosen group, the best known generic attack on the discrete log runs in about $0.886\sqrt{\ell}$ steps, where $\ell$ is the largest prime factor of the group&apos;s order. Not only is that the best anyone has found -- there is a &lt;em&gt;proof&lt;/em&gt; you cannot do fundamentally better generically. To see why that floor exists, and why it is a floor and not a ceiling waiting to be lowered, start with the simplest attack that hits it.&lt;/p&gt;
&lt;h3&gt;Baby-step giant-step: sorting your way to the log&lt;/h3&gt;
&lt;p&gt;In 1971 Daniel Shanks described a deterministic method that trades memory for time [@shanks-1971]. To solve $h = g^x$ with $x$ below some bound $N$, precompute and store the &quot;baby steps&quot; $g^0, g^1, \ldots, g^{m-1}$ for $m \approx \sqrt{N}$, then take &quot;giant steps&quot; $h \cdot g^{-jm}$ for $j = 0, 1, 2, \ldots$ until one lands in the stored table. A match pins down $x = i + jm$. The running time is $O(\sqrt{N})$ and so is the memory -- and remarkably, this square-root cost is essentially the same one that still bounds the state of the art.&lt;/p&gt;
&lt;p&gt;The clean &quot;given $g$ and $h$, find $x$&quot; statement of the DLP that every textbook now opens with is partly a later reconstruction; Shanks&apos;s 1971 paper framed the computation in the language of class numbers and genera, and the crisp cryptographic phrasing was settled in references like the Handbook of Applied Cryptography [@hac-1996].&lt;/p&gt;
&lt;p&gt;The memory is the problem. Storing $\sqrt{\ell}$ group elements is fine for a 40-bit group and impossible for a 256-bit one. The breakthrough was getting the same square-root &lt;em&gt;time&lt;/em&gt; with almost no memory at all.&lt;/p&gt;

A *generic* algorithm treats group elements as opaque tokens: it can multiply them, invert them, and test equality, but it cannot read anything from their representation -- no bits, no size, no factorization. A group is effectively *generic* for an attacker when no such extra structure is exposed. The whole thesis of this article lives in this word: the square-root floor is proven only for *generic* algorithms, and every faster attack works precisely by treating the group as *non*-generic.
&lt;h3&gt;Pollard&apos;s rho: a random walk that traps itself&lt;/h3&gt;

Walk pseudo-randomly through the group with a function $f$ that also tracks how each point is built from the generator $g$ and the target $Q$, as $g^a Q^b$. Because the group is finite, the walk must eventually revisit a point, and the birthday bound makes that first self-collision appear after only about $\sqrt{\ell}$ steps. When it does, two different expressions $g^{a_1}Q^{b_1}$ and $g^{a_2}Q^{b_2}$ name the same element, which rearranges into $(a_1 - a_2) \equiv x\,(b_2 - b_1) \pmod{\ell}$ -- and the log $x$ drops out.
&lt;p&gt;John Pollard published this in 1978 [@pollard-rho-1978]. Its beauty is the memory: using Floyd&apos;s or Brent&apos;s cycle-finding, you need to remember only a couple of points, so the cost is about $0.886\sqrt{\ell} = \sqrt{\pi/4},\sqrt{\ell}$ group operations at $O(1)$ space. The name comes from the shape the walk traces -- a tail that runs into a loop, like the Greek letter rho.&lt;/p&gt;

Two effects stack. A pseudo-random walk through a set of $\ell$ elements is expected to run into its own past after on the order of $\sqrt{\ell}$ steps, and working that expected value through the birthday integral gives $\sqrt{\pi/2}\,\sqrt{\ell} \approx 1.2533\sqrt{\ell}$ -- the pure birthday constant. On an elliptic curve a second, curve-specific discount then applies: because $P$ and $-P$ share an $x$-coordinate, the walk can run on equivalence classes under point negation, a $\sqrt{2}$ speedup that pulls the constant down to $\sqrt{\pi/4}\,\sqrt{\ell} \approx 0.886\sqrt{\ell}$ -- the figure SafeCurves quotes for the elliptic-curve discrete log [@safecurves]. Half a century of refinement -- distinguished points, that negation map, better step functions -- has improved the constant but never the exponent. The square root is the wall.

flowchart TD
    A[Start at a known element, tracking exponents a and b] --&amp;gt; B[Apply the pseudo-random step f]
    B --&amp;gt; C[Land on the next element of the walk]
    C --&amp;gt; D{&quot;Element seen before?&quot;}
    D --&amp;gt;|No, keep walking| B
    D --&amp;gt;|Yes, collision| E[Two products in g and Q name the same element]
    E --&amp;gt; F[The collision becomes a linear equation in the unknown x]
    F --&amp;gt; G[Read off the discrete log x]
&lt;p&gt;You can watch the birthday collision happen on a toy group. The subgroup below has prime order $\ell = 509$, so $\sqrt{\ell} \approx 23$; the walk finds its self-collision in a few dozen steps and reads off the secret exponent.&lt;/p&gt;
&lt;p&gt;{`&lt;/p&gt;
Group: the order-509 subgroup of the integers mod 1019. Q = g^x; recover x.
&lt;p&gt;p, l, g = 1019, 509, 4      # p = 2*l + 1 (safe prime); g has prime order l
x_secret = 137              # the exponent the attacker does not know
Q = pow(g, x_secret, p)&lt;/p&gt;
&lt;p&gt;def step(X, a, b):
    # A three-way pseudo-random walk that also tracks X = g^a * Q^b (mod p).
    r = X % 3
    if r == 0:   return (X * Q) % p, a, (b + 1) % l
    elif r == 1: return (X * X) % p, (2 * a) % l, (2 * b) % l
    else:        return (X * g) % p, (a + 1) % l, b&lt;/p&gt;
&lt;p&gt;seen = {}                   # a table only to make the collision visible
X, a, b = g, 1, 0           # start at X = g^1 * Q^0
for i in range(1, l + 5):
    if X in seen:
        a2, b2 = seen[X]
        den = (b - b2) % l
        x = ((a2 - a) * pow(den, -1, l)) % l   # solve the collision for x
        print(&quot;collision at step&quot;, i, &quot; (sqrt(l) is about&quot;, round(l ** 0.5), &quot;)&quot;)
        print(&quot;recovered x =&quot;, x, &quot; true x =&quot;, x_secret, &quot; match:&quot;, x == x_secret)
        break
    seen[X] = (a, b)
    X, a, b = step(X, a, b)
`}&lt;/p&gt;
&lt;p&gt;A production attacker drops the table and uses constant memory, restarting on the rare degenerate collision where the bookkeeping cancels. What matters is the exponent: the cost scales as the &lt;em&gt;square root&lt;/em&gt; of the subgroup order, and nothing about the group&apos;s size changes that scaling.&lt;/p&gt;
&lt;p&gt;A close cousin, Pollard&apos;s kangaroo (or lambda) method, solves the DLP when $x$ is known to lie in a short interval, at cost proportional to the square root of the interval width rather than of $\ell$.&lt;/p&gt;
&lt;h3&gt;Parallelism does not change the exponent&lt;/h3&gt;
&lt;p&gt;In 1999, Paul van Oorschot and Michael Wiener turned rho into a production weapon [@vanoorschot-wiener-1999]. Many machines walk independently and report only &lt;em&gt;distinguished points&lt;/em&gt; -- points with a rare, easy-to-test property such as a run of leading zero bits. A collision between any two chains is caught by a central server, and the speedup is near-linear: $m$ machines finish in about $\sqrt{\ell}/m$ wall-clock time. Parallelism buys you a smaller constant and a division by your budget. It does not touch the square root.&lt;/p&gt;
&lt;h3&gt;The floor is a theorem, not a lack of imagination&lt;/h3&gt;
&lt;p&gt;Why be sure no cleverer generic walk exists? Because in 1997 Victor Shoup proved a matching lower bound: any algorithm that uses only the group operation must make $\Omega(\sqrt{\ell})$ queries to solve the discrete log, where $\ell$ is the largest prime factor of the order [@shoup-1997]. Pollard&apos;s upper bound and Shoup&apos;s lower bound close on the same exponent.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; On a group with no exploitable structure, the best attack anyone knows -- Pollard rho at about $0.886\sqrt{\ell}$ steps -- is provably the best attack anyone generically &lt;em&gt;can&lt;/em&gt; know, because Shoup&apos;s $\Omega(\sqrt{\ell})$ lower bound meets it. The two bounds coincide at $\Theta(\sqrt{\ell})$. The hardness is not a property of &quot;the logarithm.&quot; It is fixed entirely by one number: the largest prime factor of the group&apos;s order. The variable has moved from the operation to the group.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That is why &quot;security level&quot; is &lt;em&gt;defined&lt;/em&gt; as the rho cost. A 256-bit curve is a $2^{128}$ target, not a $2^{256}$ one, because rho gets a square-root discount that no key-size increase can revoke.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Curve (256-bit unless noted)&lt;/th&gt;
&lt;th&gt;Pollard rho cost&lt;/th&gt;
&lt;th&gt;What it means&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Curve25519&lt;/td&gt;
&lt;td&gt;$2^{125.8}$&lt;/td&gt;
&lt;td&gt;about 128-bit security, unbroken [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NIST P-256, secp256k1&lt;/td&gt;
&lt;td&gt;$2^{127.8}$&lt;/td&gt;
&lt;td&gt;about 128-bit security, unbroken [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;brainpoolP256&lt;/td&gt;
&lt;td&gt;$2^{127.5}$&lt;/td&gt;
&lt;td&gt;about 128-bit security, unbroken [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NIST P-384 (384-bit)&lt;/td&gt;
&lt;td&gt;$2^{191.8}$&lt;/td&gt;
&lt;td&gt;about 192-bit security [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SafeCurves &quot;anomalous&quot; curve (about 204-bit)&lt;/td&gt;
&lt;td&gt;$2^{101.6}$ by size alone&lt;/td&gt;
&lt;td&gt;a red herring -- its real break is polynomial-time SSSA (Section 4), off the rho scale entirely [@safecurves]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;

State-of-the-art attacks on the elliptic-curve discrete log are still within a factor of two of Shanks&apos;s 1971 method. Half a century of cryptanalysis against a clean curve has bought a factor of two.
&lt;p&gt;The records bear this out. The largest discrete log ever solved on a generic, randomly chosen prime-field elliptic curve is a 112-bit curve, secp112r1, cracked in 2009 by a parallel rho computation [@bos-112bit-2009]. The only solves that have reached higher leaned on exploitable curve structure rather than a stronger generic attack, which is the thesis in miniature. Set that against the finite-field records we are about to meet, where the numbers run past 795 bits, and the gap tells the whole story: against a clean curve there is no better attack than the square-root walk, so records crawl.&lt;/p&gt;
&lt;p&gt;This is the wall every attacker hits -- unless the group hands them a crack. So where are the cracks? They start with the curve you choose.&lt;/p&gt;
&lt;h2&gt;4. The Curve as the Weak Part, I: Special Curves That Transfer the Log Away&lt;/h2&gt;
&lt;p&gt;The move to elliptic curves was supposed to strip out structure. But the first generation of curve choices smuggled it back in, and the way each weakness works is the quiet engine of this whole article. None of them computes a faster logarithm. Each one &lt;strong&gt;moves the logarithm out of the curve&lt;/strong&gt; and into a different group where the log was never hard to begin with.&lt;/p&gt;

flowchart TD
    A[ECDLP on the chosen curve E] --&amp;gt; B{&quot;What structure did the curve leak?&quot;}
    B --&amp;gt;|Trace equals 1, so the point count equals p| C[Additive transfer, the SSSA map]
    B --&amp;gt;|Small embedding degree k| D[Pairing transfer, MOV and Frey-Ruck]
    C --&amp;gt; E[Log now lives in the additive group of F_p, which has no hardness]
    D --&amp;gt; F[Log now lives in a finite field where index calculus finishes it]
    E --&amp;gt; G[Recovered in polynomial time]
    F --&amp;gt; H[Recovered in sub-exponential time]
&lt;h3&gt;Anomalous curves: a trapdoor hiding in the point count&lt;/h3&gt;
&lt;p&gt;Every elliptic curve over a prime field $\mathbb{F}_p$ has a point count governed by a single integer. Hasse&apos;s theorem says $#E(\mathbb{F}_p) = p + 1 - t$, where $t$ is the &lt;em&gt;trace of Frobenius&lt;/em&gt; and $|t| \le 2\sqrt{p}$. That one number, $t$, decides whether the curve is world-class or worthless.&lt;/p&gt;

The trace of Frobenius $t$ measures how the number of points on $E$ over $\mathbb{F}_p$ deviates from $p + 1$, via $\#E(\mathbb{F}_p) = p + 1 - t$. A curve is *anomalous* when $t = 1$, so that $\#E(\mathbb{F}_p) = p$ exactly -- the group of points has the same order as the additive group of the field it sits over. That coincidence is fatal.
&lt;p&gt;When the group order equals $p$, a map exists -- built from the $p$-adic (formal) logarithm and expressible through Fermat quotients -- that sends the elliptic-curve discrete log straight into $(\mathbb{F}_p, +)$, the additive group of the field. And addition has no discrete-log hardness at all: recovering $x$ from $x \cdot a$ in $(\mathbb{F}_p, +)$ is one modular division. The transfer runs in &lt;strong&gt;polynomial time&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;This was worked out in 1998 and 1999 by Nigel Smart [@smart-1999], and independently by Igor Semaev [@semaev-1998] and by Takakazu Satoh and Kiyomichi Araki [@satoh-araki-1998]; the attack is often abbreviated SSSA after the four names.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Size buys nothing here. A 256-bit anomalous curve -- indistinguishable at a glance from a strong one, same field size, same key length -- falls in polynomial time, essentially instantly, while its 256-bit clean neighbor stands at about $2^{125.8}$ operations [@safecurves]. The only thing that changed is the trace. The defense is one check: confirm that $#E(\mathbb{F}_p) \neq p$.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;There is a subtlety worth flagging so you can spot a common mis-citation: this 1998-99 break is the &lt;em&gt;additive&lt;/em&gt;, formal-logarithm transfer. It is not Semaev&apos;s later 2004 work on summation polynomials [@semaev-2004], which is a different line of attack we will meet in Section 10. Trace one is a coincidence in the point count; summation polynomials are an index-calculus program. Conflating them is the classic error in retellings of this attack.&lt;/p&gt;
&lt;h3&gt;Low embedding degree: a bridge into a weaker field&lt;/h3&gt;
&lt;p&gt;The second transfer needs a different structural flaw. Every prime-order subgroup of a curve has an &lt;em&gt;embedding degree&lt;/em&gt;, and if it is small, a bridge opens into a finite field where the log is soft.&lt;/p&gt;

For a subgroup of prime order $\ell$ on a curve over $\mathbb{F}_q$, the embedding degree $k$ is the least positive integer such that $\ell \mid q^k - 1$. Equivalently, $k$ is the smallest extension field $\mathbb{F}_{q^k}$ whose multiplicative group contains a copy of the subgroup. When $k$ is small, that copy is reachable, and the finite-field discrete log there is sub-exponential rather than square-root.
&lt;p&gt;The bridge itself is a bilinear pairing.&lt;/p&gt;

A pairing is a map $e$ that takes two curve points to an element of $\mathbb{F}_{q^k}^*$ and is *bilinear*: $e(aP, bQ) = e(P, Q)^{ab}$. Bilinearity is what turns a curve log into a field log, but there is a subtlety most retellings get wrong. The *Weil* pairing that MOV uses is *alternating*: $e(P, P) = 1$ for every $P$, so a naive $e(P, P)^x$ is just $1$ and carries no information. MOV instead pairs $Q = xP$ with a *second, linearly independent* order-$\ell$ point $R \notin \langle P \rangle$, giving $e(Q, R) = e(P, R)^x$ in $\mathbb{F}_{q^k}^*$ -- an ordinary finite-field discrete log in the nontrivial root of unity $e(P, R)$. On the classic supersingular victims that independent $R$ arrives for free from a *distortion map* $\psi$, an endomorphism that moves $P$ off its own subgroup so that $R = \psi(P)$ works [@verheul-2004] [@galbraith-2012]. Frey and Ruck use the *Tate* pairing, which is not alternating and does admit a nontrivial self-pairing, so there the bare $e(P, P)^x$ form is the legitimate one.
&lt;p&gt;Menezes, Okamoto, and Vanstone published the Weil-pairing reduction in 1993 [@mov-1993]; Frey and Ruck gave the companion Tate-pairing version in 1994 [@frey-ruck-1994]. The classic victims are supersingular curves, which have embedding degree $k \le 6$. Once transferred into $\mathbb{F}_{q^k}^*$ with small $k$, the log falls to the sub-exponential Number Field Sieve of Section 6.&lt;/p&gt;
&lt;p&gt;The escape to a curve is undone by a curve that quietly kept a low-degree door into a field. The defense, again, is a property of the curve you &lt;em&gt;choose&lt;/em&gt;: demand a large embedding degree, which the pairing textbook literature treats as a standard selection criterion [@hankerson-mv-2004].&lt;/p&gt;

There is a twist worth savoring. The very property MOV and Frey-Ruck exploit -- a workable pairing into a small field -- became the foundation of an entire branch of cryptography. Identity-based encryption, BLS signatures, and much of what makes modern threshold and aggregate signatures possible are *built on* pairing-friendly curves with deliberately small embedding degree. The supersingular curves that MOV destroyed for plain ECDLP found a second career as the substrate of constructive pairing-based cryptography. The same distortion maps that hand MOV its independent second point are what make Antoine Joux&apos;s one-round tripartite Diffie-Hellman work -- a three-party key agreement in a single round, and the first purpose-built pairing protocol [@joux-tripartite-2000]. A structural feature is only a weakness relative to what you are trying to do with it.
&lt;p&gt;Step back and notice what both attacks have in common with each other and with Pohlig-Hellman before them.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Neither the anomalous break nor the pairing break computes a faster logarithm. Each one &lt;em&gt;transfers&lt;/em&gt; the log: the anomalous curve&apos;s log is mapped into $(\mathbb{F}&lt;em&gt;p, +)$, where addition is trivial; the low-embedding-degree curve&apos;s log is mapped into $\mathbb{F}&lt;/em&gt;{q^k}^*$, where index calculus finishes it. The attacker never out-computes the logarithm on the curve. They relocate it to a group that was never hard. Structure, not speed, is the entire game.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Trace one and small embedding degree are properties an attacker can only &lt;em&gt;hope&lt;/em&gt; the designer chose badly. The next family of breaks is nastier, because they can be triggered by the attacker&apos;s own inputs, or by a field chosen one level up from the curve.&lt;/p&gt;
&lt;h2&gt;5. The Curve as the Weak Part, II: Twists, Shadow Groups, and Descent&lt;/h2&gt;
&lt;p&gt;The cleanest structural weakness of all does not live in the curve you publish. It lives in the curve&apos;s twin.&lt;/p&gt;
&lt;h3&gt;Twist attacks: falling off the curve onto its shadow&lt;/h3&gt;
&lt;p&gt;Fast elliptic-curve implementations often work with $x$-coordinates only -- the Montgomery ladder, used by X25519, never computes a $y$-coordinate at all. That is a real speed and safety win, but it introduces a subtlety: an $x$ value the attacker sends might not correspond to any point on $E$.&lt;/p&gt;

Over $\mathbb{F}_p$, a curve $E$ has a *quadratic twist* $E&apos;$ -- a sibling curve that becomes isomorphic to $E$ only over the larger field $\mathbb{F}_{p^2}$. The key fact for $x$-only arithmetic is that every $x$ in $\mathbb{F}_p$ is the $x$-coordinate of a point on *either* $E$ *or* $E&apos;$. So an attacker-supplied $x$ that is not on $E$ is silently processed as a point on the twist. A curve is *twist-secure* when both $E$ and $E&apos;$ have near-prime order.
&lt;p&gt;Here is the attack. If the twist $E&apos;$ has a &lt;em&gt;smooth&lt;/em&gt; order -- a product of small primes -- then a scalar multiplication the victim performs on that twist leaks the secret modulo each small prime, exactly the Pohlig-Hellman shattering from Section 2, now triggered by an attacker&apos;s chosen input rather than by the designer&apos;s bad luck. Collect enough small residues and the Chinese Remainder Theorem reassembles the key.&lt;/p&gt;
&lt;p&gt;The weakness is real, and again it is a property of the group the designer &lt;em&gt;chose&lt;/em&gt;: it is defeated by requiring the twist&apos;s order, not just the curve&apos;s, to be near-prime. Curve25519 was designed to be twist-secure from the start [@bernstein-curve25519-2006], and SafeCurves treats twist security as a first-class criterion [@safecurves].&lt;/p&gt;
&lt;h3&gt;Invalid-curve shadow groups: arithmetic that forgets its own curve&lt;/h3&gt;
&lt;p&gt;The next mechanism is sharper still, and it exposes something almost philosophical about how curve arithmetic works.&lt;/p&gt;

For a short-Weierstrass curve $y^2 = x^3 + ax + b$, the standard point-addition formulas use $a$ but never use $b$. So if you feed the arithmetic a point that satisfies $y^2 = x^3 + ax + c$ for the *wrong* constant $c$, every formula still returns a well-defined answer -- computed as if on a different, weaker &quot;shadow&quot; curve. If that shadow curve has smooth order, the secret is confined to small subgroups, just as in a twist attack.
&lt;p&gt;Biehl, Meyer, and Muller analyzed this in 2000 [@biehl-meyer-muller-2000], and SafeCurves states the load-bearing fact plainly: the standard formulas do not involve the constant coefficient $b$ [@safecurves]. What makes this a &quot;shadow group&quot; rather than a single weak curve is that the attacker gets to choose $c$, and so gets a whole &lt;em&gt;family&lt;/em&gt; of weaker curves to hunt through for one with a smooth order.&lt;/p&gt;
&lt;p&gt;Do not confuse invalid-curve attacks with small-subgroup confinement in the Lim-Lee sense. The former uses many &lt;em&gt;different&lt;/em&gt; off-curve shadow curves reached by varying $c$; the latter feeds a single low-order element inside &lt;em&gt;one&lt;/em&gt; group. Both end in Pohlig-Hellman, but the structural handle is different.&lt;/p&gt;
&lt;p&gt;Now, the honest boundary. The &lt;em&gt;mechanism&lt;/em&gt; above is pure group arithmetic -- a genuine structural property of the short-Weierstrass addition law -- and that is what belongs here. What makes it fire in a real system is a missing check: the software accepted a point without verifying it was on the intended curve. That trigger is an implementation gap, not curve mathematics, and this article deliberately stops at the mathematics.&lt;/p&gt;

This piece keeps a strict contract: it analyzes only the mathematics of the group. The moment a break depends on a missing input validation, a leaked nonce, a fault injected into a signature, a downgrade negotiated on the wire, or a manipulated parameter, it crosses into implementation and protocol territory. Those are the domain of the empirical sibling, &quot;How Elliptic Curves and Diffie-Hellman Break in Real Life: PS3, CurveBall, Logjam, and Biased Nonces,&quot; which covers the PlayStation 3 repeated-nonce disaster, the CurveBall certificate-validation flaw, the Logjam downgrade handshake, and the biased-nonce lattice attacks. When you finish here knowing *which group properties* are dangerous, that article shows *how deployments trip over them*. The invalid-curve trigger -- &quot;the code forgot to validate the point&quot; -- is handed there in full.
&lt;h3&gt;Weil descent: a weakness chosen one level up, in the field&lt;/h3&gt;
&lt;p&gt;The last structural break in this pair does not need a bad curve so much as a badly chosen &lt;em&gt;field&lt;/em&gt;. Some curves live over binary extension fields $\mathbb{F}_{2^n}$. When the extension degree $n$ is composite, a technique called Weil restriction can re-express the curve&apos;s group as points on a higher-genus curve over a smaller subfield -- and on that higher-genus object, &lt;em&gt;index calculus&lt;/em&gt; applies and beats the generic square-root floor.&lt;/p&gt;
&lt;p&gt;Gaudry, Hess, and Smart formalized this in 2002 [@ghs-2002], and the title of their paper is itself a summary of this whole section: &quot;Constructive and destructive facets of Weil descent on elliptic curves.&quot; The precondition is structural and specific: a composite-degree binary extension field. The defense is equally specific: use prime fields, or at worst prime-degree extensions, so there is no subfield to descend into.&lt;/p&gt;
&lt;p&gt;Every curve break in these two sections has needed a &lt;em&gt;particular&lt;/em&gt; structural precondition -- trace one, small embedding degree, a smooth twist, $b$-independent arithmetic, a composite extension field. Not one has been a faster logarithm. Now cross the aisle to the group the whole field was fleeing in 1985. There, the structure is not an accident of a bad curve. It is built into the group itself.&lt;/p&gt;
&lt;h2&gt;6. The Finite-Field Side: When the Group Itself Has Structure&lt;/h2&gt;
&lt;p&gt;An anomalous curve is a &lt;em&gt;bad choice&lt;/em&gt; -- pick a different curve and the weakness is gone. The multiplicative group $\mathbb{F}_p^*$ is different. It is not a bad choice; it is &lt;em&gt;inherently&lt;/em&gt; structured. Its elements are ordinary integers, and integers can be multiplied and factored. That single property -- the one thing an elliptic-curve group pointedly does not have -- is exactly what the fastest classical attack needs.&lt;/p&gt;
&lt;h3&gt;Index calculus: turning multiplication into linear algebra&lt;/h3&gt;

Fix a *factor base* of small primes. An element is *smooth* if it factors completely over that base. Index calculus hunts for powers $g^k$ that are smooth; each one factors as a product of factor-base primes, and taking logs turns that product into a *linear equation* relating the unknown logs of the base primes. Collect more smooth relations than there are base primes, solve the linear system once, and you know the log of every prime in the base. To finish a specific target $h$, nudge it by random powers of $g$ until $h \cdot g^k$ is smooth, and read the answer off the precomputed base logs.
&lt;p&gt;Notice what index calculus consumes: the ability to &lt;em&gt;factor&lt;/em&gt; group elements into small pieces. In $\mathbb{F}_p^*$ that ability is free, because the elements are integers. On an elliptic curve there is no such thing as a &quot;small&quot; point, no factor base, no notion of a smooth point at all. The attack has nothing to grip. That absence is not a minor detail -- it is the entire reason elliptic-curve cryptography exists.&lt;/p&gt;
&lt;h3&gt;The Number Field Sieve, pointed at the logarithm&lt;/h3&gt;
&lt;p&gt;The mature form of this idea is the Number Field Sieve. Built for factoring by Lenstra, Lenstra, Manasse, and Pollard in 1990 [@nfs-llmp-1990], it was adapted to the discrete log in a prime field by Daniel Gordon in 1993 [@gordon-1993].&lt;/p&gt;
&lt;p&gt;Its pipeline has four stages: choose number fields tuned to $p$ (polynomial selection), sieve for smooth relations (relation collection), solve the resulting sparse linear system modulo the group order (linear algebra), and then peel off each individual target log (descent). The first three stages depend only on the prime $p$ -- a fact that looks academic here and becomes a weapon in the next section.&lt;/p&gt;

Cryptographers measure these costs with $L_p[\alpha, c] = \exp\!\big((c + o(1))(\ln p)^{\alpha}(\ln\ln p)^{1-\alpha}\big)$. The exponent $\alpha$ interpolates between two worlds: $\alpha = 1$ is fully exponential (Pollard rho on a $b$-bit group costs about $2^{b/2}$, an $L_p[1, 1/2]$ cost), and $\alpha = 0$ is polynomial. The Number Field Sieve sits at $\alpha = 1/3$, deep in *sub-exponential* territory -- vastly faster than the generic square root, and the same complexity class as integer factoring.
&lt;p&gt;Gordon&apos;s 1993 algorithm put the finite-field discrete log in the sub-exponential $L_p[1/3]$ class, with heuristic constant $3^{2/3} \approx 2.08$ [@gordon-1993]; later refinements sharpened that constant to the modern $(64/9)^{1/3} \approx 1.923$. To feel what the difference between $\alpha = 1/2$ and $\alpha = 1/3$ does to real key sizes, run the estimator: the finite-field cost grows like a &lt;em&gt;cube root&lt;/em&gt; of the bit length in the exponent, while the elliptic-curve cost grows &lt;em&gt;linearly&lt;/em&gt;. That is why the two settings need such different key sizes for the same security.&lt;/p&gt;
&lt;p&gt;{`
import math&lt;/p&gt;
&lt;p&gt;def nfs_bits(bits):
    # Leading-term model of the NFS-DL cost L_p[1/3, (64/9)^(1/3)] for a &apos;bits&apos;-bit prime.
    lnp = bits * math.log(2)
    c = (64 / 9) ** (1 / 3)                  # about 1.923
    return c * lnp ** (1/3) * math.log(lnp) ** (2/3) / math.log(2)&lt;/p&gt;
&lt;p&gt;def rho_bits(order_bits):
    return order_bits / 2                    # Pollard rho: half the bit length&lt;/p&gt;
&lt;p&gt;print(&quot;Finite-field DH (cost grows like a cube root in the exponent):&quot;)
for b in [512, 1024, 2048, 3072]:
    print(f&quot;  {b:&amp;gt;4}-bit prime  ~  2^{nfs_bits(b):5.1f}&quot;)
print(&quot;Elliptic curve (cost grows linearly):&quot;)
for m in [160, 224, 256]:
    print(f&quot;  {m:&amp;gt;4}-bit curve   ~  2^{rho_bits(m):5.1f}&quot;)&lt;/p&gt;
The leading term runs a little high; calibrated against real records, standard
practice reads 1024-bit as roughly 80-bit and 3072-bit as roughly 128-bit security.
&lt;p&gt;`}&lt;/p&gt;
&lt;p&gt;The scaling is the point. A clean 256-bit curve and a 3072-bit prime deliver comparable security -- the curve does it with an eighth of the key length -- precisely because the curve denies the sieve its factor base. This is the thesis at its sharpest: the &lt;em&gt;same&lt;/em&gt; discrete logarithm, but a group whose structure leaks drops the attack from square-root time all the way to $L_p[1/3]$.&lt;/p&gt;

Same discrete log. On a generic curve, the largest ever solved is 112 bits and the records crawl. In a prime field, the record is 795 bits and climbing. The logarithm did not change -- the group did.
&lt;p&gt;The records make the gap concrete. The current prime-field discrete-log record is 795 bits (240 decimal digits), set in 2019 by Boudot, Gaudry, Guillevic, Heninger, Thome, and Zimmermann, with the discrete-log computation costing roughly 3,100 core-years [@boudot-795bit-2020]; the previous record was 768 bits [@kleinjung-768bit-2017]. Against the 112-bit generic-curve ceiling of Section 3, the sieve&apos;s structural advantage is not subtle. The multiplicative group hands the attacker a factor base; the curve hands them nothing. The results corroborate the standard textbook accounting of index calculus and its consequences for finite-field sizing [@hac-1996].&lt;/p&gt;
&lt;p&gt;A sub-exponential attack still sounds expensive -- years of computation for a single prime. So why is a 1024-bit Diffie-Hellman group a &lt;em&gt;practical&lt;/em&gt; target rather than a merely theoretical one? Because the expensive part only has to be done once.&lt;/p&gt;
&lt;h2&gt;7. Logjam: Precomputation as a Structural Property&lt;/h2&gt;
&lt;p&gt;The most misunderstood word in &lt;a href=&quot;https://paragmali.com/blog/nobody-broke-the-discrete-log-a-field-guide-to-diffie-hellma/&quot; rel=&quot;noopener&quot;&gt;forward secrecy&lt;/a&gt; is &quot;fresh.&quot; A new ephemeral key on every connection &lt;em&gt;feels&lt;/em&gt; like it should defeat any precomputed attack -- surely a one-time secret cannot be broken by work done in advance. Against a &lt;em&gt;shared&lt;/em&gt; prime, that intuition is simply wrong, and seeing why is the sharpest lesson the finite-field side has to teach.&lt;/p&gt;
&lt;p&gt;Recall the four stages of the Number Field Sieve. Three of them -- polynomial selection, relation collection, and the enormous linear-algebra solve -- depend only on the prime $p$. They produce the discrete logs of the entire factor base, and that output is reusable for &lt;em&gt;every&lt;/em&gt; discrete log computed in that same prime field. Only the final descent step depends on the particular target. The Logjam researchers put it in one line on the project page: the first step of the number field sieve is dependent only on this prime [@logjam-adrian-2015].&lt;/p&gt;

flowchart TD
    subgraph PC[&quot;Precomputation, depends only on the prime p&quot;]
      A[Polynomial selection] --&amp;gt; B[Relation collection by sieving]
      B --&amp;gt; C[Linear algebra, logs of the whole factor base]
    end
    C --&amp;gt; D[Per-target descent, one quick step per connection]
    D --&amp;gt; E[Discrete log of this specific ephemeral key]
    F[Every connection that shares p reuses the same precomputation] -.-&amp;gt; D
&lt;p&gt;So a fresh ephemeral does not help if the prime behind it is shared and undersized. The attacker pays the sieve cost once, for the prime, and then every &quot;fresh&quot; handshake using that prime falls in the cheap descent step. Freshness protects the &lt;em&gt;key&lt;/em&gt;; it does nothing for a &lt;em&gt;shared group&lt;/em&gt;.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Precomputation is not a shortcut around the math -- it &lt;em&gt;is&lt;/em&gt; the structure being exploited. The weakness Logjam turns into a live threat is the amortized cost of a shared, undersized prime, spread across millions of connections. It is not a faster logarithm and not a smaller key in isolation. It is the fact that everyone reused the same group.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The blast radius came from exactly that reuse. A handful of 1024-bit primes were hard-coded into standards and shipped in software everywhere. Adrian and colleagues measured the exposure [@logjam-adrian-2015]. The immediate Logjam downgrade, forcing connections to 512-bit export-grade Diffie-Hellman, initially left 8.4% of the Top 1 Million HTTPS domains vulnerable.&lt;/p&gt;
&lt;p&gt;Looking forward, a single precomputation against one common 1024-bit prime would let a passive eavesdropper read roughly 18% of the Top 1 Million HTTPS domains; precomputing a second common 1024-bit prime would reach about 66% of VPNs and 26% of SSH servers. A nation-state budget for one very large computation buys passive decryption of a striking fraction of the internet, all because the primes were shared.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The lesson people take away from Logjam is usually &quot;use bigger primes,&quot; and that is half right. The deeper point is that a 1024-bit prime is dangerous mainly because it is &lt;em&gt;shared and precomputed&lt;/em&gt;, not merely because it is 1024 bits. A &lt;em&gt;unique&lt;/em&gt;, per-organization 2048-bit or larger prime denies the attacker the amortization that makes the sieve economical at internet scale. Shared-and-precomputed versus unique is the real axis; size is secondary [@logjam-adrian-2015].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;There is a further twist this article names only to hand off: a prime can be &lt;em&gt;maliciously&lt;/em&gt; constructed so that a hidden special-number-field-sieve structure makes it far weaker than it looks, a trapdoor invisible to anyone who did not build it. That, along with the wire-level mechanics of how a downgrade is actually negotiated, is deployment and protocol territory -- the empirical sibling&apos;s ground, not this article&apos;s.&lt;/p&gt;
&lt;p&gt;Logjam attacks a field whose prime was too small and, above all, shared. But there is a family of fields where the sieve does not merely amortize -- it changes complexity class entirely, from sub-exponential to almost polynomial. The only question is which fields, and the answer is, once again, a structural property someone chose.&lt;/p&gt;
&lt;h2&gt;8. Small Characteristic: The Quasi-Polynomial Frontier&lt;/h2&gt;
&lt;p&gt;For one specific family of fields, the discrete log came close to &lt;em&gt;collapsing&lt;/em&gt; -- and the story teaches the same lesson one more time, in its most dramatic form: the characteristic you choose is a structural gift to the attacker.&lt;/p&gt;
&lt;p&gt;Finite fields come in two flavors that matter here. Prime fields $\mathbb{F}&lt;em&gt;p$ have large characteristic $p$. Extension fields like $\mathbb{F}&lt;/em&gt;{2^n}$ and $\mathbb{F}_{3^n}$ have &lt;em&gt;small&lt;/em&gt;, fixed characteristic (2 or 3) and a large extension degree $n$. For decades both were treated as roughly comparable homes for the discrete log. Then, in the span of a few years, the small-characteristic case fell apart.&lt;/p&gt;
&lt;p&gt;In 2013, Antoine Joux broke the long-standing $L[1/3]$ barrier for small-characteristic fields with a new index-calculus algorithm of complexity $L[1/4 + o(1)]$, published at Selected Areas in Cryptography [@joux-2013-l14]. That was the crack in the dam. In 2014, Barbulescu, Gaudry, Joux, and Thome went much further, giving a &lt;em&gt;heuristic quasi-polynomial&lt;/em&gt; algorithm -- cost $n^{O(\log n)}$ -- for the discrete log in finite fields of small characteristic [@bgjt-2014]. Quasi-polynomial is not merely faster than sub-exponential; it is a different universe of growth, far below $L[1/3]$.&lt;/p&gt;
&lt;p&gt;Then in 2019, Kleinjung and Wesolowski removed the heuristics, proving that the discrete log in a fixed-characteristic field can be solved in expected time $(pn)^{2\log_2(n) + O(1)}$ -- a genuine theorem, not a conjecture backed by experiments [@kleinjung-wesolowski-2019].&lt;/p&gt;
&lt;p&gt;Why does small characteristic collapse when a prime field does not? The whole descent turns on one structural gift. In a field like $\mathbb{F}_{2^n}$ every element is a low-degree polynomial over a tiny base field, and the Frobenius map $x \mapsto x^p$ acts &lt;em&gt;linearly&lt;/em&gt; on that representation, because $(a + b)^p = a^p + b^p$ in characteristic $p$. Those two facts hand the attacker a cheap, self-replenishing supply of low-degree relations: the algorithm presents the field through a low-degree identity linking an element to its Frobenius image, so a single relation spawns a whole orbit of them essentially for free.&lt;/p&gt;
&lt;p&gt;The attack then &lt;em&gt;descends on degree&lt;/em&gt;. It rewrites the logarithm of a degree-$d$ target as a combination of logarithms of strictly lower-degree elements, recurses ($d \to d/2 \to \cdots$), and bottoms out at degree-one elements whose logs are read off directly. Because each step roughly halves the degree while spawning only quasi-polynomially many sub-problems, the descent tree has depth about $\log d$ and terminates in $n^{O(\log n)}$ time -- that logarithmic recursion depth is exactly why the exponent is &quot;quasi-,&quot; not fully, polynomial.&lt;/p&gt;
&lt;p&gt;A prime field $\mathbb{F}_p^*$ offers none of this. Its elements are integers modulo $p$, with no subfield tower, no element degree to shrink, and no small-characteristic Frobenius to make relations cheap. The descent has nothing to grip, which is precisely why the Number Field Sieve at $L_p[1/3]$ stays the best attack there.&lt;/p&gt;
&lt;p&gt;The practical consequence was immediate: this line of work retired small-characteristic pairing choices, including the supersingular binary curves once proposed for pairing-based cryptography, whose security rested on a small-characteristic field discrete log. The field that was supposed to be the hard part evaporated.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The quasi-polynomial result applies to &lt;em&gt;small, fixed characteristic&lt;/em&gt; only: $\mathbb{F}&lt;em&gt;{2^n}$, $\mathbb{F}&lt;/em&gt;{3^n}$, and their relatives. It does &lt;strong&gt;not&lt;/strong&gt; extend to prime fields $\mathbb{F}_p$, where the Number Field Sieve at $L_p[1/3]$ remains the best known attack. Dropping the words &quot;small characteristic&quot; would produce a dangerous falsehood -- that prime-field Diffie-Hellman is quasi-polynomially broken. It is not. Finite-field DH over a properly sized, unique prime is still standing; only the small-characteristic cousins collapsed [@kleinjung-wesolowski-2019].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The calibration is almost comical in scale. The record discrete log in a fixed-characteristic field now stands at $\mathrm{GF}(2^{30750})$, computed in 2019 [@disclog-records-wiki]. That field is roughly thirty-nine times larger in bit length than the 795-bit &lt;em&gt;prime-field&lt;/em&gt; record from the same era. Same &quot;discrete logarithm&quot;; the characteristic of the chosen field decides whether the records sit near 800 bits or sail past 30,000.&lt;/p&gt;
&lt;p&gt;This reinforced a standards trend already under way. NIST SP 800-186 &lt;em&gt;deprecates&lt;/em&gt; the binary and Koblitz curves defined over small-characteristic fields, and FIPS 186-5 &lt;em&gt;removes&lt;/em&gt; them from the approved list entirely [@nist-sp800-186]. The precision matters: deprecation and removal are two distinct regulatory steps, and the small-characteristic results are part of why both happened.&lt;/p&gt;
&lt;p&gt;Eight sections, eight breaks, and one relentless pattern: every classical break so far -- Pohlig-Hellman, the anomalous transfer, MOV and Frey-Ruck, twists, invalid-curve shadows, Weil descent, the Number Field Sieve, and now small-characteristic descent -- needs a &lt;em&gt;specific&lt;/em&gt; structural property of the chosen group. But a pattern is only convincing if you can see all of it at once. Lay every attack on a single table, and the thesis stops being a claim you have to trust and becomes something you can read straight off a column.&lt;/p&gt;
&lt;h2&gt;9. A Map of Where the Weakness Lives&lt;/h2&gt;
&lt;p&gt;One table, read down one column, is the whole argument. Here is every attack in this article, each with the structural property it requires, the easy group it reduces the log to, its cost, and the one question that matters -- does a well-chosen group have that property?&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Attack&lt;/th&gt;
&lt;th&gt;Group property it needs&lt;/th&gt;
&lt;th&gt;Reduces the log to&lt;/th&gt;
&lt;th&gt;Complexity&lt;/th&gt;
&lt;th&gt;Clean group has it?&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Pollard rho [@pollard-rho-1978]&lt;/td&gt;
&lt;td&gt;none (generic)&lt;/td&gt;
&lt;td&gt;nothing; it &lt;em&gt;is&lt;/em&gt; the floor&lt;/td&gt;
&lt;td&gt;$\approx 0.886\sqrt{\ell}$&lt;/td&gt;
&lt;td&gt;the baseline&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Pohlig-Hellman [@pohlig-hellman-1978]&lt;/td&gt;
&lt;td&gt;smooth group order&lt;/td&gt;
&lt;td&gt;small subgroups plus CRT&lt;/td&gt;
&lt;td&gt;$\sum_i e_i(\log n + \sqrt{p_i})$&lt;/td&gt;
&lt;td&gt;No: large prime order&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Anomalous / SSSA [@smart-1999]&lt;/td&gt;
&lt;td&gt;trace $t = 1$, so $#E = p$&lt;/td&gt;
&lt;td&gt;addition in $(\mathbb{F}_p, +)$&lt;/td&gt;
&lt;td&gt;polynomial&lt;/td&gt;
&lt;td&gt;No: require $#E \neq p$&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;MOV / Frey-Ruck [@mov-1993]&lt;/td&gt;
&lt;td&gt;small embedding degree $k$&lt;/td&gt;
&lt;td&gt;DLP in $\mathbb{F}_{q^k}^*$&lt;/td&gt;
&lt;td&gt;sub-exponential&lt;/td&gt;
&lt;td&gt;No: large $k$&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Twist confinement [@safecurves]&lt;/td&gt;
&lt;td&gt;smooth twist plus x-only ladder&lt;/td&gt;
&lt;td&gt;small subgroups on the twist&lt;/td&gt;
&lt;td&gt;small-subgroup cost&lt;/td&gt;
&lt;td&gt;No: twist-secure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Invalid-curve shadow [@biehl-meyer-muller-2000]&lt;/td&gt;
&lt;td&gt;$b$-independent arithmetic plus weak shadow&lt;/td&gt;
&lt;td&gt;small subgroups on a shadow curve&lt;/td&gt;
&lt;td&gt;small-subgroup cost&lt;/td&gt;
&lt;td&gt;No: twist-secure and validated&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Weil descent / GHS [@ghs-2002]&lt;/td&gt;
&lt;td&gt;composite-degree binary field&lt;/td&gt;
&lt;td&gt;index calculus on a higher-genus curve&lt;/td&gt;
&lt;td&gt;sub-exponential&lt;/td&gt;
&lt;td&gt;No: prime field&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NFS-DL [@gordon-1993]&lt;/td&gt;
&lt;td&gt;a factor base (multiplicative smoothness)&lt;/td&gt;
&lt;td&gt;linear algebra on smooth relations&lt;/td&gt;
&lt;td&gt;$L_p[1/3,, 1.923]$&lt;/td&gt;
&lt;td&gt;No: a curve has no factor base&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Small-char quasi-poly [@kleinjung-wesolowski-2019]&lt;/td&gt;
&lt;td&gt;small, fixed characteristic&lt;/td&gt;
&lt;td&gt;function-field descent&lt;/td&gt;
&lt;td&gt;quasi-polynomial&lt;/td&gt;
&lt;td&gt;No: prime field&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Shor [@shor-1997]&lt;/td&gt;
&lt;td&gt;none (changes the machine)&lt;/td&gt;
&lt;td&gt;quantum period-finding&lt;/td&gt;
&lt;td&gt;polynomial in $\log \ell$&lt;/td&gt;
&lt;td&gt;Yes, but needs a quantum computer&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Read the &quot;group property it needs&quot; column from top to bottom. Every classical attack that beats square-root time names a &lt;em&gt;specific&lt;/em&gt; structural precondition -- a smooth order, trace one, low embedding degree, a smooth twist, $b$-independent arithmetic, a composite extension field, a factor base, small characteristic. The only two rows needing &lt;em&gt;no&lt;/em&gt; structure are Pollard rho, which &lt;em&gt;is&lt;/em&gt; the square-root floor, and Shor, which leaves the classical world entirely. Not one classical row is a faster generic logarithm. That is the thesis, rendered as a table.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The same pattern shows up in what a working engineer actually chooses between. Line up the deployed groups and the story is not &quot;big keys versus small keys&quot; -- it is &quot;which structural weakness is present.&quot;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Group&lt;/th&gt;
&lt;th&gt;Advertised security&lt;/th&gt;
&lt;th&gt;Public-key size&lt;/th&gt;
&lt;th&gt;Best known classical attack&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;FFDH-1024 (shared prime)&lt;/td&gt;
&lt;td&gt;about 80-bit, broken in practice&lt;/td&gt;
&lt;td&gt;1024-bit&lt;/td&gt;
&lt;td&gt;NFS-DL plus shared-prime precomputation [@logjam-adrian-2015]&lt;/td&gt;
&lt;td&gt;Deprecated, nation-state target&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;FFDH-2048 / 3072 (shared or unique)&lt;/td&gt;
&lt;td&gt;about 112 / 128-bit&lt;/td&gt;
&lt;td&gt;2048 / 3072-bit&lt;/td&gt;
&lt;td&gt;NFS-DL, but precomputation is infeasible at this size&lt;/td&gt;
&lt;td&gt;Acceptable if unavoidable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;NIST P-256&lt;/td&gt;
&lt;td&gt;about 128-bit ($2^{127.8}$ rho)&lt;/td&gt;
&lt;td&gt;256-bit&lt;/td&gt;
&lt;td&gt;Pollard rho, generic [@safecurves]&lt;/td&gt;
&lt;td&gt;Active, FIPS&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Curve25519 / X25519&lt;/td&gt;
&lt;td&gt;about 128-bit ($2^{125.8}$ rho)&lt;/td&gt;
&lt;td&gt;256-bit&lt;/td&gt;
&lt;td&gt;Pollard rho, generic [@safecurves]&lt;/td&gt;
&lt;td&gt;Active, twist-secure and rigid&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;The two 256-bit curves and the 3072-bit prime all deliver about 128-bit security -- the curves with an eighth of the key length -- because a clean curve denies the sieve its factor base. And the two finite-field rows differ not by size alone but by &lt;em&gt;sharing&lt;/em&gt;: the 1024-bit row is a target because its prime is common and precomputed, not merely because it is 1024 bits.&lt;/p&gt;
&lt;p&gt;The table has one uncomfortable empty space. Every row is a break that needs structure, and a clean group has none of those structures. But is there a &lt;em&gt;proof&lt;/em&gt; that a structure-free group is actually safe -- or have we simply never found the crack? To answer honestly, we have to admit what the entire edifice rests on.&lt;/p&gt;
&lt;h2&gt;10. Theoretical Limits: Is the Log Itself Ever the Weak Part?&lt;/h2&gt;
&lt;p&gt;Here is the admission the whole subject rests on, and it is more unsettling than most textbooks let on: &lt;strong&gt;nobody has proved the discrete log is hard.&lt;/strong&gt; Not for $\mathbb{F}_p^*$, not for a clean elliptic curve, not for any group that carries real traffic. The security of a large fraction of the internet rests on a problem no one can prove is difficult.&lt;/p&gt;
&lt;p&gt;The only proven wall is Shoup&apos;s $\Omega(\sqrt{\ell})$ lower bound from Section 3 [@shoup-1997] -- and its scope is precisely the catch. It holds &lt;em&gt;in the generic-group model&lt;/em&gt;, where the algorithm may not read anything from the encoding of group elements. It is a statement about structure-blind algorithms, not about the discrete log as such.&lt;/p&gt;
&lt;p&gt;This is exactly why index calculus is not a paradox. The Number Field Sieve beats Shoup&apos;s $\sqrt{\ell}$ floor for $\mathbb{F}_p^&lt;em&gt;$ not because the proof is wrong but because $\mathbb{F}_p^&lt;/em&gt;$ is &lt;em&gt;not a generic group&lt;/em&gt;: its elements are integers, the algorithm reads their factorizations, and the generic model&apos;s central assumption simply does not apply. Every faster attack in this article is another group that leaves the generic model through some door of its own. The matching bound of Section 3 is real, and it is real only inside a model that structured groups escape.&lt;/p&gt;

The gap has two values, and keeping them straight is the difference between understanding this subject and sloganeering about it. *In the generic-group model* the question is CLOSED: Pollard rho&apos;s $O(\sqrt{\ell})$ upper bound meets Shoup&apos;s $\Omega(\sqrt{\ell})$ lower bound at $\Theta(\sqrt{\ell})$, a rare matching pair. *Unconditionally* it is WIDE OPEN: there is no proof the discrete log is hard at all. The space between the generic wall and reality is exactly what index calculus and the curve transfers exploit. And there is a structural reason a hardness proof is out of reach: the DLP lies in $\mathrm{NP} \cap \mathrm{coNP}$ -- given the factorization of the group order, both a claimed logarithm and its absence are efficiently checkable -- so it is *not expected* to be NP-complete, since an NP-complete problem in $\mathrm{NP} \cap \mathrm{coNP}$ would collapse $\mathrm{NP} = \mathrm{coNP}$ [@galbraith-2012] [@hac-1996]. Proving the discrete log hard would be a complexity-theory landmark far beyond anything currently in reach. That is why &quot;only Shor breaks a clean group&quot; must always be read &quot;as far as is known.&quot;
&lt;p&gt;The sharpest open question sits one level down, and it is the one that keeps elliptic-curve cryptographers honest: does a sub-exponential, index-calculus-style algorithm exist for the ECDLP over a &lt;em&gt;prime&lt;/em&gt; field? If it did, it would do to elliptic curves what the Number Field Sieve did to finite-field Diffie-Hellman -- collapse the square-root advantage that justifies 256-bit keys.&lt;/p&gt;
&lt;p&gt;This is the correct home for Semaev&apos;s &lt;em&gt;summation polynomials&lt;/em&gt; and the related Gröbner-basis point-decomposition program, from 2004 onward [@semaev-2004] -- a genuine attempt to build an ECDLP index calculus. It must not be confused with the 1998-99 anomalous-curve transfer of Section 4, which is a different mechanism entirely. Over prime fields the summation-polynomial approach remains &lt;em&gt;exponential&lt;/em&gt;: it is the live frontier, not a solved attack.&lt;/p&gt;
&lt;p&gt;So, classically and as far as anyone knows, a clean group leaves the square-root floor standing. There is no known sub-exponential attack on a well-chosen prime-field curve, and the conjecture that none exists is exactly that -- a conjecture, the working hypothesis behind every ECC key-size recommendation.&lt;/p&gt;
&lt;p&gt;Even the improvements that do exist stay on their side of the line. The extended Tower Number Field Sieve of Kim and Barbulescu sharpens the &lt;em&gt;constants&lt;/em&gt; for medium- and non-prime-characteristic fields, but it does not move the $1/3$ exponent for prime fields [@kim-barbulescu-2016]. Prime-field discrete logs have been stuck at $L_p[1/3]$ since Gordon in 1993.&lt;/p&gt;
&lt;p&gt;If the log&apos;s classical hardness is unproven yet unbroken on a clean group, then the only &lt;em&gt;known&lt;/em&gt; way to break such a group is not a cleverer algorithm in the same world. It is to change worlds -- to a machine that computes on a fundamentally different substrate.&lt;/p&gt;
&lt;h2&gt;11. The Third Road: Shor, and Why a Clean Group Leaves Only Quantum&lt;/h2&gt;
&lt;p&gt;Strip a group of every exploitable structure and the classical attacker is back at Pollard&apos;s 1978 random walk, hitting the square-root wall with no crack to exploit. The one thing left that beats that wall does not compute a cleverer logarithm. It runs on a different machine.&lt;/p&gt;
&lt;p&gt;In 1994, Peter Shor showed that a quantum computer could solve both integer factoring and the discrete log in polynomial time [@shor-1997]. The discrete-log algorithm does not attack the group&apos;s structure the way index calculus does. It rewrites the problem into a shape a quantum computer is uniquely good at.Framed abstractly, Shor&apos;s discrete-log routine solves a &lt;em&gt;hidden subgroup problem&lt;/em&gt;: the secret $x$ hides a subgroup of $\mathbb{Z}&lt;em&gt;\ell \times \mathbb{Z}&lt;/em&gt;\ell$ generated by $(x, 1)$, and the quantum Fourier transform is the tool that exposes it [@childs-vandam-2010]. The abelian hidden-subgroup problem is the common engine behind Shor&apos;s factoring and discrete-log algorithms alike.&lt;/p&gt;

Shor&apos;s move is to recast the discrete log as *period-finding*. From the target one builds a function whose period encodes the secret exponent $x$. A classical machine cannot see that period without effectively searching for it, but a quantum machine can evaluate the function over a superposition of inputs and apply the quantum Fourier transform, which concentrates measurement probability on the period. Each measurement then returns a pair $(\alpha, \beta)$ obeying a linear relation $\alpha x + \beta \equiv 0 \pmod{\ell}$, and a few such relations pin down $x$ by classical linear algebra mod $\ell$ -- not the continued-fractions step that finishes Shor&apos;s *factoring* routine.

flowchart TD
    A[Target: Q equals x times P on a clean curve] --&amp;gt; B[Build a function periodic in the unknown x]
    B --&amp;gt; C[Evaluate it over a superposition on the quantum register]
    C --&amp;gt; D[Quantum Fourier transform makes the period observable]
    D --&amp;gt; E[Measure: each shot yields a linear relation in x, mod l]
    E --&amp;gt; F[Solve the linear congruences for the discrete log x, polynomial in log of the order]
&lt;p&gt;The consequence is the one classical cryptanalysis can never deliver: the cost is &lt;em&gt;polynomial in $\log \ell$&lt;/em&gt;, so &lt;strong&gt;key size is no defense.&lt;/strong&gt; Doubling the curve size barely moves Shor&apos;s cost. And it needs none of the structural preconditions from the table in Section 9 -- no trace one, no small embedding degree, no smooth twist, no factor base. It breaks a &lt;em&gt;correct key on a flawless group&lt;/em&gt;. Shor is the empty cell filled in: the only known attack that does not require the group to be badly chosen.&lt;/p&gt;
&lt;p&gt;Crucially, the progress since 1994 has been &lt;em&gt;algorithmic&lt;/em&gt;, not hardware. The first ECDLP-specific quantum circuit came from Proos and Zalka in 2003, who made a structural observation that still holds: elliptic curves are an &lt;em&gt;easier&lt;/em&gt; quantum target than equal-security &lt;a href=&quot;https://paragmali.com/blog/how-rsa-would-break-why-factoring-is-the-slow-path-and-coppe/&quot; rel=&quot;noopener&quot;&gt;RSA&lt;/a&gt; [@proos-zalka-2003].&lt;/p&gt;
&lt;p&gt;The modern resource estimate, from Roetteler, Naehrig, Svore, and Lauter in 2017, is concrete: a 256-bit ECDLP needs about 2,330 logical qubits -- following their count of $9n + 2\lceil\log_2 n\rceil + 10$, which for $n = 256$ gives $2304 + 16 + 10 = 2330$ -- and on the order of $1.3 \times 10^{11}$ Toffoli gates, versus roughly 6,146 logical qubits for RSA-3072 [@roetteler-2017]. The curve&apos;s small keys, its great classical advantage, make it the &lt;em&gt;cheaper&lt;/em&gt; thing to break once a quantum computer exists.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Shor is structural mathematics against an asymmetric primitive: it breaks the discrete-log problem itself, in polynomial time, on a flawless group -- squarely the subject of this article. Grover&apos;s algorithm is a different animal: a generic square-root speedup for unstructured search that halves the effective key length of &lt;em&gt;symmetric&lt;/em&gt; ciphers and hashes. It is not a structural break of the discrete log, and simply doubling a symmetric key neutralizes it. Grover is named here only to be set aside.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Two honest boundaries close this section. First, no cryptographically-relevant quantum computer exists today, and this article asserts &lt;em&gt;no timeline&lt;/em&gt; for when, or whether, one will. The resource estimates set a migration clock, not a countdown. Second, the genuine successor to discrete-log cryptography is &lt;em&gt;post-quantum cryptography&lt;/em&gt; -- schemes built on entirely &lt;em&gt;different&lt;/em&gt; hard problems such as lattices, error-correcting codes, and hash functions. That is a separate research program, out of scope here, and its independence is the point: it is not a faster discrete log but a different foundation.&lt;/p&gt;
&lt;p&gt;That post-quantum cryptography is a genuinely different problem, not a continuation of the discrete-log genealogy, is underscored by how young and unsettled it still is: several proposed post-quantum schemes have themselves been broken during standardization -- the SIDH/SIKE isogeny key-exchange scheme fell to an efficient classical key-recovery attack [@castryck-decru-2022], and the Rainbow signature finalist was broken on a laptop in a single weekend [@beullens-2022] -- which would be impossible if they were merely the discrete log in disguise. Different problems fail in different ways.&lt;/p&gt;
&lt;p&gt;So the mathematics is settled enough to act on. Choose a group with no weak part, and the classical attacker is stranded at the square-root floor; the only remaining break is one you cannot out-size, and the response to it is migration, not a bigger key. That leaves one practical question: how do you actually choose a group with no weak part? Every criterion is a scar from an attack in this article.&lt;/p&gt;
&lt;h2&gt;12. Choosing a Group With No Weak Part&lt;/h2&gt;
&lt;p&gt;Every line on a curve-selection checklist is a scar from a specific attack in this article. Read the checklist not as arbitrary hygiene but as a map of defeated enemies -- each criterion exists because someone, somewhere, lost a key to the attack it blocks.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Criterion&lt;/th&gt;
&lt;th&gt;Attack it defeats&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Large prime subgroup order&lt;/td&gt;
&lt;td&gt;Pohlig-Hellman [@pohlig-hellman-1978]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Small cofactor&lt;/td&gt;
&lt;td&gt;small-subgroup leakage&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Trace not one, so $#E \neq p$&lt;/td&gt;
&lt;td&gt;anomalous / SSSA transfer [@smart-1999]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Large embedding degree&lt;/td&gt;
&lt;td&gt;MOV / Frey-Ruck [@mov-1993]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Twist-security (curve and twist near-prime order)&lt;/td&gt;
&lt;td&gt;twist confinement; in a single-coordinate ladder it also confines an off-curve input to the secure twist. The full-coordinate invalid-curve shadow needs input-point validation instead, an implementation check handed to the sibling [@safecurves] [@biehl-meyer-muller-2000]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Prime field, no small characteristic, no composite extension&lt;/td&gt;
&lt;td&gt;Weil descent / GHS [@ghs-2002], small-char quasi-poly [@kleinjung-wesolowski-2019]&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Rigidity (fully explained, manipulation-resistant parameters)&lt;/td&gt;
&lt;td&gt;hidden-structure and backdoor suspicion [@bernstein-curve25519-2006]&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Two of these checks are easy enough to run on a toy example, which makes the abstract concrete: a curve is anomalous exactly when its point count equals the field prime, and it has a dangerous embedding degree exactly when the subgroup order divides $p^k - 1$ for some small $k$.&lt;/p&gt;
&lt;p&gt;{`
def embedding_degree(l, p, bound=200):
    # least k with l dividing p^k - 1; small k means a MOV / Frey-Ruck door
    r = p % l
    for k in range(1, bound + 1):
        if r == 1:
            return k
        r = (r * p) % l
    return None  # beyond the search bound: safely large&lt;/p&gt;
&lt;p&gt;def score(p, n, l):
    flags = []
    if n == p:
        flags.append(&quot;ANOMALOUS: #E equals p, trace one -&amp;gt; polynomial-time SSSA transfer&quot;)
    if n % l == 0:
        k = embedding_degree(l, p)
        if k is not None and k &amp;lt;= 6:
            flags.append(&quot;LOW EMBEDDING DEGREE k=&quot; + str(k) + &quot; -&amp;gt; MOV / Frey-Ruck transfer&quot;)
        if n // l &amp;gt; 8:
            flags.append(&quot;LARGE COFACTOR &quot; + str(n // l) + &quot; -&amp;gt; small-subgroup leakage&quot;)
    else:
        flags.append(&quot;subgroup order does not divide the point count (bad parameters)&quot;)
    return flags or [&quot;no structural red flag on these two checks&quot;]&lt;/p&gt;
&lt;p&gt;print(&quot;anomalous toy (p = n = 23):&quot;, score(23, 23, 23))
print(&quot;low-k toy (p=23, points=24, order=3):&quot;, score(23, 24, 3))
print(&quot;clean toy (p=101, points=order=83):&quot;, score(101, 83, 83))
`}&lt;/p&gt;
&lt;h3&gt;The decision, in one flow&lt;/h3&gt;

flowchart TD
    A{&quot;What are you building?&quot;} --&amp;gt;|New system, free choice| B[X25519 for key exchange, Ed25519 for signatures]
    A --&amp;gt;|FIPS-constrained| C[NIST P-256]
    A --&amp;gt;|Finite-field DH is forced| D[A standard RFC 7919 group of at least 2048 bits, never a shared 1024-bit prime]
    B --&amp;gt; E[Verify large prime order, small cofactor, trace not one, large embedding degree, twist-secure, rigid]
    C --&amp;gt; E
    D --&amp;gt; F[Plan a post-quantum or hybrid migration for the Shor horizon]
    E --&amp;gt; F
&lt;p&gt;For a new system with a free hand, use X25519 for key exchange and Ed25519 for signatures [@rfc7748] [@rfc8032]: they are twist-secure and rigid by construction, and they close every classical door in the table above. Where a standard mandates the NIST curves, &lt;a href=&quot;https://paragmali.com/blog/the-curve-was-hard-the-gap-was-soft-a-field-guide-to-using-e/&quot; rel=&quot;noopener&quot;&gt;P-256&lt;/a&gt; is a sound choice with the same generic-floor security [@nist-sp800-186]. If finite-field Diffie-Hellman is genuinely unavoidable, use a standard RFC 7919 group of at least 2048 bits -- its shared named groups are safe at this size because the sieve precomputation is infeasible -- or a dedicated unique prime; never a shared or legacy 1024-bit prime, whose danger was the entire lesson of Logjam [@rfc7919].&lt;/p&gt;
&lt;p&gt;And across the board, avoid the families this article condemned: anomalous curves, low-embedding-degree curves, small-characteristic fields, and the binary and Koblitz curves that NIST now deprecates and FIPS 186-5 removes [@nist-sp800-186].&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; For roughly 128-bit security you can carry a 256-bit elliptic-curve key or a 3072-bit finite-field prime -- an eighth of the size for the same strength, with the gap widening at higher security levels. That is not a small optimization; it is why elliptic curves dominate new deployments. Unless a specific standard forces finite-field Diffie-Hellman, prefer X25519 and Ed25519 for smaller keys and faster, twist-secure operations [@safecurves] [@rfc7748].&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;One caveat belongs to the sibling article, not this one: choosing a strong group is necessary but not sufficient. A flawless curve still fails if the software forgets to validate an input point, reuses a nonce, or leaks timing -- the implementation failures catalogued in &quot;How Elliptic Curves and Diffie-Hellman Break in Real Life.&quot; This article guarantees only that the &lt;em&gt;mathematics&lt;/em&gt; of a well-chosen group offers no purchase. The code still has to hold up its end.&lt;/p&gt;
&lt;p&gt;That covers what to do. The questions careful engineers keep asking -- and the misconceptions that trip up even good ones -- deserve direct answers.&lt;/p&gt;
&lt;h2&gt;13. Frequently Asked Questions&lt;/h2&gt;

No -- it gives about 128-bit security. Because Pollard rho solves the discrete log in roughly the square root of the group order, a 256-bit curve is a $2^{128}$ target, not a $2^{256}$ one. SafeCurves lists NIST P-256 at about $2^{127.8}$ and Curve25519 at about $2^{125.8}$ operations [@safecurves]. The bit length of the key is double the security level, not equal to it.

Only for two of the problems. A bigger key raises the generic square-root floor, and a larger, unique prime defeats undersized or shared finite-field Diffie-Hellman. But a *structural* break ignores key size entirely: an anomalous curve falls in polynomial time regardless of its bit length [@smart-1999], a shared precomputed prime falls no matter how fresh the ephemeral [@logjam-adrian-2015], and Shor is polynomial in the log of the order, so doubling the curve barely moves its cost [@shor-1997]. Against structure, size is no defense.

No. On a well-chosen group it is, as far as anyone knows, as hard as it can be -- the best generic attack is Pollard rho, and Shoup proved no generic algorithm does better [@shoup-1997]. Every real break in the literature exploited a structural property of a *chosen* group, not the logarithm itself. The honest caveat is that elliptic-curve discrete-log hardness is *unproven*: no one can prove it is hard, only observe that no one has broken a clean curve.

Because $\mathbb{F}_p^*$ has a factor base and a clean curve does not. The multiplicative group&apos;s elements are integers you can factor, which is exactly what the sub-exponential Number Field Sieve needs [@gordon-1993]. A well-chosen elliptic curve has no notion of a &quot;smooth&quot; point, so the sieve has nothing to grip, and the best attack stays at the square-root floor. The Logjam exposure came from that structural difference meeting a shared, undersized prime [@logjam-adrian-2015].

No. The expensive first stage of the Number Field Sieve depends only on the *prime*, not on any individual key, so it amortizes across every connection that shares that prime [@logjam-adrian-2015]. Freshness protects the ephemeral key; it does nothing about a shared group. A unique prime, not a fresh ephemeral, is what denies the attacker the precomputation.

Shor. It reduces the discrete log to quantum period-finding and solves it in polynomial time on a flawless group, which is a structural break and squarely in scope [@shor-1997]. Grover&apos;s algorithm is only a generic square-root speedup for unstructured search; it shortens *symmetric* keys and is neutralized by doubling them. Grover is not a structural break of the discrete log at all, and it is named here only to be set aside.

No. The only proven wall is Shoup&apos;s $\Omega(\sqrt{\ell})$ lower bound, and it holds only in the *generic-group* model -- index calculus beats it for $\mathbb{F}_p^*$ precisely because that group is not generic [@shoup-1997]. There is no unconditional hardness proof, and one is not expected soon: the discrete log sits in $\mathrm{NP} \cap \mathrm{coNP}$, so it is believed not to be NP-complete, which puts a hardness proof far beyond current complexity theory [@galbraith-2012]. &quot;Only Shor breaks a clean group&quot; always carries the silent rider &quot;as far as is known.&quot;
&lt;h2&gt;The Log Was Never the Weak Part&lt;/h2&gt;
&lt;p&gt;Return to the four groups from the opening. NIST P-256 and Curve25519 stand at about $2^{128}$ because they have large prime order, trace not one, large embedding degree, twist-security, and rigid parameters -- every structural door bolted shut, leaving only the square-root floor.&lt;/p&gt;
&lt;p&gt;The third 256-bit curve dies in polynomial time for one reason: its trace is one, so its log transfers into simple addition. And the 1024-bit finite-field group is a nation-state target because its group is inherently factorable and its prime was shared and precomputed. Four groups, the same discrete logarithm, three different fates -- and in every case the deciding variable was the group.&lt;/p&gt;

Same discrete log, radically different fates. The variable was never the logarithm. It was the group.
&lt;p&gt;That is the pattern under all ten attacks. Pohlig-Hellman needs a smooth order. The anomalous transfer needs trace one. MOV and Frey-Ruck need a small embedding degree. Twist attacks need a smooth twist. Invalid-curve shadows need $b$-independent arithmetic. Weil descent needs a composite extension field. The Number Field Sieve needs a factor base. Logjam needs a shared prime. Small-characteristic descent needs a small characteristic. Every classical break is a receipt for a structural property of a &lt;em&gt;chosen&lt;/em&gt; group, and never once a faster generic logarithm.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Strip a group of every exploitable structure -- give it a large prime order, a small cofactor, trace not one, a large embedding degree, twist-security, rigidity, a prime field, no small characteristic, and a unique well-sized prime -- and the classical attacker is thrown all the way back to Pollard&apos;s 1978 random walk. The only thing left that beats it does not compute a cleverer logarithm; it changes the machine. The logarithm was never the weak part. The group always was.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Which is why the rational response has two halves. Choose a clean group -- the checklist in Section 12 is really a list of defeated attacks -- and begin preparing for the one break you cannot out-size, by planning the migration to &lt;a href=&quot;https://paragmali.com/blog/one-event-three-assumptions-five-answers-a-field-guide-to-th/&quot; rel=&quot;noopener&quot;&gt;post-quantum primitives&lt;/a&gt; before a quantum computer forces the issue.&lt;/p&gt;
&lt;p&gt;For the failures that live in code rather than mathematics -- unvalidated points, repeated nonces, timing leaks, negotiated downgrades -- turn to the empirical sibling, &quot;How Elliptic Curves and Diffie-Hellman Break in Real Life.&quot; The mathematics here gives you a group with no weak part. The engineering there decides whether your system keeps it that way.&lt;/p&gt;
&lt;p&gt;&amp;lt;StudyGuide slug=&quot;how-discrete-log-would-break&quot; keyTerms={[
  { term: &quot;Discrete logarithm problem (DLP)&quot;, definition: &quot;Given g and h = g to the x in a cyclic group, recover the exponent x. The hardness assumption behind Diffie-Hellman, DSA, ECDH, ECDSA, and EdDSA.&quot; },
  { term: &quot;Generic group&quot;, definition: &quot;A group whose elements are opaque tokens with no readable structure; the setting in which the square-root floor is proven.&quot; },
  { term: &quot;Pollard rho&quot;, definition: &quot;A low-memory pseudo-random walk that solves the DLP in about 0.886 times the square root of the group order via a birthday collision.&quot; },
  { term: &quot;Pohlig-Hellman&quot;, definition: &quot;Reduction that shatters a smooth-order group into small prime-power subgroups, so security requires a large prime factor of the order.&quot; },
  { term: &quot;Trace of Frobenius&quot;, definition: &quot;The integer t with number of points equal to p plus 1 minus t; a curve is anomalous when t equals 1.&quot; },
  { term: &quot;Anomalous curve&quot;, definition: &quot;A curve with point count equal to p, whose discrete log transfers into the additive group of the field and falls in polynomial time (SSSA).&quot; },
  { term: &quot;Embedding degree&quot;, definition: &quot;The least k with the subgroup order dividing q to the k minus 1; a small k opens the MOV and Frey-Ruck pairing transfers.&quot; },
  { term: &quot;Quadratic twist and twist-security&quot;, definition: &quot;The sibling curve reached by off-curve x-coordinates; twist-security requires both curve and twist to have near-prime order.&quot; },
  { term: &quot;Index calculus&quot;, definition: &quot;A DLP attack using a factor base of small primes and smooth relations; it needs factorable elements, which a clean curve lacks.&quot; },
  { term: &quot;L-notation&quot;, definition: &quot;Sub-exponential cost measure L[alpha, c]; alpha equal to 1 is exponential, 0 is polynomial, and 1/3 is the Number Field Sieve regime.&quot; },
  { term: &quot;Number Field Sieve for discrete logs&quot;, definition: &quot;The sub-exponential attack on finite-field DLP at L[1/3]; its precomputation depends only on the prime, which Logjam exploits.&quot; },
  { term: &quot;Period-finding&quot;, definition: &quot;The quantum subroutine at the heart of Shor&apos;s algorithm; it recovers the discrete log in polynomial time on any clean group.&quot; }
]} /&amp;gt;&lt;/p&gt;
</content:encoded><category>cryptography</category><category>discrete-logarithm</category><category>elliptic-curves</category><category>diffie-hellman</category><category>cryptanalysis</category><category>quantum-computing</category><category>number-field-sieve</category><author>noreply@paragmali.com (Parag Mali)</author></item><item><title>Nobody Broke the Discrete Log: A Field Guide to Diffie-Hellman and Forward Secrecy</title><link>https://paragmali.com/blog/nobody-broke-the-discrete-log-a-field-guide-to-diffie-hellma/</link><guid isPermaLink="true">https://paragmali.com/blog/nobody-broke-the-discrete-log-a-field-guide-to-diffie-hellma/</guid><description>The discrete log held for fifty years; Logjam, small-subgroup, and invalid-curve attacks broke the deployment instead. A field guide to FFDHE, ECDH, and X25519.</description><pubDate>Mon, 13 Jul 2026 02:35:50 GMT</pubDate><content:encoded>
**Diffie-Hellman&apos;s hardness -- the discrete logarithm -- has held for fifty years and almost never breaks in the field.** What breaks is one of four conditions the caller must supply, plus one discipline beneath them all.&lt;p&gt;Forward secrecy needs a genuinely &lt;strong&gt;fresh&lt;/strong&gt; ephemeral: reuse it and the property silently evaporates, which is why the paper that named the problem is titled &lt;em&gt;Imperfect Forward Secrecy&lt;/em&gt;. The group must be &lt;strong&gt;strong and unshared&lt;/strong&gt;: finite-field DH has a sub-exponential attack whose expensive step depends only on the prime, so millions of servers sharing one 1024-bit prime let a nation-state precompute once and read everyone, while a 256-bit curve escapes this -- which is why X25519 keys are 32 bytes. The peer&apos;s public value must be &lt;strong&gt;validated&lt;/strong&gt;: an unvalidated point turns your reused key into a key-extraction oracle, and X25519 makes that check structural through twist security, so clamping is &lt;em&gt;not&lt;/em&gt; validation. The exchange must be &lt;strong&gt;authenticated&lt;/strong&gt;: raw DH stops a passive eavesdropper and not an active man-in-the-middle. Beneath all four, the raw shared secret is a group element, not a key: run it through a KDF.&lt;/p&gt;
&lt;p&gt;The fifty-year evolution -- finite-field DH in 1976, then elliptic-curve DH, then X25519, then the TLS 1.3 ephemeral mandate, then today&apos;s &lt;code&gt;X25519MLKEM768&lt;/code&gt; hybrid -- is one sustained move to bake each condition into the primitive, the named group, and the protocol, so the simple thing to do is the safe thing to do. Every one of these still falls to Shor, which is why ECDH is now being wrapped, not replaced. The math held; the deployment handed the secret away.
&lt;/p&gt;&lt;p&gt;&lt;/p&gt;
&lt;h2&gt;1. They Precomputed the Prime Once, and Read Everyone&lt;/h2&gt;
&lt;p&gt;In 2015 a team of researchers pointed out something that should have been impossible: millions of HTTPS, SSH, and VPN servers were sharing the same handful of 1024-bit Diffie-Hellman primes. That sharing did not merely weaken those servers -- it changed the &lt;em&gt;economics&lt;/em&gt; of breaking them. The most expensive step of the best known algorithm for computing discrete logarithms depends only on the prime, not on any particular connection, so an adversary who could afford the precomputation for one common prime could then decrypt, passively and forever, every connection that used it [@weakdh].&lt;/p&gt;
&lt;p&gt;Breaking the single most common 1024-bit group would have exposed an estimated 18% of the top million HTTPS sites, and a second common prime an estimated 66% of VPNs [@weakdh]. Nobody had to break the math. They precomputed the prime once and read everyone.&lt;/p&gt;
&lt;p&gt;Here is the part that should unsettle you. The people running those servers were not careless. They believed they were doing the one thing everyone agrees you must do: generate a brand-new key for every connection. The researchers put it plainly -- practitioners &quot;believed this was safe as long as new key exchange messages were generated for every connection&quot; -- and they were wrong, because a &lt;em&gt;shared&lt;/em&gt; prime and a &lt;em&gt;fresh&lt;/em&gt; per-connection secret are two different conditions, and only one of them was being met [@weakdh].&lt;/p&gt;
&lt;p&gt;The attack, named Logjam, actually had a second half: an active attacker could force a browser and server to negotiate a deliberately breakable 512-bit &quot;export-grade&quot; group, so that even a modest adversary could solve the discrete log in real time [@weakdh]. Two coupled failures -- a downgrade and a precomputation -- and neither one touched the underlying hardness assumption. That active downgrade even had an exact RSA twin the same year, FREAK, which forced a browser down to breakable 512-bit &quot;export&quot; RSA instead of Diffie-Hellman [@freak]. The paper&apos;s title says the whole thing in two words: &lt;em&gt;Imperfect Forward Secrecy&lt;/em&gt;.&lt;/p&gt;

The math held; the deployment handed the secret away.
&lt;p&gt;This article is about that gap, and about closing it. The security a system actually gets from Diffie-Hellman is never simply &quot;the discrete logarithm is hard.&quot; It is a stack of four conditions the caller must independently satisfy -- a genuinely &lt;strong&gt;fresh&lt;/strong&gt; ephemeral secret, a &lt;strong&gt;strong and unshared&lt;/strong&gt; group, a &lt;strong&gt;validated&lt;/strong&gt; peer value, and an &lt;strong&gt;authenticated&lt;/strong&gt; exchange -- plus one discipline underneath them: the raw output is a group element, not a key, so it must pass through a key derivation function.&lt;/p&gt;
&lt;p&gt;Every world-scale Diffie-Hellman break you half-remember -- Logjam, small-subgroup key recovery, invalid-curve attacks on TLS, Raccoon, the anonymous man-in-the-middle -- is exactly one of those conditions quietly violated. The same unbroken math spawned a whole catalog of disasters, and the fifty-year history of the primitive is one sustained effort to pull those conditions back inside the primitive, the named group, and the protocol, so that a caller cannot forget them.&lt;/p&gt;
&lt;p&gt;To see why a shared prime is a catastrophe -- and why &quot;we generate a fresh key every connection&quot; was true yet still left everyone exposed -- you first have to be precise about what a Diffie-Hellman exchange promises, and the four jobs it quietly delegates to you.&lt;/p&gt;
&lt;h2&gt;2. What Diffie-Hellman Actually Is, and the Four Things You Must Supply&lt;/h2&gt;
&lt;p&gt;Two strangers who have never met, standing on either side of a wire the whole world can read, end up sharing a secret that no eavesdropper can compute. That is one of the deepest ideas in computer science, and it hides four decisions the scheme refuses to make for you.&lt;/p&gt;
&lt;h3&gt;The mechanism, with just enough math&lt;/h3&gt;
&lt;p&gt;Fix a public group with a generator $g$. Alice picks a secret number $a$ and sends $g^a$; Bob picks a secret $b$ and sends $g^b$. Each raises what they received to their own secret, and because exponents commute, they land on the same value:&lt;/p&gt;
&lt;p&gt;$$g^{ab} = (g^a)^b = (g^b)^a.$$&lt;/p&gt;
&lt;p&gt;An eavesdropper sees $g$, $g^a$, and $g^b$, but never $a$ or $b$. A student can implement the whole thing in three lines of modular exponentiation.&lt;/p&gt;

A protocol in which two parties exchange the public values $g^a$ and $g^b$ over an open channel and each computes the shared secret $g^{ab}$, which an eavesdropper who sees only $g$, $g^a$, and $g^b$ cannot compute.
&lt;p&gt;{&lt;code&gt;// Toy Diffie-Hellman over a tiny prime field. Illustrative sizes, NOT secure. const p = 2147483647n;   // a small 31-bit prime; a real DH prime is &amp;gt;= 3072 bits const g = 7n;            // a public generator element function powmod(base, exp, m){   let r = 1n; base %= m;   while (exp &amp;gt; 0n){ if (exp &amp;amp; 1n) r = (r * base) % m; base = (base * base) % m; exp &amp;gt;&amp;gt;= 1n; }   return r; } const a = 1234567n;             // Alice&apos;s fresh ephemeral secret (never sent) const b = 7654321n;             // Bob&apos;s fresh ephemeral secret   (never sent) const A = powmod(g, a, p);      // Alice sends this over the open wire const B = powmod(g, b, p);      // Bob sends this over the open wire const secretAlice = powmod(B, a, p);  // Alice computes (g^b)^a const secretBob   = powmod(A, b, p);  // Bob   computes (g^a)^b console.log(&apos;Alice g^ab =&apos;, secretAlice.toString()); console.log(&apos;Bob   g^ab =&apos;, secretBob.toString()); console.log(&apos;do they agree? -&amp;gt;&apos;, secretAlice === secretBob); // The raw shared value is a group element, NOT a key. Real code never uses it // directly: it feeds g^ab into a KDF (HKDF-SHA256) to extract a uniform key. const toyKey = (secretAlice * 2654435761n) % (2n ** 32n); // stand-in for HKDF only console.log(&apos;derived key (toy stand-in) =&apos;, toyKey.toString());&lt;/code&gt;}&lt;/p&gt;
&lt;h3&gt;Why it is hard to break&lt;/h3&gt;
&lt;p&gt;The security rests on the &lt;strong&gt;discrete logarithm problem&lt;/strong&gt;: given $g$ and $g^a$, recover the exponent $a$. In a well-chosen group this is believed intractable.&lt;/p&gt;

Given a generator $g$ and an element $g^a$ in a large group, the problem of recovering the exponent $a$. It is believed hard in carefully chosen groups, and it is the foundation Diffie-Hellman rests on.
&lt;p&gt;But hardness of the discrete log is not quite the property we need. Recovering $a$ is the discrete-log problem; &lt;em&gt;computing the shared secret&lt;/em&gt; $g^{ab}$ from $g^a$ and $g^b$ without recovering either exponent is the &lt;strong&gt;Computational Diffie-Hellman (CDH)&lt;/strong&gt; assumption, a slightly weaker thing to assume hard. Sharper still: &quot;the shared secret is indistinguishable from a random group element&quot; is the &lt;strong&gt;Decisional Diffie-Hellman (DDH)&lt;/strong&gt; assumption, and it is &lt;em&gt;strictly stronger&lt;/em&gt; than CDH [@cryptobook]. The distance between &quot;hard to compute&quot; and &quot;looks random&quot; is exactly why the raw output of the exchange is not yet a key.&lt;/p&gt;

CDH is the assumption that computing $g^{ab}$ from $g^a$ and $g^b$ is hard. DDH is the stronger assumption that $g^{ab}$ cannot even be distinguished from a random group element. DDH can fail in groups where CDH still holds, which is why the raw shared value is not treated as a uniform key.
&lt;p&gt;There are real groups -- pairing-friendly elliptic curves -- where DDH is &lt;em&gt;easy&lt;/em&gt; even though CDH is plausibly hard, so $g^{ab}$ is computable-hard yet distinguishable from random.This is why &quot;looks random&quot; is the &lt;em&gt;decisional&lt;/em&gt; assumption, not the computational one. The one-line consequence, paid off in the forward-secrecy and theory sections, is that you must extract a key from the shared value with a KDF rather than use it raw. Keep that fact in your pocket; it becomes a theorem later.&lt;/p&gt;
&lt;h3&gt;The thesis, stated as the primitive&apos;s interface&lt;/h3&gt;
&lt;p&gt;Now look at what the exchange quietly assumes but never enforces. Raw finite-field Diffie-Hellman outsources all of the following to the caller, at once:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Freshness.&lt;/strong&gt; The secret $a$ must be genuinely fresh per session, then destroyed. This is what buys forward secrecy.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;A strong, unshared group.&lt;/strong&gt; The group must be large enough and not shared in a way that lets an attacker amortize work across everyone who uses it.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;A validated peer value.&lt;/strong&gt; The incoming $g^b$ must actually be a well-formed element of the right group, not a hostile input chosen to leak your secret.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Authentication.&lt;/strong&gt; Something must bind $g^a$ and $g^b$ to identities, or an active attacker sits in the middle.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;And beneath all four, a fifth discipline: the raw $g^{ab}$ is a structured group element, not a key, so it must go through a &lt;a href=&quot;https://paragmali.com/blog/one-secret-is-not-one-key-the-discipline-of-key-derivation-w/&quot; rel=&quot;noopener&quot;&gt;key derivation function&lt;/a&gt; before anyone calls it a key [@rfc5869]. The original 1976 construction supplies &lt;em&gt;none&lt;/em&gt; of these; it hands you a shared secret and trusts you to remember the rest [@dh1976].&lt;/p&gt;

flowchart TD
    A[&quot;Alice: fresh secret a, send g^a&quot;] --&amp;gt; S[&quot;Shared value g^(ab)&quot;]
    B[&quot;Bob: fresh secret b, send g^b&quot;] --&amp;gt; S
    S --&amp;gt; K[&quot;KDF turns g^(ab) into a real key&quot;]
    F1[&quot;1. Freshness: is a truly ephemeral and destroyed&quot;] -.-&amp;gt; A
    F2[&quot;2. Strong and unshared group&quot;] -.-&amp;gt; S
    F3[&quot;3. Validate the peer value g^b&quot;] -.-&amp;gt; B
    F4[&quot;4. Authenticate the exchange&quot;] -.-&amp;gt; S
&lt;p&gt;This table is the entire article compressed into a grid: each row a condition, each column showing who historically lifted that burden off the caller. It fills in from left (the caller does everything by hand) to right (the primitive, the named group, or the protocol does it).&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Condition&lt;/th&gt;
&lt;th&gt;What the caller must supply&lt;/th&gt;
&lt;th&gt;Where it eventually gets pulled inside&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;1. Freshness&lt;/td&gt;
&lt;td&gt;A per-session ephemeral secret, destroyed after use&lt;/td&gt;
&lt;td&gt;The protocol: TLS 1.3 mandates ephemeral (EC)DHE&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2. Strong, unshared group&lt;/td&gt;
&lt;td&gt;A large prime or curve nobody can precompute against&lt;/td&gt;
&lt;td&gt;The named group: RFC 7919 FFDHE safe primes; strong curves&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3. Validated peer value&lt;/td&gt;
&lt;td&gt;An on-curve, correct-subgroup public value&lt;/td&gt;
&lt;td&gt;The primitive: X25519 twist security; or a hand-written check for classic ECDH&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;4. Authentication&lt;/td&gt;
&lt;td&gt;A signature or MAC binding the transcript to identities&lt;/td&gt;
&lt;td&gt;The protocol: STS/SIGMA, then TLS 1.3&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;5. KDF discipline&lt;/td&gt;
&lt;td&gt;Extract a uniform key from the raw shared value&lt;/td&gt;
&lt;td&gt;Every modern design: HKDF over the shared secret&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; The security a system gets from Diffie-Hellman is never &quot;the discrete log is hard.&quot; It is four conditions the caller must supply -- fresh, strong-and-unshared, validated, authenticated -- and then a KDF beneath them. Every named break in this article is exactly one of those quietly missing.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The raw $g^{ab}$ (or, on a curve, the shared x-coordinate) is a group element, not a key. Run it through a KDF such as HKDF before you ever call it a key. This is the discipline beneath all four conditions, and later it turns out to be a theorem, not a style preference.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Three of those four conditions were not obvious in 1976. Each was discovered the hard way, by a named break. To understand why a fifty-year-old idea still hands them to you, go back to the moment key agreement was only an idea -- an idea that, it turns out, had already been discovered in secret.&lt;/p&gt;
&lt;h2&gt;3. Where This Came From: 1976, and the Secret That Came First&lt;/h2&gt;
&lt;p&gt;In 1976 two Stanford researchers opened a paper with a sentence that has aged remarkably well: &quot;We stand today on the brink of a revolution in cryptography&quot; [@dh1976]. Whitfield Diffie and Martin Hellman were right about the revolution. They were also, unknown to them, second.&lt;/p&gt;
&lt;h3&gt;The problem before the answer&lt;/h3&gt;
&lt;p&gt;Before public key agreement, two parties who wanted to talk securely had to already share a secret key, delivered out of band -- by a trusted courier, a locked briefcase, a prior meeting. That does not scale. A network of $n$ parties who each want to talk privately needs on the order of $n^2$ pairwise keys, every one of them distributed and stored in advance. The cost of moving keys, not the cost of encryption, is what throttled commercial cryptography for decades.&lt;/p&gt;
&lt;h3&gt;The public origin&lt;/h3&gt;
&lt;p&gt;Diffie and Hellman&apos;s &quot;New Directions in Cryptography&quot; broke the deadlock. Their key exchange let two parties agree on a shared secret over a channel an adversary could fully observe: fix a public generator $g$ over a finite field, keep the exponents private, exchange $g^a$ and $g^b$, and let both sides compute $g^{ab}$, with security resting on the discrete logarithm modulo a large prime [@dh1976]. The same paper credits Ralph Merkle&apos;s independent &quot;puzzles&quot; idea as a partial solution to the same problem, which is the seed of the argument -- pressed for years by Hellman -- that the scheme should be called Diffie-Hellman-Merkle [@dh1976], [@merkle]. Merkle&apos;s own framing was that his construction &quot;forces any enemy to expend an amount of work which increases as the square of the work required of the two communicants&quot; [@cacm-merkle].&lt;/p&gt;
&lt;p&gt;Merkle conceived his puzzles around 1974 and saw a 1975 write-up rejected; the work was not published until 1978. Yet Diffie and Hellman&apos;s 1976 paper already cites it as &quot;submitted to the CACM,&quot; which fixed the idea in the literature before its own publication -- part of why Hellman argued for the three-name credit [@merkle].&lt;/p&gt;
&lt;h3&gt;The classified precursor&lt;/h3&gt;
&lt;p&gt;Here is the part most textbooks skip. Inside the United Kingdom&apos;s signals-intelligence agency, GCHQ, and its information-security arm CESG, the same ideas had already arrived, and stayed locked in a safe. James Ellis conceived what he called &quot;non-secret encryption&quot; at the end of the 1960s -- the recipient, he realized, only needs to be in a &lt;em&gt;different position&lt;/em&gt; from the interceptor, not a secret one [@ellis]. Clifford Cocks worked out the trapdoor that we would now recognize as RSA in 1973, and Malcolm Williamson derived the discrete-exponentiation key exchange -- Diffie-Hellman in substance -- in 1974 [@wikipedia-cocks]. All of it remained classified until December 1997 [@wikipedia-cocks].&lt;/p&gt;
&lt;p&gt;The counterfactual sharpens the whole thesis of this article. The &lt;em&gt;idea&lt;/em&gt; of public key agreement existed inside a government agency and changed nothing about how the world built systems, because it was never published, never standardized, never turned into a named group or a protocol anyone could deploy. An idea that no caller can reach protects no one.&lt;/p&gt;
&lt;p&gt;The GCHQ dates are genuinely disputed. Ellis&apos;s own account traces the origin only to &quot;the 60&apos;s&quot;; the widely repeated &quot;1970&quot; is the date of his internal report. The primary CESG and gchq.gov.uk pages that once hosted this history are gone, so the record here rests on the archived Ellis document plus corroborating biography, not on any live government URL [@ellis], [@wikipedia-cocks].&lt;/p&gt;

timeline
    title From a secret idea to a mandated protocol
    1969 : Ellis conceives non-secret encryption inside GCHQ
    1974 : Williamson derives DH-style key exchange, kept classified
    1976 : Diffie and Hellman publish New Directions, finite-field DH
    1985 : Miller proposes elliptic-curve cryptography (Koblitz independently, published 1987)
    1992 : Station-to-Station signs the DH values for authentication
    2006 : Bernstein publishes Curve25519 and the X25519 function
    2015 : Logjam shows shared 1024-bit primes are a mass liability
    2018 : TLS 1.3 mandates ephemeral key exchange, removes static DH
    2024 : X25519MLKEM768 hybrid ships by default in OpenSSH 9.9
&lt;p&gt;Diffie and Hellman had shown that two strangers could agree on a secret against an eavesdropper who only &lt;em&gt;listens&lt;/em&gt;. They said almost nothing about an adversary who &lt;em&gt;acts&lt;/em&gt;. That omission is not a flaw in the paper; it is the second of the four conditions, and closing it took another two decades.&lt;/p&gt;
&lt;h2&gt;4. The Anonymous-DH Gap: Why Raw DH Is Only Half a Protocol&lt;/h2&gt;
&lt;p&gt;Raw ephemeral Diffie-Hellman defeats a passive eavesdropper &lt;em&gt;completely&lt;/em&gt;, and an &lt;a href=&quot;https://paragmali.com/blog/secure-against-whom-the-security-definitions-every-protocol-/&quot; rel=&quot;noopener&quot;&gt;active attacker&lt;/a&gt; &lt;em&gt;not at all&lt;/em&gt;. The whole difference is one adversary who can inject packets, and it is the entire reason &quot;just do a DH exchange&quot; is never the whole answer.&lt;/p&gt;
&lt;h3&gt;The man-in-the-middle, mechanically&lt;/h3&gt;
&lt;p&gt;Suppose an attacker sits on the wire and can not only read but rewrite. When Alice sends $g^a$ toward Bob, the attacker keeps it and sends its own $g^m$ onward. When Bob replies with $g^b$, the attacker keeps that too and sends $g^m$ back to Alice. Now the attacker shares one secret, $g^{am}$, with Alice, and a &lt;em&gt;different&lt;/em&gt; secret, $g^{bm}$, with Bob. It decrypts whatever Alice sends, reads or modifies it, re-encrypts under the Bob-side secret, and forwards. Neither party sees anything wrong: both completed a textbook-perfect exchange. The primitive simply never promised anything about &lt;em&gt;who&lt;/em&gt; is on the other end.&lt;/p&gt;

sequenceDiagram
    participant A as Alice
    participant M as Attacker
    participant B as Bob
    A-&amp;gt;&amp;gt;M: sends g^a intended for Bob
    M-&amp;gt;&amp;gt;B: substitutes g^m
    B-&amp;gt;&amp;gt;M: sends g^b intended for Alice
    M-&amp;gt;&amp;gt;A: substitutes g^m
    Note over A,M: Alice agrees on secret g^am with the attacker
    Note over M,B: Bob agrees on a different secret g^bm
    Note over M: Attacker decrypts, reads, re-encrypts both directions
&lt;p&gt;This is a design gap, not an implementation bug. It falls to an &lt;em&gt;active&lt;/em&gt; adversary specifically; a passive listener still learns nothing.&lt;/p&gt;
&lt;p&gt;{&lt;code&gt;// Toy anonymous-DH MITM. Illustrative sizes, NOT secure. const p = 2147483647n, g = 7n; function powmod(base, exp, m){   let r = 1n; base %= m;   while (exp &amp;gt; 0n){ if (exp &amp;amp; 1n) r = (r*base) % m; base = (base*base) % m; exp &amp;gt;&amp;gt;= 1n; }   return r; } const a = 111111n, b = 999999n;   // honest ephemeral secrets const A = powmod(g, a, p);        // Alice&apos;s message (intercepted) const B = powmod(g, b, p);        // Bob&apos;s message   (intercepted) const m = 424242n;                // the attacker&apos;s own secret const M = powmod(g, m, p);        // the attacker forwards THIS to both sides const aliceSide = powmod(M, a, p);   // Alice computes (g^m)^a const attackerA = powmod(A, m, p);   // attacker computes (g^a)^m  -&amp;gt; equal const bobSide   = powmod(M, b, p);   // Bob computes (g^m)^b const attackerB = powmod(B, m, p);   // attacker computes (g^b)^m  -&amp;gt; equal console.log(&apos;Alice-attacker secret agrees?&apos;, aliceSide === attackerA); console.log(&apos;Bob-attacker secret agrees?  &apos;, bobSide   === attackerB); console.log(&apos;Do Alice and Bob share a key?&apos;, aliceSide === bobSide); // false // The attacker now holds both session secrets and relays, reading everything.&lt;/code&gt;}&lt;/p&gt;

A key-agreement protocol that also binds the exchanged public values to identities, so that an active attacker cannot substitute its own values undetected. It is what raw Diffie-Hellman is missing.
&lt;h3&gt;The precision that carries the rest of the article&lt;/h3&gt;
&lt;p&gt;Authentication defeats the &lt;em&gt;active&lt;/em&gt; adversary, and only the active adversary. It is orthogonal to the hardness of the group and to input validation. The sections ahead each violate a &lt;em&gt;different&lt;/em&gt; condition, and it is tempting but wrong to think a signature would have saved them.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Authentication closes the man-in-the-middle, and only that. It does not make a weak prime strong, an unvalidated point safe, or a reused ephemeral fresh. Those are three other conditions, each with its own catalog of breaks.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h3&gt;The fix, historically&lt;/h3&gt;
&lt;p&gt;Naming the goal came first. Christoph Guenther&apos;s 1989 identity-based key-exchange work is where the term &lt;em&gt;perfect forward secrecy&lt;/em&gt; is generally said to first appear, attached to the goal that a compromised long-term key should not expose past sessions [@gunther1989]. Diffie, van Oorschot, and Wiener turned it into a concrete protocol in 1992 with &lt;strong&gt;Station-to-Station&lt;/strong&gt;, which authenticates the exchange by having each side &lt;em&gt;sign&lt;/em&gt; the Diffie-Hellman values, and which gave the standard, most-cited formal treatment of the property [@sts1992]. A decade later Hugo Krawczyk distilled the pattern into &lt;strong&gt;SIGMA&lt;/strong&gt;, the &quot;SIGn-and-MAc&quot; template that underlies IKE and, in spirit, the TLS 1.3 handshake; the SIGMA protocols &quot;provide perfect forward secrecy&quot; via a Diffie-Hellman exchange authenticated with &lt;a href=&quot;https://paragmali.com/blog/the-math-held-the-interface-leaked-a-field-guide-to-digital-/&quot; rel=&quot;noopener&quot;&gt;digital signatures&lt;/a&gt; [@sigma2003]. The authenticated-DH family is treated as standard material in the reference texts [@cryptobook], [@hac].&lt;/p&gt;
&lt;p&gt;The coinage is disputed and worth stating carefully: the &lt;em&gt;term&lt;/em&gt; &quot;perfect forward secrecy&quot; traces to Guenther (1989/1990), while Diffie, van Oorschot, and Wiener (1992) gave the standard, most-cited formal treatment via Station-to-Station. Present both and pick neither silently [@gunther1989], [@sts1992].&lt;/p&gt;
&lt;p&gt;Signing the DH values closes the man-in-the-middle. It does nothing for the &lt;em&gt;group&lt;/em&gt; the exchange runs in -- and the original group, the multiplicative integers modulo a prime, turned out to hand the caller two more conditions at once, plus a nation-state-scale way to violate them.&lt;/p&gt;
&lt;h2&gt;5. Generation 1: Finite-Field DH and the Tyranny of the Shared Prime&lt;/h2&gt;
&lt;p&gt;Here is the mechanism underneath Logjam, the small-subgroup CVEs, and those 3072-bit key sizes you have wondered about -- and here is why the original finite-field group hands the caller more traps than any generation since.&lt;/p&gt;
&lt;h3&gt;Finite-field DH, mechanically&lt;/h3&gt;
&lt;p&gt;Pick a large prime $p$, ideally a &lt;strong&gt;safe prime&lt;/strong&gt; of the form $p = 2q + 1$ with $q$ also prime, and a generator $g$ of the large prime-order subgroup. Alice and Bob exchange $g^a \bmod p$ and $g^b \bmod p$ and compute $g^{ab} \bmod p$. The safe-prime shape is not cosmetic: it forces the cofactor down to 2, leaving only the trivial order-two subgroup (the values $1$ and $p-1$). So a small-subgroup attack can pin a key to at most one bit, which is exactly why an implementation must still reject $0$, $1$, and $p-1$ -- a point that becomes concrete below.&lt;/p&gt;

A prime of the form $p = 2q + 1$ where $q$ is also prime. The multiplicative group modulo a safe prime has one large prime-order subgroup of order $q$ and only the trivial order-two subgroup (the values $1$ and $p-1$), a cofactor of 2. That confines any small-subgroup attack to at most one bit, which is why implementations still reject $0$, $1$, and $p-1$.
&lt;h3&gt;The cost that shaped everything&lt;/h3&gt;
&lt;p&gt;Finite-field discrete logs have a &lt;em&gt;sub-exponential&lt;/em&gt; attack. Index calculus, and its modern form the &lt;strong&gt;number field sieve (NFS)&lt;/strong&gt;, runs in heuristic complexity&lt;/p&gt;
&lt;p&gt;$$L_p[1/3,\ (64/9)^{1/3}] = \exp!\left((1.923 + o(1)),(\ln p)^{1/3}(\ln\ln p)^{2/3}\right),$$&lt;/p&gt;
&lt;p&gt;far faster than brute force. The practical consequence: to reach roughly 128-bit security you need a &lt;strong&gt;3072-bit&lt;/strong&gt; prime, an order of magnitude larger than the 256-bit curve that buys the same margin [@sp80057]. That size penalty is the whole reason finite-field DH lost.&lt;/p&gt;

The best known sub-exponential algorithm for factoring and for finite-field discrete logarithms. Its most expensive stage depends only on the modulus (the prime), not on any individual target, which is why a shared prime is a shared weakness.
&lt;h3&gt;Logjam, in full&lt;/h3&gt;
&lt;p&gt;That &quot;depends only on the prime&quot; clause is the entire disaster. The NFS&apos;s expensive first step &quot;is dependent only on this prime,&quot; so if millions of hosts share a handful of 1024-bit primes -- and in 2015 they did -- an adversary precomputes once and then decrypts every connection on that prime cheaply, passively, and indefinitely [@weakdh]. The Logjam researchers estimated that breaking the single most common 1024-bit prime would expose about 18% of the top million HTTPS sites, and a second common prime about 66% of VPNs and 26% of SSH servers [@weakdh]. And there was an &lt;em&gt;active&lt;/em&gt; half: an attacker could downgrade a TLS handshake to 512-bit &lt;code&gt;DHE_EXPORT&lt;/code&gt; parameters, which were breakable in near-real time, with 8.4% of the top million initially vulnerable [@weakdh].&lt;/p&gt;
&lt;p&gt;The paper priced that precomputation directly, and the numbers are the point. Breaking a 512-bit export prime was &lt;em&gt;demonstrated&lt;/em&gt;, not merely estimated: about 89,000 core-hours of work -- &quot;slightly over one week&quot; of wall-clock time spread across a couple of thousand cores -- after which each individual discrete log took a median of 70 seconds [@weakdh]. A 768-bit prime was an academic reach at roughly 36,500 core-years. And a 1024-bit prime was a nation-state one at roughly 45 million core-years of one-time precomputation, a figure the authors judged &quot;not necessarily out of reach for a nation state&quot; [@weakdh]. Every number there is a &lt;em&gt;fixed, per-prime&lt;/em&gt; cost that reading one more connection barely adds to.&lt;/p&gt;

flowchart TD
    P[&quot;One shared 1024-bit prime&quot;] --&amp;gt; NFS[&quot;NFS first step: precompute per prime, about 45M core-years at 1024-bit, done once&quot;]
    NFS --&amp;gt; DB[&quot;Reusable precomputation for that prime&quot;]
    DB --&amp;gt; D[&quot;Per-connection descent: about 70 s at 512-bit&quot;]
    D --&amp;gt; R[&quot;Passively decrypt every session on that prime&quot;]
    P -.-&amp;gt; X[&quot;Active downgrade to 512-bit export group&quot;]
    X --&amp;gt; R
&lt;p&gt;Notice what never happens in that diagram: nobody solves a fresh discrete logarithm. The costly work is done once, against the &lt;em&gt;prime&lt;/em&gt;, and amortized across everyone who shares it.&lt;/p&gt;

Practitioners &quot;believed this was safe as long as new key exchange messages were generated for every connection&quot; -- and were wrong.
&lt;p&gt;They were wrong because a fresh per-connection secret satisfies the &lt;em&gt;freshness&lt;/em&gt; condition while doing nothing about the &lt;em&gt;unshared-group&lt;/em&gt; condition. Both had to hold; only one did [@weakdh].&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; The attacker never computed a fresh discrete logarithm. They precomputed the shared prime once and read everyone on it. The math held; the deployment handed the secret away.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h3&gt;The RSA twin, in one breath&lt;/h3&gt;
&lt;p&gt;Logjam did not travel alone. The same year, and the same relic of 1990s U.S. export-crypto policy, produced its RSA counterpart: &lt;strong&gt;FREAK&lt;/strong&gt;, for &quot;Factoring RSA Export Keys,&quot; publicly disclosed on 3 March 2015 by Karthikeyan Bhargavan and the miTLS team, with the client-side flaw tracked as CVE-2015-0204 [@freak]. A man-in-the-middle downgrades a client to 512-bit export RSA, factors that small modulus cheaply on rented hardware, and reads the session. At disclosure 36.7% of HTTPS servers with browser-trusted certificates still accepted export RSA -- falling to 6.5% as patches landed -- along with 8.5% of the Alexa Top-1M [@freak].&lt;/p&gt;
&lt;p&gt;FREAK downgrades &lt;em&gt;RSA key transport&lt;/em&gt; and is fundamentally an &lt;strong&gt;implementation&lt;/strong&gt; bug, a client-side state-machine slip that accepts a key it never asked for; Logjam downgrades &lt;em&gt;Diffie-Hellman parameters&lt;/em&gt; and is, in the weakdh.org authors&apos; own words, &quot;due to a flaw in the TLS protocol rather than an implementation vulnerability&quot; [@weakdh]. RSA key transport is &lt;a href=&quot;https://paragmali.com/blog/rsa-is-a-trapdoor-not-a-cryptosystem-oaep-pss-and-the-25-yea/&quot; rel=&quot;noopener&quot;&gt;the RSA installment&lt;/a&gt;&apos;s territory, so FREAK stays a mention -- but it is proof that the export-downgrade wound had two matching edges, one for each key-exchange family.&lt;/p&gt;
&lt;p&gt;Two precisions to keep straight. First, Logjam is &lt;em&gt;two&lt;/em&gt; coupled failures, not one: the 512-bit export &lt;em&gt;downgrade&lt;/em&gt; and the shared-prime &lt;em&gt;precomputation&lt;/em&gt;. Second, FREAK is its RSA sibling, not the same attack -- both weaponize leftover 512-bit export keys, but FREAK is an implementation bug in RSA key transport while Logjam is a protocol flaw in Diffie-Hellman parameter negotiation [@weakdh], [@freak].&lt;/p&gt;
&lt;h3&gt;Small-subgroup confinement&lt;/h3&gt;
&lt;p&gt;The safe-prime rule has teeth. If $p$ is &lt;em&gt;not&lt;/em&gt; a safe prime, the group has small subgroups, and an attacker can weaponize them. The attacker sends a carefully chosen element of small order $r$ as its &quot;public key.&quot; The victim raises it to its private exponent $x$, producing an element that depends only on $x \bmod r$, and the attacker -- watching whether the handshake succeeds, or reading the resulting ciphertext -- recovers $x \bmod r$ by trying the $r$ possibilities. Repeat across several small factors and combine with the Chinese Remainder Theorem, and the private exponent falls out.&lt;/p&gt;
&lt;p&gt;This is the &lt;strong&gt;small-subgroup confinement attack&lt;/strong&gt; of Lim and Lee (CRYPTO &apos;97), and it works only when the victim &lt;em&gt;reuses&lt;/em&gt; the private exponent long enough to be probed [@limlee1997], [@twist]. It went live as &lt;strong&gt;CVE-2016-0701&lt;/strong&gt;, where OpenSSL failed to run the subgroup check on X9.42-style (RFC 5114) non-safe-prime parameters while reusing a DH key, letting an attacker &quot;discover a private DH exponent&quot; [@openssl-cve], [@nvd-0701].&lt;/p&gt;

An attack that sends a small-order group element as a public key so that the victim&apos;s response depends only on the private exponent reduced modulo a small number. Repeating across several small factors and applying the Chinese Remainder Theorem recovers a reused private exponent.
&lt;p&gt;{&lt;code&gt;// A NON-safe prime: p is prime but p-1 = 2^3 * 13 * 19 * 53. Insecure sizes. const p = 104729n; const g = 12n;              // a generator of the full multiplicative group function powmod(b, e, m){ let r = 1n; b %= m; while (e &amp;gt; 0n){ if (e &amp;amp; 1n) r = (r*b)%m; b = (b*b)%m; e &amp;gt;&amp;gt;= 1n; } return r; } const x = 8675n;           // Bob&apos;s REUSED private exponent -- the fatal choice const smalls = [13n, 19n, 53n];   // small prime factors of p-1 const residues = []; for (const r of smalls){   const h = powmod(g, (p - 1n) / r, p);   // an element of small order r   const target = powmod(h, x, p);         // the victim returns h^x = h^(x mod r)   let e = 0n;   for (let k = 0n; k &amp;lt; r; k++){ if (powmod(h, k, p) === target){ e = k; break; } }  // tiny search   residues.push([r, e]);   console.log(&apos;recovered x mod &apos; + r + &apos; = &apos; + e); } // Combine the residues with the Chinese Remainder Theorem: let Mtot = 1n; for (const r of smalls) Mtot *= r; let X = 0n; for (const [r, e] of residues){   const Mi = Mtot / r; let inv = 1n;   for (let k = 1n; k &amp;lt; r; k++){ if ((Mi * k) % r === 1n){ inv = k; break; } }   X = (X + e * Mi * inv) % Mtot; } console.log(&apos;reconstructed private exponent x = &apos; + X + &apos;  (true value &apos; + x + &apos;)&apos;);&lt;/code&gt;}&lt;/p&gt;
&lt;p&gt;Keep this attack distinct from the one in the next section. This is small-subgroup confinement: &lt;em&gt;one&lt;/em&gt; group, a &lt;em&gt;low-order element&lt;/em&gt;, Lim-Lee 1997, on finite fields. The invalid-curve attack of Section 6 uses &lt;em&gt;many&lt;/em&gt; curves and an &lt;em&gt;off-curve point&lt;/em&gt;, Biehl-Meyer-Mueller 2000, on elliptic curves. They are routinely conflated and they are not the same [@twist].&lt;/p&gt;
&lt;h3&gt;The fix: take &quot;which prime&quot; away from the caller&lt;/h3&gt;
&lt;p&gt;The response was to stop letting callers choose primes. RFC 7919 defines a fixed menu of named FFDHE groups (&lt;code&gt;ffdhe2048&lt;/code&gt; through &lt;code&gt;ffdhe8192&lt;/code&gt;), every one a safe prime, so a custom, shared, weak, or backdoored modulus is simply not expressible on the wire [@rfc7919]. That is condition #2 pulled inside a &lt;em&gt;named group&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;Why take the choice away so completely? Because a caller-chosen modulus can fail in a way no inspection reveals. In early 2016 the &lt;strong&gt;socat&lt;/strong&gt; networking tool was found to have shipped a hard-coded 1024-bit Diffie-Hellman &lt;code&gt;p&lt;/code&gt; parameter that &lt;em&gt;was not prime&lt;/em&gt; at all, making a key exchange weaker than one over a genuine prime [@socat-secadv7]. The advisory (MSVR-1499) is worth quoting for its candor: because &quot;there is no indication of how these parameters were chosen, the existence of a trapdoor ... cannot be ruled out&quot; [@socat-secadv7].&lt;/p&gt;
&lt;p&gt;The repair generated a fresh 2048-bit prime with OpenSSL&apos;s &lt;code&gt;dhparam&lt;/code&gt;, and the flaw was reported by Santiago Zanella-Beguelin -- a Logjam co-author -- together with Microsoft Vulnerability Research [@socat-secadv7]. A bring-your-own modulus can be weak &lt;em&gt;or&lt;/em&gt; backdoored, and you cannot tell which by looking at it. That single degree of freedom is exactly what named safe-prime groups take away.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Do not generate or ship a custom finite-field DH prime, and never one below 2048 bits. A custom modulus can be weak or even backdoored and you cannot tell by looking -- in 2016 socat shipped a 1024-bit &quot;prime&quot; that was not prime at all. Use a named safe-prime group (&lt;code&gt;ffdhe3072&lt;/code&gt; or larger), or, better for most new work, move to a curve.&lt;/p&gt;
&lt;/blockquote&gt;

The number field sieve has an expensive precomputation stage whose cost &quot;is dependent only on this prime,&quot; followed by a cheap per-target descent [@weakdh]. So the marginal cost of reading one more connection on a broken prime is tiny; the fixed cost is paid once. When a handful of 1024-bit primes cover a large fraction of the internet, that fixed cost buys mass surveillance: the single most common prime makes roughly 18% of top HTTPS sites readable, and a second prime roughly 66% of VPNs [@weakdh].&lt;p&gt;The Logjam paper put a concrete price on the 1024-bit precomputation, and it lands squarely in nation-state territory. Roughly 45 million core-years of one-time work is &quot;a huge computational effort,&quot; the authors wrote, but &quot;not necessarily out of reach for a nation state&quot;: about $8 million of custom ASIC hardware would buy enough capacity to finish the sieving stage in a year, and the linear-algebra hardware was estimated &quot;plausibly on the order of hundreds of millions of dollars&quot; -- on general-purpose machines, the Titan supercomputer&apos;s cores would need 117 years for that stage alone [@weakdh].&lt;/p&gt;
&lt;p&gt;Set that against the roughly $10.5 billion the paper cites for the NSA&apos;s 2012 consolidated cryptologic-program budget, and the arithmetic is uncomfortable [@weakdh]. As a public, &lt;em&gt;measured&lt;/em&gt; front-door datapoint for the same algorithm one size down, the RSA-250 factoring record fell to the number field sieve in February 2020 at a cost of about 2,700 core-years, so the 1024-bit discrete-log estimate extrapolates a demonstrated technique rather than a hypothetical one [@rsa250].
&lt;/p&gt;&lt;p&gt;&lt;/p&gt;
&lt;p&gt;Two conditions leaked at once here: the group was neither strong-per-bit nor unshared, and a reused key turned the exchange into an oracle. The obvious escape is a group where the discrete log is &lt;em&gt;harder per bit&lt;/em&gt; and there is no cheap shared-prime precomputation. That group is an elliptic curve -- and it introduced a sharper oracle of its own.&lt;/p&gt;
&lt;h2&gt;6. Generation 2: Elliptic-Curve DH, and the New Oracle&lt;/h2&gt;
&lt;p&gt;Move the &lt;em&gt;same&lt;/em&gt; Diffie-Hellman protocol onto an elliptic curve and the number field sieve vanishes. A 256-bit key now buys what a 3072-bit prime bought. But the smaller, structure-free group sharpened one of the four conditions into a live, key-recovering oracle.&lt;/p&gt;
&lt;h3&gt;ECDH, mechanically&lt;/h3&gt;
&lt;p&gt;The curve internals belong to &lt;a href=&quot;https://paragmali.com/blog/the-curve-was-hard-the-gap-was-soft-a-field-guide-to-using-e/&quot; rel=&quot;noopener&quot;&gt;the elliptic-curves installment of this series&lt;/a&gt;; here we only need the shape. Replace &quot;exponentiate $g$&quot; with &quot;scalar-multiply the base point $G$&quot;: a private key is a scalar $d$, the public key is the point $Q = dG$, and the shared secret is the point $d_A d_B G$, from which both sides take the x-coordinate [@sp80056a]. The payoff is in the attack cost. On a strong curve the best known attack is the &lt;em&gt;generic&lt;/em&gt; Pollard rho algorithm, running in about $\sqrt{n}$ steps with no sub-exponential index calculus available, so a 256-bit curve delivers roughly 128-bit security -- concretely, rho against P-256 costs about $2^{127.8}$ operations [@rho]. Victor Miller and Neal Koblitz independently proposed elliptic-curve cryptography in the mid-1980s for exactly this reason [@miller1985], [@koblitz1987].&lt;/p&gt;
&lt;h3&gt;The new failure class&lt;/h3&gt;
&lt;p&gt;The smaller group came with a sharper edge. The peer&apos;s point is attacker-controlled, and the standard scalar-multiplication formulas &quot;do not involve the constant coefficient $b$&quot; of the curve equation [@twist]. So if an attacker submits a point that satisfies everything &lt;em&gt;except&lt;/em&gt; lying on the intended curve, the victim&apos;s arithmetic processes it without complaint -- effectively doing the computation on a &lt;em&gt;different, weaker&lt;/em&gt; curve whose group has small subgroups. Scalar-multiplying such a point by a &lt;em&gt;reused&lt;/em&gt; private key turns the operation into a key-extraction oracle, one small residue at a time, combined with the Chinese Remainder Theorem across many curves. This is the &lt;strong&gt;invalid-curve attack&lt;/strong&gt; of Biehl, Meyer, and Mueller (CRYPTO 2000) [@bmm2000], [@twist]. Jager, Schwenk, and Somorovsky made it practical against real TLS servers doing static or reused ECDH at ESORICS 2015, recovering the server&apos;s private key [@jss2015].&lt;/p&gt;

An attack that submits a point lying on a different, weaker curve than the intended one. Because scalar-multiplication formulas ignore the curve&apos;s constant term, the victim computes on the wrong curve and, if it reuses its private key, leaks that key one small residue at a time.

flowchart TD
    A[&quot;Attacker sends a point not on the intended curve&quot;] --&amp;gt; B[&quot;Scalar multiply ignores the curve constant b&quot;]
    B --&amp;gt; C[&quot;Computation lands in a weak subgroup of another curve&quot;]
    C --&amp;gt; D[&quot;Reused key leaks d modulo a small order&quot;]
    D --&amp;gt; E[&quot;Repeat across many curves, then CRT to the full key d&quot;]
&lt;p&gt;This is the place readers most often blur two attacks, so once more, at the point of maximum confusion: Lim-Lee small-subgroup confinement (Section 5) is finite-field, one group, a low-order element; Biehl-Meyer-Mueller invalid-curve (here) is elliptic-curve, many curves, an off-curve point. And the practical TLS demonstration is Jager-Schwenk-Somorovsky&apos;s ESORICS 2015 paper, which is distinct from the same authors&apos; separate USENIX 2015 work [@twist], [@jss2015].&lt;/p&gt;
&lt;h3&gt;The lesson, made mandatory&lt;/h3&gt;
&lt;p&gt;For classic cofactor ECDH the caller &lt;em&gt;must&lt;/em&gt; validate every incoming point: it has to lie on the intended curve &lt;em&gt;and&lt;/em&gt; in the correct prime-order subgroup. NIST SP 800-56A codifies this as full or partial public-key validation [@sp80056a]. It is an explicit, easy-to-forget check the smaller group pushed back onto the implementer -- exactly the caller-facing condition this article tracks.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Reject any peer point that is not on the curve and not in the prime-order subgroup, every time. Miss the check once, on a server that reuses its key, and you have built a private-key-recovery oracle.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;A related but separate ECC failure is worth one pointer so you do not file it under the wrong heading: Curveball (CVE-2020-0601) was a certificate-&lt;em&gt;validation&lt;/em&gt; bug in Windows CryptoAPI, not an ECDH key-agreement break [@nvd-0601]. Same family of &quot;validate the parameter you were handed,&quot; different layer.&lt;/p&gt;
&lt;p&gt;So ECDH shrank the key but still demanded a hand-written on-curve check and constant-time code that an implementer could botch. The next move makes both of those &lt;em&gt;unnecessary by construction&lt;/em&gt; -- a curve where every 32-byte string is a valid input and the arithmetic is constant-time by design.&lt;/p&gt;
&lt;h2&gt;7. Generation 3: X25519, or &quot;Make the Simple Implementation the Safe One&quot;&lt;/h2&gt;
&lt;p&gt;Everything classic ECDH asked the caller to remember -- validate the point, write the arithmetic in constant time -- one curve was designed to make impossible to get wrong. That is the whole point of X25519.&lt;/p&gt;
&lt;h3&gt;What X25519 is&lt;/h3&gt;
&lt;p&gt;X25519 is the Diffie-Hellman function over Curve25519, a Montgomery curve over the prime field $p = 2^{255} - 19$, computing &lt;strong&gt;x-coordinate-only&lt;/strong&gt; DH with a uniform &lt;strong&gt;Montgomery ladder&lt;/strong&gt;. Daniel Bernstein introduced it in 2006, and it was standardized as RFC 7748 in 2016 [@ecdh], [@rfc7748]. Two design decisions are the entire construction, and each one pulls a caller-facing condition inside the primitive.&lt;/p&gt;

A scalar-multiplication algorithm that processes the secret scalar in a fixed sequence of steps, performing the same field operations at every bit regardless of the secret&apos;s value. It computes only the x-coordinate of the result and has no secret-dependent branches.
&lt;h3&gt;Constant-time by construction&lt;/h3&gt;
&lt;p&gt;The ladder is a fixed sequence of roughly 255 iterations, each doing the same field operations no matter what the secret bits are: no secret-dependent branch, no secret-indexed table lookup [@rfc7748]. The timing side channel that a hand-written P-256 ladder can leak simply has no place to live. The primitive absorbed the constant-time requirement so the implementer cannot forget it.&lt;/p&gt;
&lt;h3&gt;Twist-security&lt;/h3&gt;
&lt;p&gt;The second decision is subtler and more beautiful. Curve25519 and its quadratic twist &lt;em&gt;both&lt;/em&gt; have near-prime order, so an attacker who submits an off-curve x-coordinate does not land in a weak subgroup -- it lands in &lt;em&gt;another&lt;/em&gt; strong group where there is nothing to confine a key into. The invalid-curve attack of Section 6 finds no purchase, and it needs no explicit on-curve check to stop it. That is why &quot;the Curve25519 function was carefully designed to allow all 32-byte strings as Diffie-Hellman public keys,&quot; and why Bernstein&apos;s guidance on validating public keys is, bluntly, &quot;Don&apos;t&quot; [@ecdh], [@twist].&lt;/p&gt;

A property of a curve whose quadratic twist also has near-prime order. An attacker who supplies an off-curve x-coordinate is forced into another strong group instead of a weak subgroup, so invalid-curve attacks fail without any explicit point validation.

flowchart TD
    In[&quot;Any 32-byte peer value, trusted or hostile&quot;] --&amp;gt; L[&quot;Montgomery ladder: same steps for every secret bit&quot;]
    L --&amp;gt; Tw[&quot;An off-curve input lands on the twist, another strong group&quot;]
    Tw --&amp;gt; Out[&quot;No weak subgroup to confine a key: validation is structural&quot;]
    L --&amp;gt; Ct[&quot;No secret-dependent branch or lookup: the timing channel is closed&quot;]
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; X25519 is not merely a faster curve. It takes two conditions that classic ECDH left on the implementer -- validate the input, run in constant time -- and makes them structural properties of the primitive. The safety is by construction, not by discipline. That is the shape of the entire history in miniature.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h3&gt;The two rules that trip people up&lt;/h3&gt;
&lt;p&gt;Two details cause most X25519 confusion.&lt;/p&gt;
&lt;p&gt;First, &lt;strong&gt;clamping&lt;/strong&gt;. Before use, the secret scalar is masked with &lt;code&gt;k[0] &amp;amp;= 248; k[31] &amp;amp;= 127; k[31] |= 64&lt;/code&gt; [@rfc7748]. Clamping constrains &lt;em&gt;your own&lt;/em&gt; scalar so your side avoids cofactor and small-order pitfalls. It is emphatically &lt;strong&gt;not&lt;/strong&gt; input validation, and it does nothing to a malicious peer value. X25519 is safe against hostile inputs because of &lt;em&gt;twist security&lt;/em&gt;, not because of clamping.&lt;/p&gt;

The bit-masking applied to an X25519 secret scalar before use, which fixes certain high and low bits. It shapes your own scalar to sidestep cofactor issues, and it performs no check whatsoever on the peer&apos;s public value.
&lt;p&gt;Second, the &lt;strong&gt;cofactor-8 all-zero check&lt;/strong&gt;. Curve25519 has cofactor 8, so a low-order peer input can drive the shared output to the all-zero value. RFC 7748 says implementations &quot;MAY check ... whether the resulting shared secret is the all-zero value and abort if so&quot; -- a MAY, tied to the nuance of contributory behavior, not a MUST [@rfc7748]. Most protocols do not need it because they mix identities and transcripts into the KDF anyway.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Clamping constrains your own scalar; it says nothing about the peer&apos;s value. If you find yourself reasoning that clamping makes an incoming point safe, stop -- the safety comes from twist security. Treat clamping and validation as different jobs.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;A precision that catches even careful readers: X25519 and its larger sibling X448 are the &lt;em&gt;Montgomery, x-coordinate-only&lt;/em&gt; variant of elliptic-curve DH, not the SP 800-56A cofactor ECDH of Section 6, even though &quot;ECDH&quot; is the umbrella term for both. X448 targets a more conservative security level near 224 bits and is defined in the same RFC 7748 [@rfc7748].&lt;/p&gt;
&lt;p&gt;Even here the KDF discipline is stated in the primitive&apos;s own voice: &quot;Both of you can then hash this shared secret and use the result as a key,&quot; never the raw x-coordinate [@ecdh].&lt;/p&gt;
&lt;p&gt;X25519 makes the &lt;em&gt;primitive&lt;/em&gt; misuse-resistant: validated by construction, constant-time by design. It says nothing about the other two conditions -- freshness and authentication -- which remain the protocol&apos;s to enforce. And the first of those, freshness, is the exact hinge on which the property everyone wants from Diffie-Hellman either holds or silently evaporates.&lt;/p&gt;
&lt;h2&gt;8. The Breakthrough: Ephemeral Exchange and (Imperfect) Forward Secrecy&lt;/h2&gt;
&lt;p&gt;This is the property that makes people say &quot;use DHE, not static,&quot; and the one most often stated as if it were automatic. It is not. It is a conjunction, and the failure catalog is its list of unmet conjuncts.&lt;/p&gt;
&lt;h3&gt;Forward secrecy, stated conditionally&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;If&lt;/strong&gt; the Diffie-Hellman secret is freshly generated per session, never reused, destroyed after use, and run over a strong unshared group, &lt;strong&gt;then&lt;/strong&gt; later compromise of the long-term authentication key cannot recover past session keys -- because the ephemeral secret those keys were derived from no longer exists. The long-term key&apos;s only job is to &lt;em&gt;authenticate&lt;/em&gt; the exchange; the session&apos;s confidentiality dies with the ephemeral. Every word of that conditional is load-bearing. Drop &quot;never reused&quot; and you get a static key in disguise; drop &quot;strong unshared group&quot; and Logjam reads you anyway.&lt;/p&gt;

The guarantee that compromising a long-term key does not expose past session keys. It holds only when the per-session ephemeral secret was freshly generated, never reused, destroyed after use, and run over a strong, unshared group. It is a conjunction of those conditions, not an automatic consequence of using DH.

An ephemeral DH key is generated fresh for a single session and discarded immediately after. A static key is long-lived and reused across sessions, providing no forward secrecy. A cached or reused &quot;ephemeral&quot; is, for security purposes, a static key.

flowchart TD
    E[&quot;Fresh ephemeral secret, used then destroyed&quot;] --&amp;gt; H[&quot;Handshake, DH values signed by the long-term key&quot;]
    LT[&quot;Long-term key authenticates only&quot;] --&amp;gt; H
    H --&amp;gt; K[&quot;Session key derived from the ephemeral&quot;]
    K --&amp;gt; D[&quot;Ephemeral destroyed when the session ends&quot;]
    C[&quot;Attacker later steals the long-term key&quot;] --&amp;gt; P[&quot;Past sessions stay secret: the ephemeral is gone&quot;]
    ST[&quot;Static DH: one reused key does everything&quot;] --&amp;gt; O[&quot;Its compromise opens every past session at once&quot;]
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Mode&lt;/th&gt;
&lt;th&gt;Fresh per session?&lt;/th&gt;
&lt;th&gt;Forward secrecy&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Static DH&lt;/td&gt;
&lt;td&gt;No -- one long-lived key&lt;/td&gt;
&lt;td&gt;None; a single key compromise opens all past sessions&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Reused or cached &quot;ephemeral&quot;&lt;/td&gt;
&lt;td&gt;No -- shared across sessions&lt;/td&gt;
&lt;td&gt;Collapses for every session that shares it; also enables Raccoon&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;True ephemeral&lt;/td&gt;
&lt;td&gt;Yes -- destroyed after use&lt;/td&gt;
&lt;td&gt;Yes, conditional on a strong unshared group&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;h3&gt;The honest other half: how the property fails&lt;/h3&gt;
&lt;p&gt;The conditional fails in three documented ways, and each is a row in the catalog.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Ephemeral-key reuse or caching.&lt;/strong&gt; Sold as a performance optimization, reusing an ephemeral turns it into a static key and collapses forward secrecy for every session that shares it. Worse, reuse is the precondition for &lt;strong&gt;Raccoon&lt;/strong&gt; (CVE-2020-1968): in TLS 1.2 and earlier, the premaster secret had its leading zero bytes stripped before the key derivation step, so the exact timing of the KDF leaked the most significant bits of the shared secret, recoverable as an instance of the Hidden Number Problem -- but &lt;em&gt;only&lt;/em&gt; when the server reused its DH key long enough to gather timing samples [@raccoon].&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Shared-prime precomputation.&lt;/strong&gt; This is Logjam again, from the other direction: even a genuinely fresh per-connection ephemeral does not save you if the &lt;em&gt;prime&lt;/em&gt; is shared and precomputed [@weakdh]. It is the reason the paper is titled &lt;em&gt;Imperfect Forward Secrecy&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Static DH.&lt;/strong&gt; No ephemeral at all, so no forward secrecy at all -- the baseline failure that TLS 1.3 later abolished [@rfc8446].&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Caching or reusing a DH &quot;ephemeral&quot; collapses forward secrecy for every session that shares it, and reuse is exactly the condition Raccoon needs to mount its timing oracle. If it is not fresh and destroyed, it is not ephemeral.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The Raccoon authors are blunt about the root condition: reusing a DH key &quot;was already considered bad practice before the attack, as it does not provide forward secrecy&quot; [@raccoon]. The timing oracle was a second penalty on top of the forward-secrecy loss.&lt;/p&gt;
&lt;h3&gt;The discipline beneath it all&lt;/h3&gt;
&lt;p&gt;Why must the raw shared value always be hashed? Because a Diffie-Hellman value &quot;is NOT a uniformly random or pseudorandom string&quot; -- it is a structured group element with detectable bias -- so it must be run through an extract-and-expand KDF before it becomes key material [@rfc5869]. This is the formal echo of the CDH-versus-DDH gap from Section 2, now stated as a standards requirement.&lt;/p&gt;

A Diffie-Hellman value &quot;is NOT a uniformly random or pseudorandom string.&quot; -- RFC 5869, Section 3.3

It is easy to over-claim what forward secrecy buys. It bounds the reach of a *future* compromise: an attacker who steals your long-term key tomorrow cannot decrypt the sessions you completed and destroyed today.&lt;p&gt;It does nothing about the present. An attacker who owns your endpoint &lt;em&gt;during&lt;/em&gt; a live session, or who grabs the ephemeral before you delete it, reads that session in full. Nor does it provide &lt;em&gt;post-compromise&lt;/em&gt; security -- the guarantee that sessions &lt;em&gt;after&lt;/em&gt; a compromise heal once the attacker loses access. That healing is a different property, achieved by ratcheting constructions such as the one in the Signal protocol, and it is out of scope for a single DH exchange. Forward secrecy is a statement about deleted secrets, and only about the past.
&lt;/p&gt;&lt;p&gt;&lt;/p&gt;
&lt;p&gt;Freshness, a strong group, validated inputs, authentication, and a KDF -- five things, and the caller was trusted to remember all of them. The last move in this story stops trusting the caller: it bakes the conditions into named objects and a protocol that refuses to run without them.&lt;/p&gt;
&lt;h2&gt;9. State of the Art (2024-2026): X25519 Everywhere, and the Quantum Clock&lt;/h2&gt;
&lt;p&gt;Here is what a practitioner actually deploys today -- and the single overlay that reframes all of it: every discrete-log DH in this article has an expiration date, and a well-funded adversary can start the clock by simply recording your traffic now.&lt;/p&gt;
&lt;h3&gt;The deployed reality&lt;/h3&gt;
&lt;p&gt;X25519 is the dominant key agreement across TLS 1.3, OpenSSH, WireGuard, and Signal, and the word &quot;dominant&quot; now rests on measured deployment rather than defaults alone. Cloudflare, which terminates a large fraction of the world&apos;s HTTPS and can therefore see it, reports that X25519 &quot;now secures the vast majority of all Internet connections&quot; [@cloudflare-pq]; OpenSSH has shipped Curve25519 key exchange as &quot;the default when both the client and server support it&quot; since version 6.5, back in 2014 [@openssh65], [@ecdh]; and WireGuard and Signal are built on the same primitive [@wireguard], [@pqxdh]. Finite-field DH survives mainly as deprecated-but-present legacy in older TLS and IPsec [@weakdh], [@rfc8446].&lt;/p&gt;
&lt;p&gt;TLS 1.3 turned this whole article&apos;s argument into a requirement: RFC 8446 removed static RSA and static Diffie-Hellman key transport, requires ephemeral (EC)DHE, and restricts negotiation to named groups. The specification states the result directly: &quot;Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms now provide forward secrecy&quot; [@rfc8446]. That is conditions #1, #2, and #4 -- freshness, a vetted group, and authentication -- pulled inside the &lt;em&gt;protocol&lt;/em&gt; as non-optional. The fifty-year move is complete: the four conditions now live in the primitive, the named group, and the protocol, not in the caller&apos;s memory.&lt;/p&gt;
&lt;h3&gt;The quantum overlay&lt;/h3&gt;
&lt;p&gt;There is one problem no key size solves. All discrete-log Diffie-Hellman, finite-field and elliptic-curve alike, falls in polynomial time to Shor&apos;s algorithm on a sufficiently large quantum computer, and &quot;harvest-now, decrypt-later&quot; means an adversary can record your ECDH traffic today and decrypt it once such a machine exists [@rfc9794]. So the field is &lt;em&gt;wrapping&lt;/em&gt; ECDH rather than replacing it.&lt;/p&gt;

An attack strategy in which an adversary records encrypted traffic today and stores it, intending to decrypt it later once a cryptographically relevant quantum computer exists. It makes today&apos;s ECDH confidentiality a future liability.
&lt;p&gt;The wrapper is &lt;strong&gt;X25519MLKEM768&lt;/strong&gt;: it runs an X25519 exchange and an &lt;a href=&quot;https://paragmali.com/blog/the-thirty-year-migration-ships-in-a-pip-install-how-post-qu/&quot; rel=&quot;noopener&quot;&gt;ML-KEM-768&lt;/a&gt; key encapsulation in parallel and feeds &lt;em&gt;both&lt;/em&gt; shared secrets into the KDF, so the session stays secure as long as &lt;em&gt;either&lt;/em&gt; problem remains hard [@ecdhe-mlkem], [@fips203]. Concretely, the client key share is 1216 bytes (1184 for ML-KEM plus 32 for X25519), the server share is 1120 bytes, the negotiated combined secret is 64 bytes, and the TLS codepoint is &lt;code&gt;0x11EC&lt;/code&gt; [@ecdhe-mlkem].&lt;/p&gt;

A public-key primitive in which a sender encapsulates a fresh random key to a recipient&apos;s public key, producing a ciphertext the recipient decapsulates. Unlike Diffie-Hellman, a KEM is inherently interactive and has no non-interactive agreement between two static public keys.
&lt;p&gt;The transition was fast. &lt;strong&gt;OpenSSH 9.9&lt;/strong&gt;, released on 2024-09-19, enabled &lt;code&gt;mlkem768x25519-sha256&lt;/code&gt; by default [@openssh99]. &lt;strong&gt;OpenSSL 3.5&lt;/strong&gt;, a long-term-support release from April 2025, ships a DEFAULT TLS group list that &quot;selects X25519MLKEM768 as one of the predicted keyshares&quot; [@openssl35-release], [@openssl-groups]. Chrome and Cloudflare deployed post-quantum key agreement across their edges [@cloudflare-pq].&lt;/p&gt;

The classical primitives do not vanish. FFDHE and P-256 persist wherever FIPS validation or vendor interop compels them, and FIPS-flavored hybrids such as `SecP256r1MLKEM768` exist for exactly that constraint [@sp80056a]. There is also a plumbing wrinkle: the roughly 1.2 KB hybrid ClientHello may no longer fit in a single TCP segment, which OpenSSL&apos;s documentation calls out along with guidance on ordering group tuples to avoid a silent downgrade [@openssl-groups].
&lt;h3&gt;Two precisions that keep the story honest&lt;/h3&gt;
&lt;p&gt;First, a KEM is &lt;strong&gt;not&lt;/strong&gt; a drop-in Diffie-Hellman. It has no non-interactive static-static agreement, so &lt;code&gt;X25519MLKEM768&lt;/code&gt; is a &lt;em&gt;hybrid KEM handshake&lt;/em&gt;, not &quot;post-quantum Diffie-Hellman.&quot; Second, in messaging, Signal&apos;s &lt;strong&gt;PQXDH&lt;/strong&gt; (2023) is the analog: it adds an ML-KEM encapsulation to the older X3DH design but &quot;still relies on the hardness of the discrete log problem for mutual authentication in this revision,&quot; so X25519 is retained, not retired [@pqxdh], [@x3dh]. Signal described it as &quot;an upgrade to the X3DH specification which we are calling PQXDH&quot; [@pqxdh-blog].&lt;/p&gt;
&lt;p&gt;State the adoption figure carefully. Cloudflare measured post-quantum key agreement at nearly 2% of TLS 1.3 connections in early 2024, with double-digit adoption &lt;em&gt;projected&lt;/em&gt; by year-end rather than measured -- so &quot;roughly 2% in early 2024, rising&quot; is the defensible phrasing without a newer source [@cloudflare-pq].&lt;/p&gt;
&lt;p&gt;X25519 is the default, TLS 1.3 made the discipline mandatory, and the hybrid buys time against Shor. So which primitive, with which parameters, in which case? That is a decision matrix -- and it is not a single winner.&lt;/p&gt;
&lt;h2&gt;10. Competing Approaches: The Decision Matrix and the AKE Families&lt;/h2&gt;
&lt;p&gt;There is no single best key-agreement primitive. The state of the art is a small set of deployed constructions, each dominant in a niche, wrapped by a small set of authentication families. The honest answer is &quot;it depends.&quot;&lt;/p&gt;
&lt;h3&gt;The primitive decision matrix&lt;/h3&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Primitive&lt;/th&gt;
&lt;th&gt;Best classical attack&lt;/th&gt;
&lt;th&gt;Classical security&lt;/th&gt;
&lt;th&gt;Post-quantum&lt;/th&gt;
&lt;th&gt;Public value size&lt;/th&gt;
&lt;th&gt;Peer-input validation&lt;/th&gt;
&lt;th&gt;Best suited for&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;FFDHE-3072&lt;/td&gt;
&lt;td&gt;Sub-exponential NFS&lt;/td&gt;
&lt;td&gt;about 128-bit&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;about 384 bytes&lt;/td&gt;
&lt;td&gt;Subgroup check on a safe prime&lt;/td&gt;
&lt;td&gt;Legacy FIPS or interop only&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ECDH P-256&lt;/td&gt;
&lt;td&gt;Generic rho, about $2^{127.8}$&lt;/td&gt;
&lt;td&gt;about 128-bit&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;65 bytes&lt;/td&gt;
&lt;td&gt;Hand-written on-curve and subgroup MUST&lt;/td&gt;
&lt;td&gt;FIPS, HSM, existing deployments&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;X25519&lt;/td&gt;
&lt;td&gt;Generic rho, about $2^{125.8}$&lt;/td&gt;
&lt;td&gt;about 128-bit&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;32 bytes&lt;/td&gt;
&lt;td&gt;Structural, via twist security&lt;/td&gt;
&lt;td&gt;New classical designs&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;X25519MLKEM768&lt;/td&gt;
&lt;td&gt;Generic rho plus lattice attacks on ML-KEM&lt;/td&gt;
&lt;td&gt;about 128-bit and post-quantum&lt;/td&gt;
&lt;td&gt;Yes, if either half holds&lt;/td&gt;
&lt;td&gt;about 1.2 KB (client share)&lt;/td&gt;
&lt;td&gt;X25519 structural plus KEM ciphertext check&lt;/td&gt;
&lt;td&gt;The post-quantum default going forward&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Two rows carry the weight. &quot;Best classical attack&quot; separates FFDHE&apos;s sub-exponential tax from the curves&apos; generic-only attack, which is why a curve needs a quarter of the bits [@rho], [@sp80057]. &quot;Peer-input validation&quot; separates a hand-written MUST for P-256 and a subgroup check for FFDHE from the structurally-unnecessary case of X25519 [@sp80056a], [@rfc7748]. The head-to-head rules fall out cleanly: &lt;strong&gt;X25519 for new designs; ECDHE with P-256 or FFDHE at 3072 bits and up only where FIPS or interop compels it; and ephemeral, always, for forward secrecy.&lt;/strong&gt;&lt;/p&gt;
&lt;h3&gt;The authentication families&lt;/h3&gt;
&lt;p&gt;A primitive is only half a deployment; something must authenticate the exchange. Four families cover essentially all real usage.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Family&lt;/th&gt;
&lt;th&gt;How DH is authenticated&lt;/th&gt;
&lt;th&gt;Deployed in&lt;/th&gt;
&lt;th&gt;Trade-off&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Signed-DH&lt;/td&gt;
&lt;td&gt;Each side signs the transcript or the DH values&lt;/td&gt;
&lt;td&gt;TLS 1.3, IKEv2, STS and SIGMA&lt;/td&gt;
&lt;td&gt;Simple and well understood; needs a PKI or pinned keys&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Implicitly-authenticated DH&lt;/td&gt;
&lt;td&gt;Long-term and ephemeral keys combine inside the shared-secret formula&lt;/td&gt;
&lt;td&gt;MQV and HMQV, parts of IKE&lt;/td&gt;
&lt;td&gt;Compact, no signatures; subtle to get exactly right&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;DH-pattern frameworks&lt;/td&gt;
&lt;td&gt;Compose several static and ephemeral DH operations&lt;/td&gt;
&lt;td&gt;Noise, WireGuard&apos;s Noise_IK&lt;/td&gt;
&lt;td&gt;Mutual auth plus identity hiding plus KCI resistance&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Asynchronous AKE&lt;/td&gt;
&lt;td&gt;Prekeys let a recipient be offline&lt;/td&gt;
&lt;td&gt;Signal&apos;s X3DH and PQXDH&lt;/td&gt;
&lt;td&gt;Deniable and offline-friendly; more moving parts&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Signed-DH dominates the open web through TLS 1.3, whose handshake is SIGMA in spirit [@rfc8446], [@sigma2003]. WireGuard composes several X25519 operations in the Noise_IK pattern to get mutual authentication, forward secrecy, key-compromise-impersonation resistance, and identity hiding at once [@wireguard]. Signal&apos;s X3DH and its post-quantum successor PQXDH deliver asynchronous, deniable key agreement to an offline recipient [@x3dh], [@pqxdh].&lt;/p&gt;
&lt;h3&gt;The composition hazard&lt;/h3&gt;
&lt;p&gt;One more lesson hides in those families, and it is easy to miss: sub-protocols each proven secure &lt;em&gt;in isolation&lt;/em&gt; can still compose into an insecure whole. The &lt;strong&gt;Triple Handshake attack&lt;/strong&gt; (Bhargavan, Delignat-Lavaud, Fournet, Pironti, and Strub, IEEE Symposium on Security and Privacy 2014) chained a TLS key exchange with session resumption and renegotiation so that two distinct connections could be driven to share the same master secret, which broke client authentication and defeated the countermeasures of the day [@triple-handshake].&lt;/p&gt;
&lt;p&gt;Paired with &lt;strong&gt;key-compromise impersonation&lt;/strong&gt; -- where stealing your long-term key lets an attacker impersonate &lt;em&gt;others&lt;/em&gt; to you -- it is the standing reminder that a secure handshake is not simply the sum of secure steps. It is also the concrete reason TLS 1.3 binds the entire transcript: the &lt;code&gt;Finished&lt;/code&gt; MAC covers the whole handshake, so two runs that differ anywhere cannot be coerced into agreeing [@rfc8446].&lt;/p&gt;
&lt;p&gt;The Triple Handshake attack (2014) and key-compromise impersonation are adjacent AKE-composition pitfalls, not breaks of the signed-DH template itself. They are why TLS 1.3 authenticates the full handshake transcript rather than individual messages [@triple-handshake].&lt;/p&gt;
&lt;h3&gt;Signposts, not sections&lt;/h3&gt;
&lt;p&gt;Several approaches deserve a pointer rather than a treatment. &lt;strong&gt;MQV and HMQV&lt;/strong&gt; are the implicitly-authenticated DH family, with narrow deployment in some IKE and Suite B profiles [@sp80056a]. &lt;strong&gt;DH-based PAKEs and OPRFs&lt;/strong&gt; -- CPace, OPAQUE, SPAKE2 -- use Diffie-Hellman for password-authenticated and oblivious key agreement and are the subject of &lt;a href=&quot;https://paragmali.com/blog/the-doorway-into-the-group-a-field-guide-to-hashing-a-string/&quot; rel=&quot;noopener&quot;&gt;the hash-to-curve and PAKE installment of this series&lt;/a&gt;. &lt;strong&gt;CSIDH&lt;/strong&gt; is the isogeny-based candidate for a genuinely post-quantum Diffie-Hellman analog, and its cautionary neighbor &lt;strong&gt;SIDH/SIKE&lt;/strong&gt; was broken outright in 2022 [@sike-break]. &lt;strong&gt;ElGamal&lt;/strong&gt; is DH&apos;s public-key encryption cousin, not a key-agreement scheme. And &lt;strong&gt;X448&lt;/strong&gt; is the conservative higher-security sibling of X25519. Each is one sentence here by design.&lt;/p&gt;
&lt;p&gt;Every row of those tables assumes the underlying hardness holds. That assumption has a precise shape on each track -- and one hard ceiling above both.&lt;/p&gt;
&lt;h2&gt;11. Theoretical Limits: Where the Hardness Lives, and Its Ceiling&lt;/h2&gt;
&lt;p&gt;Here is what a first course skips: the two Diffie-Hellman tracks do not have the &lt;em&gt;same kind&lt;/em&gt; of hardness, the raw shared secret is provably not a good key, and every scheme in this article dies to the same quantum algorithm.&lt;/p&gt;
&lt;h3&gt;Finite-field DLP is sub-exponential&lt;/h3&gt;
&lt;p&gt;The general number field sieve solves finite-field discrete logs in $L_p[1/3,\ (64/9)^{1/3}]$, and its first step depends only on the prime -- the engine behind Logjam. Because the attack is sub-exponential rather than exponential, key sizes must grow quickly to stay ahead: 3072 bits for 128-bit security, 7680 for 192-bit [@weakdh], [@sp80057]. The Logjam paper&apos;s own field estimates trace that curve concretely: a 512-bit prime falls in near-real time after a one-week, 89,000-core-hour precomputation (a median of 70 seconds per subsequent log); a 768-bit prime is an academic reach at about 36,500 core-years; and a shared 1024-bit prime is a standing nation-state liability at about 45 million core-years of one-time precomputation [@weakdh]. As an independent &lt;em&gt;measured&lt;/em&gt; anchor one size down, the RSA-250 factoring record fell to the number field sieve in February 2020 at about 2,700 core-years [@rsa250].&lt;/p&gt;
&lt;h3&gt;Elliptic-curve DLP is generic square-root, and no better&lt;/h3&gt;
&lt;p&gt;For a strong curve the best known attack is generic Pollard rho at about $0.886\sqrt{\ell}$ operations, and -- this is the deep part -- that &lt;em&gt;matches&lt;/em&gt; Shoup&apos;s generic lower bound of $\Omega(\sqrt{\ell})$ [@shoup1997]. For a well-chosen curve the gap between the best attack and the proven floor is &lt;em&gt;closed&lt;/em&gt;: Curve25519 sits at about $2^{125.8}$ and P-256 at about $2^{127.8}$ [@rho]. The only escapes are specific bad families -- pairing (MOV and Frey-Ruck) reductions and anomalous curves -- which is why rigidity and vetted parameters matter, and which the elliptic-curves installment of this series treats in full.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Target security&lt;/th&gt;
&lt;th&gt;Finite-field DH prime&lt;/th&gt;
&lt;th&gt;Elliptic curve (rho cost)&lt;/th&gt;
&lt;th&gt;Best classical attack&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;128-bit&lt;/td&gt;
&lt;td&gt;3072-bit&lt;/td&gt;
&lt;td&gt;Curve25519 about $2^{125.8}$, P-256 about $2^{127.8}$&lt;/td&gt;
&lt;td&gt;Sub-exponential NFS vs generic rho&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;192-bit&lt;/td&gt;
&lt;td&gt;7680-bit&lt;/td&gt;
&lt;td&gt;P-384 about $2^{191.8}$&lt;/td&gt;
&lt;td&gt;Sub-exponential NFS vs generic rho&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Rho also amortizes across targets: breaking $T$ keys at once costs only about $\sqrt{T}$ times a single break, the elliptic-curve echo of Logjam&apos;s shared-prime amortization, and another reason to prefer a generous subgroup order [@rho].&lt;/p&gt;
&lt;h3&gt;The CDH-DDH gap is why the KDF is a theorem&lt;/h3&gt;
&lt;p&gt;The assumptions form a ladder, but mind the direction: an algorithm that solves the left solves the right, so DLP is at least as hard as CDH, which is at least as hard as DDH (read instead as &lt;em&gt;hardness assumptions&lt;/em&gt;, the implication runs the other way, with DDH-hardness implying CDH-hardness implying DLP-hardness). That last gap is real and not merely conservative. On pairing-friendly curves, DDH is &lt;em&gt;easy&lt;/em&gt; while CDH is plausibly still hard, so the raw $g^{ab}$ can be distinguished from uniform even when it cannot be computed by an attacker [@cryptobook]. That is precisely why RFC 5869 forbids skipping the extract step and insists the shared value be run through a KDF before use [@rfc5869]. Condition #5 is not a style preference; it is a consequence of a proven gap between two assumptions.&lt;/p&gt;
&lt;h3&gt;Forward secrecy&apos;s precise limits&lt;/h3&gt;
&lt;p&gt;Stated formally, forward secrecy protects the past, not the present or future, and only under the conjunction from Section 8: the ephemeral must have been ephemeral and the group strong. Its unmet conjuncts are, exactly, the failure catalog.&lt;/p&gt;
&lt;h3&gt;The ceiling: Shor&lt;/h3&gt;
&lt;p&gt;Above both tracks sits one algorithm that does not care which group you chose. Shor&apos;s algorithm solves discrete logarithms -- finite-field and elliptic-curve -- in polynomial time on a sufficiently large quantum computer, and no key size escapes it [@rfc9794]. This is the one break in the entire article that &lt;em&gt;is&lt;/em&gt; a break of the math rather than a leaked condition.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; Every other failure in this article was a leaked condition -- a shared prime, an unvalidated point, a reused ephemeral, a missing signature. Shor is the only one that breaks the math itself. That is why the answer to Shor is a new problem, ML-KEM wrapped around X25519, and not simply a bigger curve.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;If the theory is this settled -- a closed generic gap on curves, a sub-exponential tax on fields, a proven quantum cliff above both -- then what is left is genuinely open. And what is open is not the math. It is the interface, again.&lt;/p&gt;
&lt;h2&gt;12. Open Problems: What Remains Genuinely Unsettled&lt;/h2&gt;
&lt;p&gt;The discrete log is not the frontier. The frontier is what &quot;post-quantum Diffie-Hellman&quot; even means, whether constant-time can ever be a settled property, and how much broken cryptography is still in the field.&lt;/p&gt;
&lt;h3&gt;A practical post-quantum NIKE&lt;/h3&gt;
&lt;p&gt;Diffie-Hellman is a &lt;strong&gt;non-interactive key exchange&lt;/strong&gt;: two parties who have each merely &lt;em&gt;published&lt;/em&gt; a static public key can agree on a shared secret with no further interaction, and that single property is what makes asynchronous and static-static designs -- X3DH, Noise&apos;s static-static patterns -- possible. A KEM cannot do this. It is inherently interactive: one side encapsulates to the other&apos;s key and returns a ciphertext, so there is no agreement between two published static keys [@ecdhe-mlkem].&lt;/p&gt;

A scheme in which two parties agree on a shared secret purely from each other&apos;s published static public keys, with no live message exchange. Diffie-Hellman is a NIKE; a KEM is not, which is why KEMs cannot directly replace DH in static-static and asynchronous designs.
&lt;p&gt;The only serious candidate for a genuinely post-quantum NIKE is the isogeny scheme &lt;strong&gt;CSIDH&lt;/strong&gt; (Castryck, Lange, Martindale, Panny, and Renes, ASIACRYPT 2018), a commutative supersingular-isogeny group action that offers Diffie-Hellman&apos;s exact static-static, non-interactive interface. Its appeal is size: the paper advertises &quot;public keys of only 64 bytes at a conjectured AES-128 security level, matching NIST&apos;s post-quantum security category I&quot; [@csidh]. But that quantum-security claim is contested. Bonnetain and Schrottenloher analyzed the underlying quantum abelian-hidden-shift attack and concluded that &quot;the parameters proposed by the authors of CSIDH do not meet their expected quantum security&quot; (EUROCRYPT 2020), a finding Peikert reached independently the same year [@bs2020], [@peikert2020].&lt;/p&gt;
&lt;p&gt;The consensus repair is to grow the parameters: the SQALE authors set out to &quot;optimize large CSIDH parameters ... while still achieving the NIST security levels 1, 2, and 3,&quot; which pushes the prime to 1024 bits and beyond, with correspondingly slower group actions [@sqale]. And CSIDH&apos;s close relative &lt;strong&gt;SIDH/SIKE&lt;/strong&gt; was broken outright in 2022, when Castryck and Decru recovered keys against SIKEp434 &quot;in about ten minutes on a single core&quot; [@sike-break]. That is a reminder that young isogeny assumptions can fall catastrophically, and it is why today&apos;s hybrids &lt;em&gt;sidestep&lt;/em&gt; the missing PQ-NIKE rather than solve it [@pqxdh].&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key idea:&lt;/strong&gt; &quot;Post-quantum Diffie-Hellman&quot; is not a solved problem. A KEM is not a drop-in for DH&apos;s non-interactive interface, and the closest true analog -- 64-byte CSIDH -- buys much less quantum security than its key size advertises, so restoring the intended level pushes it to far larger, far slower parameters. The hybrid buys time; it does not resurrect the NIKE.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h3&gt;Deniability versus post-quantum authentication&lt;/h3&gt;
&lt;p&gt;Diffie-Hellman gives messaging protocols a property signatures cannot: &lt;strong&gt;deniability&lt;/strong&gt;. Because a session secret in X3DH is derived from DH values rather than a signature, neither party can later prove to a third party &lt;em&gt;who&lt;/em&gt; they talked to -- the transcript could have been produced by either side alone [@x3dh]. That is a deliberate feature, and it is in tension with the post-quantum migration. Signal&apos;s PQXDH ships post-quantum &lt;em&gt;confidentiality&lt;/em&gt; first, but in its own words it &quot;provides post-quantum forward secrecy ... but still relies on the hardness of the discrete log problem for mutual authentication in this revision&quot; [@pqxdh]. The reason it keeps a DH operation for the authentication step is precisely the open problem: the obvious post-quantum fix -- a post-quantum signature -- is inherently &lt;em&gt;non-deniable&lt;/em&gt;, and a deniable post-quantum authentication scheme is not yet a settled, deployed design.&lt;/p&gt;
&lt;p&gt;This is why PQXDH retains a discrete-log DH operation for mutual authentication even after adding ML-KEM for confidentiality: post-quantum confidentiality has shipped ahead of post-quantum authentication, and the deniability that DH provides has no drop-in post-quantum replacement yet [@pqxdh].&lt;/p&gt;
&lt;h3&gt;Constant-time as a moving target&lt;/h3&gt;
&lt;p&gt;X25519&apos;s ladder removes the timing channel at the &lt;em&gt;primitive&lt;/em&gt; level, but Raccoon showed the same class of leak can live one layer up, in the &lt;em&gt;protocol&lt;/em&gt;, when a premaster secret has its leading zeros stripped before hashing -- and it recurs specifically when a DH key is reused [@raccoon]. Formally-verified constant-time implementations are the structural answer, and they are not yet universal [@rfc7748].&lt;/p&gt;
&lt;h3&gt;The legacy long tail&lt;/h3&gt;
&lt;p&gt;This is a deployment problem, not a math problem. 1024-bit FFDHE, shared and custom primes, static DH, and DHE on TLS 1.2 all persist in the field years after the fixes shipped, and Logjam&apos;s precomputation economics make those &lt;em&gt;shared&lt;/em&gt; 1024-bit primes a standing mass-decryption risk [@weakdh]. RFC 7919&apos;s named groups, the TLS 1.3 ephemeral mandate, and browsers dropping DHE have shrunk the surface, but the migration is incomplete [@rfc7919], [@rfc8446].&lt;/p&gt;
&lt;h3&gt;Hybrid-combiner and downgrade robustness&lt;/h3&gt;
&lt;p&gt;The entire value of &lt;code&gt;X25519MLKEM768&lt;/code&gt; is &quot;secure if &lt;em&gt;either&lt;/em&gt; half holds,&quot; and that guarantee is only as good as the combiner and the negotiation around it: a flawed combiner, or an attacker who forces a downgrade to the weaker half, voids it. RFC 9794 standardizes the post-quantum/traditional vocabulary and OpenSSL&apos;s group-tuple syntax guards the ordering, but end-to-end downgrade-resistance proofs for the deployed handshakes are still being worked out [@ecdhe-mlkem], [@rfc9794], [@openssl-groups].&lt;/p&gt;
&lt;p&gt;Flagged as reasoning, not documented fact: by analogy to every generation before it, the &lt;em&gt;next&lt;/em&gt; wave of post-quantum breaks will most likely again be interface leaks -- bad randomness, unvalidated ciphertexts, non-constant-time decapsulation -- rather than breaks of the lattice problem itself. No source documents a failure that has not yet happened; this is an inference from the pattern of the previous five generations.&lt;/p&gt;
&lt;p&gt;If the open problems are mostly about the interface, then so is the guidance. Here is fifty years of failure compressed into rules you can apply in a design review on Monday.&lt;/p&gt;
&lt;h2&gt;13. The Practical Guide, and the One Sentence Underneath&lt;/h2&gt;
&lt;p&gt;Every rule below is one row of the failure catalog, inverted. If you remember nothing else, remember the diagnostic question, and the four conditions it audits.&lt;/p&gt;
&lt;h3&gt;Decision rules: use X, with parameters Y, in case Z&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;New key agreement, general purpose:&lt;/strong&gt; X25519, ephemeral [@rfc7748], [@ecdh].&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Post-quantum-hardened (the recommended default going forward):&lt;/strong&gt; X25519MLKEM768 [@ecdhe-mlkem], [@openssl35-release], [@openssh99].&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;FIPS, regulated, or HSM-interop:&lt;/strong&gt; ECDHE with P-256 or P-384, ephemeral, with full public-key validation; or the FIPS hybrid &lt;code&gt;SecP256r1MLKEM768&lt;/code&gt; [@sp80056a], [@ecdhe-mlkem].&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Legacy finite-field interop only:&lt;/strong&gt; FFDHE &lt;code&gt;ffdhe3072&lt;/code&gt; or larger, ephemeral, with the subgroup check -- never a custom prime and never one below 2048 bits [@rfc7919], [@weakdh].&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Always, regardless of primitive:&lt;/strong&gt; ephemeral and destroyed after use; validate the peer value appropriately (clamping is not validation); run the shared secret through HKDF; authenticate the exchange; never static DH; never reuse the ephemeral [@rfc5869], [@rfc8446].&lt;/li&gt;
&lt;/ul&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Situation&lt;/th&gt;
&lt;th&gt;Use&lt;/th&gt;
&lt;th&gt;Key parameters&lt;/th&gt;
&lt;th&gt;Because (named break avoided)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;New design, general&lt;/td&gt;
&lt;td&gt;X25519, ephemeral&lt;/td&gt;
&lt;td&gt;32-byte keys, HKDF the secret&lt;/td&gt;
&lt;td&gt;Validation and timing are structural&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;PQ-hardened default&lt;/td&gt;
&lt;td&gt;X25519MLKEM768&lt;/td&gt;
&lt;td&gt;Hybrid, both secrets into the KDF&lt;/td&gt;
&lt;td&gt;Shor and harvest-now-decrypt-later&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;FIPS / HSM / interop&lt;/td&gt;
&lt;td&gt;ECDHE P-256 or P-384, ephemeral&lt;/td&gt;
&lt;td&gt;Full public-key validation&lt;/td&gt;
&lt;td&gt;Invalid-curve attacks&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Legacy FF interop only&lt;/td&gt;
&lt;td&gt;FFDHE &lt;code&gt;ffdhe3072&lt;/code&gt;+, ephemeral&lt;/td&gt;
&lt;td&gt;Subgroup check, never below 2048-bit&lt;/td&gt;
&lt;td&gt;Logjam shared-prime precomputation&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Always&lt;/td&gt;
&lt;td&gt;Ephemeral, validate, KDF, authenticate&lt;/td&gt;
&lt;td&gt;Destroy the ephemeral after use&lt;/td&gt;
&lt;td&gt;Reuse, man-in-the-middle, CDH-DDH gap&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; X25519 for greenfield. X25519MLKEM768 when you need post-quantum hardening. ECDHE-P256 or FFDHE-3072-plus only where FIPS or interop forces your hand. And always: ephemeral, validated, KDF&apos;d, and authenticated.&lt;/p&gt;
&lt;/blockquote&gt;

For TLS, run `openssl s_client -connect example.com:443 -tls1_3` and read the &quot;Negotiated TLS1.3 group&quot; line in the output; it names the group actually chosen, such as `X25519` or `X25519MLKEM768`. To offer only the hybrid and confirm the server supports it, add `-groups X25519MLKEM768` (OpenSSL 3.5 or later). For SSH, `ssh -Q kex` lists the key-exchange methods your client supports, and connecting with `ssh -vv` prints the method actually negotiated, for example `mlkem768x25519-sha256`.

flowchart TD
    A{&quot;New greenfield design?&quot;} -- no --&amp;gt; F{&quot;FIPS or HSM interop required?&quot;}
    A -- yes --&amp;gt; Q{&quot;Post-quantum sensitive?&quot;}
    Q -- yes --&amp;gt; H[&quot;X25519MLKEM768, ephemeral&quot;]
    Q -- no --&amp;gt; X[&quot;X25519, ephemeral&quot;]
    F -- yes --&amp;gt; P[&quot;ECDHE P-256 or P-384, ephemeral, full validation&quot;]
    F -- no --&amp;gt; L[&quot;FFDHE ffdhe3072 or larger, ephemeral, subgroup check&quot;]
&lt;h3&gt;The misuse catalog&lt;/h3&gt;
&lt;p&gt;Each common mistake maps to exactly one named break. Static DH gives no forward secrecy. A reused or cached &quot;ephemeral&quot; collapses forward secrecy and enables Raccoon. A custom, shared, or sub-2048-bit prime invites Logjam, and a non-prime &quot;prime&quot; you cannot audit invites the socat failure. Skipping the on-curve and subgroup check for P-256 ECDH builds an invalid-curve oracle. Treating clamping as validation misreads why X25519 is safe. Using the raw x-coordinate or $g^{ab}$ as a key ignores the CDH-DDH gap. And anonymous DH with no authentication is a standing man-in-the-middle.&lt;/p&gt;
&lt;h3&gt;The failure catalog&lt;/h3&gt;
&lt;p&gt;This is the thesis as evidence: every world-scale Diffie-Hellman break, in one grid, each a violated condition with the math intact underneath. The rows were derived across earlier sections -- Logjam [@weakdh] and its RSA twin FREAK [@freak], small-subgroup confinement [@limlee1997] and CVE-2016-0701 [@openssl-cve], the non-prime socat modulus [@socat-secadv7], the invalid-curve class [@bmm2000] and its practical TLS demonstration [@jss2015], Raccoon [@raccoon], and the KDF requirement [@rfc5869].&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Break&lt;/th&gt;
&lt;th&gt;Year&lt;/th&gt;
&lt;th&gt;Condition violated&lt;/th&gt;
&lt;th&gt;Root cause&lt;/th&gt;
&lt;th&gt;Foreclosed by&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;&lt;tr&gt;
&lt;td&gt;Anonymous-DH MITM&lt;/td&gt;
&lt;td&gt;design gap&lt;/td&gt;
&lt;td&gt;#4 Authentication&lt;/td&gt;
&lt;td&gt;DH values bound to no identity&lt;/td&gt;
&lt;td&gt;STS/SIGMA; TLS 1.3 signatures&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Logjam shared-prime&lt;/td&gt;
&lt;td&gt;2015&lt;/td&gt;
&lt;td&gt;#2 Strong, unshared group&lt;/td&gt;
&lt;td&gt;NFS first step precomputed per shared prime, about 45M core-years at 1024-bit&lt;/td&gt;
&lt;td&gt;RFC 7919 named safe primes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Logjam 512-bit export&lt;/td&gt;
&lt;td&gt;2015&lt;/td&gt;
&lt;td&gt;#2 Strong group (active)&lt;/td&gt;
&lt;td&gt;Downgrade to breakable export parameters&lt;/td&gt;
&lt;td&gt;TLS 1.3 removes export and static DH&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;FREAK (Logjam&apos;s RSA twin)&lt;/td&gt;
&lt;td&gt;2015&lt;/td&gt;
&lt;td&gt;#2 Strong group (active)&lt;/td&gt;
&lt;td&gt;Downgrade to 512-bit export RSA key transport, then factor it&lt;/td&gt;
&lt;td&gt;TLS 1.3 removes export and static RSA&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Small-subgroup (Lim-Lee); CVE-2016-0701&lt;/td&gt;
&lt;td&gt;1997; 2016&lt;/td&gt;
&lt;td&gt;#3 Validation and #1 reuse&lt;/td&gt;
&lt;td&gt;Low-order element vs a reused exponent, no subgroup check&lt;/td&gt;
&lt;td&gt;Safe primes plus the subgroup check&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Non-prime modulus (socat)&lt;/td&gt;
&lt;td&gt;2016&lt;/td&gt;
&lt;td&gt;#2 Strong, unshared group&lt;/td&gt;
&lt;td&gt;A shipped custom 1024-bit &quot;prime&quot; that was composite, possibly backdoored&lt;/td&gt;
&lt;td&gt;RFC 7919 named safe primes; never bring your own&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Invalid-curve (BMM); JSS TLS-ECDH&lt;/td&gt;
&lt;td&gt;2000; 2015&lt;/td&gt;
&lt;td&gt;#3 Validation&lt;/td&gt;
&lt;td&gt;Off-curve point, formulas ignore b, reused key&lt;/td&gt;
&lt;td&gt;Mandatory on-curve and subgroup check; X25519 twist&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Raccoon&lt;/td&gt;
&lt;td&gt;2020&lt;/td&gt;
&lt;td&gt;#1 Freshness (reuse)&lt;/td&gt;
&lt;td&gt;Leading-zero stripping plus a reused DH key gives an MSB timing oracle&lt;/td&gt;
&lt;td&gt;No key reuse; TLS 1.3 key schedule&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ephemeral reuse or caching&lt;/td&gt;
&lt;td&gt;ongoing&lt;/td&gt;
&lt;td&gt;#1 Freshness&lt;/td&gt;
&lt;td&gt;A cached &quot;ephemeral&quot; is a static key; forward secrecy collapses&lt;/td&gt;
&lt;td&gt;Fresh-per-session and destroyed; TLS 1.3&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Static DH&lt;/td&gt;
&lt;td&gt;ongoing&lt;/td&gt;
&lt;td&gt;#1 Freshness&lt;/td&gt;
&lt;td&gt;No ephemeral, so no forward secrecy&lt;/td&gt;
&lt;td&gt;TLS 1.3 ephemeral mandate&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Raw x-coordinate as key&lt;/td&gt;
&lt;td&gt;ongoing&lt;/td&gt;
&lt;td&gt;#5 KDF discipline&lt;/td&gt;
&lt;td&gt;CDH-DDH gap leaves the shared value biased&lt;/td&gt;
&lt;td&gt;HKDF extract, per RFC 5869&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;


No, and this is the field&apos;s most-corrected misconception. Forward secrecy is a *conjunction*: the ephemeral must be freshly generated per session, never reused, destroyed after use, and run over a strong unshared group. Reuse a performance-optimized ephemeral and you have a static key; run over a shared 1024-bit prime and a precomputation reads you anyway, which is why the foundational paper is titled *Imperfect Forward Secrecy*. &quot;Ephemeral, therefore forward-secret&quot; is false without those conditions.


No. Clamping constrains *your own* secret scalar so your side of X25519 avoids cofactor and small-order pitfalls; it does nothing to check or reject a malicious peer value. X25519 is safe against off-curve inputs because of *twist security* -- the curve and its twist are both hard -- not because of clamping. That distinction trips up a lot of otherwise-correct code.


No. A Diffie-Hellman value is a structured group element, not a uniformly random string, and there are groups where it is even distinguishable from random -- the CDH-versus-DDH gap. Always run it through a KDF such as HKDF. Skipping the extract step is exactly what RFC 5869 warns against.


No. Fresh per-connection keys do not help against Logjam&apos;s central result: the number-field-sieve&apos;s expensive step depends only on the *prime*, so a shared or common 1024-bit prime can be precomputed once and then used to passively decrypt every connection on it. Use ffdhe3072 or larger, or move to a curve. Below 2048 bits is indefensible.


X25519 for anything greenfield: 32-byte keys, a single constant-time Montgomery ladder, and twist security that makes the two hardest ECDH mistakes -- timing leaks and missing point validation -- structurally unreachable. Use P-256 where FIPS, an HSM, or an existing deployment compels it, and then with full public-key validation and a constant-time library.


No. ML-KEM is a key encapsulation mechanism, which is inherently interactive and has no non-interactive static-static agreement, so it cannot express the asynchronous and static-static designs DH enables. That is why the post-quantum state of the art is a *hybrid* -- X25519MLKEM768, with X25519&apos;s secret combined with ML-KEM&apos;s -- rather than a like-for-like swap. The closest true post-quantum analog of Diffie-Hellman, the isogeny scheme CSIDH, does keep the non-interactive interface with 64-byte keys, but its quantum security is contested and reaching the intended level forces much larger, slower parameters.


No. Authentication defeats the *active* man-in-the-middle and nothing else -- it is orthogonal to the group&apos;s hardness and to input validation. A signed handshake over a shared 1024-bit prime is still Logjam-exposed, and a signed exchange that skips the on-curve check is still an invalid-curve oracle. Authentication is one of four conditions, not a substitute for the others.

&lt;h3&gt;The one sentence underneath&lt;/h3&gt;
&lt;p&gt;Return to Logjam. Across fifty years, almost no deployed break ever solved a discrete logarithm. Attackers precomputed a shared prime, confined a reused key to a small subgroup, fed an off-curve point to a validation-free server, read the clock while a server stripped leading zeros, shipped a modulus that was not even prime, or simply sat in the middle of an unauthenticated exchange. &quot;Using Diffie-Hellman safely&quot; is not one choice but a stack: a strong unshared group, a validated input, a genuinely fresh-and-destroyed ephemeral, an authenticated exchange, and a KDF beneath them. The fifty-year story is the field pulling each of those off the caller&apos;s shoulders and into the primitive, the named group, and the protocol, so that the simple thing to do became the safe thing to do. Remove any layer and the matching failure class reopens.&lt;/p&gt;

The math held; the deployment handed the secret away.
&lt;p&gt;There is one exception, and it is the horizon. Shor&apos;s algorithm is the single break in this whole story that touches the math itself, which is why today&apos;s ECDH is being &lt;em&gt;wrapped&lt;/em&gt;, not replaced, and why the destination is a hybrid rather than a bigger prime. So audit the exchange the way the whole article has: when a public value you did not generate arrives, and you combine it with a secret you must have freshly generated and will immediately destroy -- is the group strong and unshared, is that incoming value validated, is the exchange authenticated, and does the raw result go through a KDF before anyone calls it a key? Using Diffie-Hellman safely is the discipline of never handing an attacker a condition your protocol forgot to own.&lt;/p&gt;
&lt;p&gt;&amp;lt;StudyGuide slug=&quot;diffie-hellman-and-forward-secrecy&quot; keyTerms={[
  { term: &quot;Diffie-Hellman key agreement&quot;, definition: &quot;Two parties exchange g to the a and g to the b over an open channel and both compute g to the ab, a shared secret an eavesdropper who sees only the public values cannot compute.&quot; },
  { term: &quot;Discrete logarithm problem&quot;, definition: &quot;Given a generator g and the value g to the a, recover the exponent a. Believed hard in well-chosen groups, and the foundation Diffie-Hellman rests on.&quot; },
  { term: &quot;CDH vs DDH&quot;, definition: &quot;Computational Diffie-Hellman is computing the shared secret from the two public values; Decisional Diffie-Hellman is distinguishing it from random. DDH is strictly stronger, which is why the raw output is not yet a key.&quot; },
  { term: &quot;Forward secrecy&quot;, definition: &quot;Compromising a long-term key does not expose past sessions, but only if the per-session ephemeral was fresh, never reused, destroyed after use, and over a strong unshared group. It is a conjunction, not an automatic property.&quot; },
  { term: &quot;Safe prime&quot;, definition: &quot;A prime p equal to 2q plus 1 with q also prime. Its only small subgroup is the trivial order-two one (the values 1 and p minus 1, a cofactor of 2), so a small-subgroup attack can confine a key to at most one bit; implementations still reject 0, 1, and p minus 1.&quot; },
  { term: &quot;Number field sieve&quot;, definition: &quot;The best known sub-exponential attack on finite-field discrete logs. Its expensive first step depends only on the prime, so a shared prime is a shared weakness and the engine behind Logjam.&quot; },
  { term: &quot;Invalid-curve attack&quot;, definition: &quot;Sending a point on a different, weaker curve; because scalar-multiplication formulas ignore the curve constant, the victim computes on the wrong curve and leaks a reused private key.&quot; },
  { term: &quot;Twist security&quot;, definition: &quot;A curve whose quadratic twist also has near-prime order, so an off-curve input lands in another hard group. It makes X25519 safe against invalid inputs with no explicit validation.&quot; },
  { term: &quot;Clamping&quot;, definition: &quot;Bit-masking an X25519 secret scalar. It constrains your own scalar and is not validation of the peer value.&quot; },
  { term: &quot;Harvest-now decrypt-later&quot;, definition: &quot;Recording encrypted traffic today to decrypt once a quantum computer exists, which makes present-day ECDH confidentiality a future liability and motivates the post-quantum hybrids.&quot; }
]} questions={[
  { q: &quot;Why was Logjam possible even when servers generated a fresh key per connection?&quot;, a: &quot;Freshness and an unshared group are two different conditions. The number-field-sieve first step depends only on the prime, so a shared prime can be precomputed once and used to read every connection on it, no matter how fresh the per-connection secret is.&quot; },
  { q: &quot;What are the four conditions plus the discipline beneath them?&quot;, a: &quot;A fresh ephemeral, a strong and unshared group, a validated peer input, and an authenticated exchange, with a KDF beneath all four. Every named break is exactly one of these violated.&quot; },
  { q: &quot;Why is X25519 preferred over classic P-256 ECDH for new work?&quot;, a: &quot;Twist security makes input validation structural and the Montgomery ladder is constant-time by construction, so the two hardest ECDH mistakes, missing validation and timing leaks, are unreachable rather than merely avoided.&quot; },
  { q: &quot;Why must the raw shared secret be run through a KDF?&quot;, a: &quot;A Diffie-Hellman value is a structured group element, not a uniform string, and the CDH-DDH gap means it can even be distinguishable from random. RFC 5869 requires extracting a key from it rather than using it raw.&quot; },
  { q: &quot;Why is the post-quantum answer a hybrid rather than a bigger curve?&quot;, a: &quot;Shor&apos;s algorithm breaks all discrete-log DH in polynomial time regardless of key size, so the fix is to add a different hard problem, ML-KEM, wrapped around X25519, so the session is safe if either problem holds.&quot; }
]} /&amp;gt;&lt;/p&gt;
</content:encoded><category>diffie-hellman</category><category>forward-secrecy</category><category>x25519</category><category>ecdh</category><category>ffdhe</category><category>key-agreement</category><category>post-quantum-crypto</category><category>applied-cryptography</category><author>noreply@paragmali.com (Parag Mali)</author></item></channel></rss>