Small subgroup confinement attack explained

In cryptography, a subgroup confinement attack, or small subgroup confinement attack, on a cryptographic method that operates in a large finite group is where an attacker attempts to compromise the method by forcing a key to be confined to an unexpectedly small subgroup of the desired group.

Several methods have been found to be vulnerable to subgroup confinement attack, including some forms or applications of Diffie–Hellman key exchange and DH-EKE.

References

• On Diffie–Hellman key agreement with short exponents . Springer-Verlag . P. C. van Oorschot, M. J. Wiener. . Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques . May 1996 . . Saragossa, Spain . 332–343 . 3-540-61186-X.
• Strong Password-Only Authenticated Key Exchange . D. Jablon . ACM SIGCOMM Computer Communication Review. October 1996 . 26 . 5 . 5–26 . 10.1145/242896.242897. 2870433 . free .
• A key recovery attack on discrete log-based schemes using a prime order subgroup . Springer-Verlag . C.H. Lim and P.J. Lee. . Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology . 1998 . . 249–263 . 3-540-63384-7.