{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,17]],"date-time":"2026-04-17T07:37:38Z","timestamp":1776411458848,"version":"3.51.2"},"publisher-location":"New York, NY, USA","reference-count":71,"publisher":"ACM","license":[{"start":{"date-parts":[[2015,10,12]],"date-time":"2015-10-12T00:00:00Z","timestamp":1444608000000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"NSF","award":["CNS-1409505"],"award-info":[{"award-number":["CNS-1409505"]}]},{"name":"NSF","award":["DGE-1256260"],"award-info":[{"award-number":["DGE-1256260"]}]},{"name":"NSF","award":["EFRI-1441209"],"award-info":[{"award-number":["EFRI-1441209"]}]},{"name":"NSF","award":["CNS-1518741"],"award-info":[{"award-number":["CNS-1518741"]}]},{"name":"NSF","award":["CNS-1345254"],"award-info":[{"award-number":["CNS-1345254"]}]},{"name":"ONR","award":["N00014-11-1-0470"],"award-info":[{"award-number":["N00014-11-1-0470"]}]},{"name":"ERC","award":["259639"],"award-info":[{"award-number":["259639"]}]},{"name":"ANR","award":["ANR-12-BS02-001-01"],"award-info":[{"award-number":["ANR-12-BS02-001-01"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2015,10,12]]},"DOI":"10.1145\/2810103.2813707","type":"proceedings-article","created":{"date-parts":[[2015,10,6]],"date-time":"2015-10-06T11:22:12Z","timestamp":1444130532000},"page":"5-17","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":276,"title":["Imperfect Forward Secrecy"],"prefix":"10.1145","author":[{"given":"David","family":"Adrian","sequence":"first","affiliation":[{"name":"University of Michigan, Ann Arbor, MI, USA"}]},{"given":"Karthikeyan","family":"Bhargavan","sequence":"additional","affiliation":[{"name":"INRIA Paris-Rocquencourt, Paris, France"}]},{"given":"Zakir","family":"Durumeric","sequence":"additional","affiliation":[{"name":"University of Michigan, Ann Arbor, MI, USA"}]},{"given":"Pierrick","family":"Gaudry","sequence":"additional","affiliation":[{"name":"INRIA Nancy-Grand Est, CNRS and Universit\u00e9 de Lorraine, Nancy, France"}]},{"given":"Matthew","family":"Green","sequence":"additional","affiliation":[{"name":"Johns Hopkins University, Baltimore, MD, USA"}]},{"given":"J. Alex","family":"Halderman","sequence":"additional","affiliation":[{"name":"University of Michigan, Ann Arbor, MI, USA"}]},{"given":"Nadia","family":"Heninger","sequence":"additional","affiliation":[{"name":"University of Pennsylvania, Philadelphia, PA, USA"}]},{"given":"Drew","family":"Springall","sequence":"additional","affiliation":[{"name":"University of Michigan, Ann Arbor, MI, USA"}]},{"given":"Emmanuel","family":"Thom\u00e9","sequence":"additional","affiliation":[{"name":"INRIA Nancy-Grand Est, CNRS and Universit\u00e9 de Lorraine, Nancy, France"}]},{"given":"Luke","family":"Valenta","sequence":"additional","affiliation":[{"name":"University of Pennsylvania, Philadelphia, PA, USA"}]},{"given":"Benjamin","family":"VanderSloot","sequence":"additional","affiliation":[{"name":"University of Michigan, Ann Arbor, MI, USA"}]},{"given":"Eric","family":"Wustrow","sequence":"additional","affiliation":[{"name":"University of Michigan, Ann Arbor, MI, USA"}]},{"given":"Santiago","family":"Zanella-B\u00e9guelin","sequence":"additional","affiliation":[{"name":"Microsoft Research, Cambridge, United Kingdom"}]},{"given":"Paul","family":"Zimmermann","sequence":"additional","affiliation":[{"name":"INRIA Nancy-Grand Est, CNRS and Universit\u00e9 de Lorraine, Nancy, France"}]}],"member":"320","published-online":{"date-parts":[[2015,10,12]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"upshape cado-nfs, an implementation of the number field sieve algorithm","author":"Bai S.","year":"2014","unstructured":"S. Bai, C. Bouvier, A. Filbois, P. Gaudry, L. Imbert, A. Kruppa, F. Morain, E. Thom\u00e9, and P. Zimmermann.upshape cado-nfs, an implementation of the number field sieve algorithm, 2014. Release 2.1.1."},{"key":"e_1_3_2_1_2_1","unstructured":"R. Barbulescu. Algorithmes de logarithmes discrets dans les corps finis. PhD thesis Universit\u00e9 de Lorraine France 2013."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-55220-5_1"},{"key":"e_1_3_2_1_4_1","volume-title":"NIST Special Publication 800--57: Recommendation for Key Management","author":"Barker E.","year":"2007","unstructured":"E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid. NIST Special Publication 800--57: Recommendation for Key Management, 2007."},{"key":"e_1_3_2_1_5_1","volume-title":"How to find smooth parts of integers","author":"Bernstein D. J.","year":"2004","unstructured":"D. J. Bernstein. How to find smooth parts of integers, 2004. http:\/\/cr.yp.to\/factorization\/smoothparts-20040510.pdf."},{"key":"e_1_3_2_1_6_1","volume-title":"Selected Areas in Cryptography","author":"Bernstein D. J.","year":"2014","unstructured":"D. J. Bernstein and T. Lange. Batch NFS. In Selected Areas in Cryptography, 2014."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.39"},{"key":"e_1_3_2_1_8_1","volume-title":"New record for discrete logarithm in a prime finite field of 180 decimal digits","author":"Bouvier C.","year":"2014","unstructured":"C. Bouvier, P. Gaudry, L. Imbert, H. Jeljeli, and E. Thom\u00e9. New record for discrete logarithm in a prime finite field of 180 decimal digits, 2014. http:\/\/caramel.loria.fr\/p180.txt."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.5555\/646767.704307"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1007\/11745853_12"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.2307\/2153413"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4684-9316-0"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.5555\/646753.704876"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.1976.1055638"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.5555\/2534766.2534818"},{"key":"e_1_3_2_1_16_1","volume-title":"Diffie-Hellman group exchange for the secure shell (SSH) transport layer protocol. RFC","author":"Friedl M.","year":"2006","unstructured":"M. Friedl, N. Provos, and W. Simpson. Diffie-Hellman group exchange for the secure shell (SSH) transport layer protocol. RFC 4419, Mar. 2006."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/ITCC.2005.173"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-72540-4_27"},{"key":"e_1_3_2_1_19_1","volume-title":"IETF Internet Draft","author":"Gillmor D.","year":"2015","unstructured":"D. Gillmor. Negotiated finite field Diffie-Hellman ephemeral parameters for TLS. IETF Internet Draft, May 2015."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.5555\/646757.705533"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1137\/0406010"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC2409"},{"key":"e_1_3_2_1_23_1","volume-title":"NDSS","author":"Jager T.","year":"2013","unstructured":"T. Jager, K. G. Paterson, and J. Somorovsky. One bad apple: Backwards compatibility attacks on state-of-the-art cryptography. In NDSS, 2013."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1090\/S0025-5718-02-01482-5"},{"key":"e_1_3_2_1_25_1","volume-title":"Internet key exchange protocol version 2 (IKEv2). RFC","author":"Kaufman C.","year":"2014","unstructured":"C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, and T. Kivinen. Internet key exchange protocol version 2 (IKEv2). RFC 7296, Oct. 2014."},{"key":"e_1_3_2_1_26_1","volume-title":"IP authentication header. RFC","author":"Kent S.","year":"2005","unstructured":"S. Kent. IP authentication header. RFC 4302, Dec. 2005."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"crossref","unstructured":"S. Kent. IP encapsulating security payload (ESP). RFC 4303 Dec. 2005.","DOI":"10.17487\/rfc4303"},{"key":"e_1_3_2_1_28_1","volume-title":"Cofactorisation strategies for the number field sieve and an estimate for the sieving step for factoring 1024 bit integers","author":"Kleinjung T.","year":"2006","unstructured":"T. Kleinjung. Cofactorisation strategies for the number field sieve and an estimate for the sieving step for factoring 1024 bit integers, 2006. http:\/\/www.hyperelliptic.org\/tanja\/SHARCS\/talks06\/thorsten.pdf."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.5555\/1881412.1881436"},{"key":"e_1_3_2_1_30_1","volume-title":"IETF Internet Draft","author":"Langley A.","year":"2010","unstructured":"A. Langley, N. Modadugu, and B. Moeller. Transport layer security (TLS) false start. IETF Internet Draft, 2010."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1007\/BFb0091534"},{"key":"e_1_3_2_1_32_1","volume-title":"Jefferies","author":"Lipacis M.","year":"2012","unstructured":"M. Lipacis. Semiconductors: Moore stress = structural industry shift. Technical report, Jefferies, 2012."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.5555\/646759.705837"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.5555\/646761.706028"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382206"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.21236\/ADA465466"},{"key":"e_1_3_2_1_37_1","volume-title":"May","year":"2015","unstructured":"Microsoft Security Bulletin MS15-055. Vulnerability in Schannel could allow information disclosure, May 2015. https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms15-055.aspx."},{"key":"e_1_3_2_1_38_1","volume-title":"FIPS PUB 186--4: Digital signature standard","author":"NIST.","year":"2013","unstructured":"NIST. FIPS PUB 186--4: Digital signature standard, 2013."},{"key":"e_1_3_2_1_39_1","unstructured":"Oak Ridge National Laboratory. Introducing Titan 2012. https:\/\/www.olcf.ornl.gov\/titan."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC2412"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.1978.1055817"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1007\/BF01933667"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jalgor.2004.11.004"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1090\/S0025-5718-00-01308-9"},{"key":"e_1_3_2_1_45_1","volume-title":"Proc. Sympos. Pure Math.","volume":"20","author":"Shanks D.","year":"1971","unstructured":"D. Shanks. Class number, a theory of factorization, and genera. In Proc. Sympos. Pure Math., volume 20. 1971."},{"key":"e_1_3_2_1_46_1","volume-title":"Der Spiegel","year":"2014","unstructured":"Spiegel Staff. Prying eyes: Inside the NSA's war on Internet security. Der Spiegel, Dec 2014. http:\/\/www.spiegel.de\/international\/germany\/inside-the-nsa-s-war-on-internet-security-a-1010361.html."},{"key":"e_1_3_2_1_47_1","volume-title":"Sage Mathematics Software (Version 6.5)","author":"Stein W.","year":"2015","unstructured":"W. Stein et al. Sage Mathematics Software (Version 6.5). The Sage Development Team, 2015. http:\/\/www.sagemath.org."},{"key":"e_1_3_2_1_48_1","volume-title":"The scalable TLS unwrapping daemon","year":"2012","unstructured":"stud: The scalable TLS unwrapping daemon, 2012. https:\/\/github.com\/bumptech\/stud\/blob\/19a7f19686bcdbd689c6fbea31f68a276e62d886\/stud.c#L593."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1006\/jsco.2002.0533"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/191177.191231"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.5555\/1754495.1754535"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.5555\/1267167.1267171"},{"key":"e_1_3_2_1_53_1","volume-title":"SSL options","author":"Wagnon J.","year":"2013","unstructured":"J. Wagnon. SSL profiles part 5: SSL options, 2013. https:\/\/devcentral.f5.com\/articles\/ssl-profiles-part-5-ssl-options."},{"key":"e_1_3_2_1_54_1","volume-title":"GMP-ECM","author":"Zimmermann P.","year":"2012","unstructured":"P. Zimmermann et al. GMP-ECM, 2012. https:\/\/gforge.inria.fr\/projects\/ecm."},{"key":"e_1_3_2_1_55_1","volume-title":"Aug.","author":"APEX","year":"2009","unstructured":"APEX active\/passive exfiltration. Media leak, Aug. 2009. http:\/\/www.spiegel.de\/media\/media-35671.pdf."},{"key":"e_1_3_2_1_56_1","unstructured":"Fielded capability: End-to-end VPN SPIN 9 design review. Media leak. http:\/\/www.spiegel.de\/media\/media-35529.pdf."},{"key":"e_1_3_2_1_57_1","unstructured":"FY 2013 congressional budget justification. Media leak. http:\/\/cryptome.org\/2013\/08\/spy-budget-fy13.pdf."},{"key":"e_1_3_2_1_58_1","unstructured":"GALLANTWAVE@scale. Media leak. http:\/\/www.spiegel.de\/media\/media-35514.pdf."},{"key":"e_1_3_2_1_59_1","unstructured":"Innov8 experiment profile. Media leak. http:\/\/www.spiegel.de\/media\/media-35509.pdf."},{"key":"e_1_3_2_1_60_1","volume-title":"Sept.","author":"VPN","year":"2010","unstructured":"Intro to the VPN exploitation process. Media leak, Sept. 2010. http:\/\/www.spiegel.de\/media\/media-35515.pdf."},{"key":"e_1_3_2_1_61_1","unstructured":"LONGHAUL -- WikiInfo. Media leak. http:\/\/www.spiegel.de\/media\/media-35533.pdf."},{"key":"e_1_3_2_1_62_1","unstructured":"POISONNUT -- WikiInfo. Media leak. http:\/\/www.spiegel.de\/media\/media-35519.pdf."},{"key":"e_1_3_2_1_63_1","unstructured":"SIGINT strategy. Media leak. http:\/\/www.nytimes.com\/interactive\/2013\/11\/23\/us\/politics\/23nsa-sigint-strategy-document.html."},{"key":"e_1_3_2_1_64_1","unstructured":"SPIN 15 VPN story. Media leak. http:\/\/www.spiegel.de\/media\/media-35522.pdf."},{"key":"e_1_3_2_1_65_1","unstructured":"TURMOIL\/APEX\/APEX high level description document. Media leak. http:\/\/www.spiegel.de\/media\/media-35513.pdf."},{"key":"e_1_3_2_1_66_1","volume-title":"Aug.","author":"MOIL","year":"2009","unstructured":"TURMOIL IPsec VPN sessionization. Media leak, Aug. 2009. http:\/\/www.spiegel.de\/media\/media-35528.pdf."},{"key":"e_1_3_2_1_67_1","volume-title":"Oct.","author":"MOIL","year":"2009","unstructured":"TURMOIL VPN processing. Media leak, Oct. 2009. http:\/\/www.spiegel.de\/media\/media-35526.pdf."},{"key":"e_1_3_2_1_68_1","unstructured":"VALIANTSURF (VS): Capability levels. Media leak. http:\/\/www.spiegel.de\/media\/media-35517.pdf."},{"key":"e_1_3_2_1_69_1","unstructured":"VALIANTSURF -- WikiInfo. Media leak. http:\/\/www.spiegel.de\/media\/media-35527.pdf."},{"key":"e_1_3_2_1_70_1","unstructured":"VPN SigDev basics. Media leak. http:\/\/www.spiegel.de\/media\/media-35520.pdf."},{"key":"e_1_3_2_1_71_1","unstructured":"What your mother never told you about SIGDEV analysis. Media leak. http:\/\/www.spiegel.de\/media\/media-35551.pdf."}],"event":{"name":"CCS'15: The 22nd ACM Conference on Computer and Communications Security","location":"Denver Colorado USA","acronym":"CCS'15","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2810103.2813707","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2810103.2813707","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2810103.2813707","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T09:33:16Z","timestamp":1763458396000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2810103.2813707"}},"subtitle":["How Diffie-Hellman Fails in Practice"],"short-title":[],"issued":{"date-parts":[[2015,10,12]]},"references-count":71,"alternative-id":["10.1145\/2810103.2813707","10.1145\/2810103"],"URL":"https:\/\/doi.org\/10.1145\/2810103.2813707","relation":{},"subject":[],"published":{"date-parts":[[2015,10,12]]},"assertion":[{"value":"2015-10-12","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}