On Sat, Sep 5, 2015 at 3:25 PM, Georgi Guninski <guninski@guninski.com> wrote: ...
> I mean: non-proper DH is an implementation which doesn't return an error/abort if $q$ is composite. $q$ is defined in the RFC.
I'm not aware of any implementation that fails to abort if q is composite. As a case in point, OpenSSL versions implementing X9.42 DH (1.0.2-Beta2 and above) test both p and q for primality:

    int DH_check(const DH *dh, int *ret)
    {
        /* ... */
        if (dh->q) {
            /* ... */
            if (!BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL))
                *ret |= DH_CHECK_Q_NOT_PRIME;
        }

and

        if (!BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL))
            *ret |= DH_CHECK_P_NOT_PRIME;
        else if (!dh->q) {
            /* ... */
        }

I have no evidence, though, that applications built on OpenSSL call the DH_check() function every time they need to.

Cheers,
-- Alfonso
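
The parameter checks discussed in this thread, as an added example that is not part of the original message and is not OpenSSL code: a Python sketch of validating (p, q, g) before use, showing that a composite q can pass the divisibility and generator tests and is caught only by the primality test. The function names, flag names and the small parameter sets are constructed for illustration.

```python
import secrets

# Flag names are this example's own (assumed); they mirror the idea of
# DH_check()'s result bits but are not OpenSSL constants.
P_NOT_PRIME, Q_NOT_PRIME, Q_NOT_DIVISOR, BAD_GENERATOR = 1, 2, 4, 8


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square reached -1: n is composite
    return True


def check_dh_params(p, q, g):
    """Return a bitmask of failed checks; 0 means every check passed."""
    if p < 3 or q < 2:
        raise ValueError("degenerate DH parameters")
    flags = 0
    if not is_probable_prime(p):
        flags |= P_NOT_PRIME
    if not is_probable_prime(q):
        flags |= Q_NOT_PRIME
    if (p - 1) % q != 0:
        flags |= Q_NOT_DIVISOR
    if not 1 < g < p - 1 or pow(g, q, p) != 1:
        flags |= BAD_GENERATOR
    return flags


if __name__ == "__main__":
    # Constructed toy parameters; (31, 15, 9) fails only the q primality test.
    for params in ((23, 11, 2), (31, 15, 9)):
        print(params, check_dh_params(*params))
```

A caller should treat any non-zero result as a reason to reject the parameters before generating or accepting a key.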