5 Sep 2015, 7:07 a.m.
On Sat, Sep 05, 2015 at 06:37:09AM +0000, Alfonso De Gregorio wrote:
> (*) It would be interesting to look at the story of RFC-2631, as Bernstein, Lange, and Niederhagen did for the Dual EC standard https://projectbullrun.org/dual-ec/
2631 is on Wikipedia's page for DH.

Another concern for a backdoor is the FIPS in this thread, which requires a small subgroup (as low as 160 bits). Having in mind that for generic primes DL is subexponential (IIRC something like GNFS), the complexity of DL in a small subgroup is questionable.

Just to note, so far this thread questions:

1. DH's RFC
2. DSA as implemented by OpenSSL
3. FIPS requiring small subgroup.

--
georgi