Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

Georgi Guninski guninski at guninski.com
Sat Sep 5 00:07:49 PDT 2015

On Sat, Sep 05, 2015 at 06:37:09AM +0000, Alfonso De Gregorio wrote:
> (*) It would be interesting to look at the story of RFC-2631, as
> Bernstein, Lange, and Niederhagen did for the Dual EC standard
> https://projectbullrun.org/dual-ec/

2631 is on Wikipedia's page for DH.

Another concern for a backdoor is the FIPS in this thread,
which requires a small subgroup (as low as 160 bits).

Having in mind that for generic primes DL is subexponential
(IIRC something like GNFS), the complexity of DL in a
small subgroup is questionable.

Just to note, so far this thread questions:

1. DH's RFC
2. DSA as implemented by openssl
3. FIPS requiring small subgroup.
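For readers following the small-subgroup discussion above, the following is an added example (not code from the original post, from RFC 2631, or from any FIPS document). It implements Diffie-Hellman the way RFC 2631 structures it: a prime q dividing p-1, a generator g = h^((p-1)/q) mod p of the order-q subgroup, and the check 1 < y < p-1, y^q mod p == 1 that the RFC requires on received public values. The parameters p = 1213, q = 101, and the private keys are constructed toy values chosen so the arithmetic is visible; real parameter sets use p of 1024 or more bits with a 160-bit-or-larger q.

```python
"""Diffie-Hellman in a prime-order subgroup, in the style of RFC 2631.

Added example, not code from the original post or the RFC. The parameters
below are constructed toy values; real use needs p of 1024+ bits and a
prime q of 160+ bits dividing p-1 (the "small subgroup" discussed above).
"""
import secrets
from typing import Optional, Tuple


def is_prime(n: int) -> bool:
    """Trial division; adequate for toy-sized parameters only."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def check_parameters(p: int, q: int, g: int) -> bool:
    """Structural checks a recipient can run on a (p, q, g) set:
    both primes, q divides p-1, and g is a non-identity element of order q."""
    return (
        is_prime(p)
        and is_prime(q)
        and (p - 1) % q == 0
        and 1 < g < p - 1
        and pow(g, q, p) == 1
    )


def subgroup_generator(p: int, q: int, h: int) -> Optional[int]:
    """RFC 2631 construction: g = h^j mod p with j = (p-1)/q.
    Any h giving g != 1 yields an element of prime order q."""
    g = pow(h, (p - 1) // q, p)
    return None if g == 1 else g


def validate_public_value(y: int, p: int, q: int) -> bool:
    """RFC 2631 public-value check: 1 < y < p-1 and y^q mod p == 1.
    Rejects the identity, -1, and anything outside the order-q subgroup,
    so a peer cannot push the shared secret into a tiny subgroup of p-1."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def keypair(p: int, q: int, g: int, x: Optional[int] = None) -> Tuple[int, int]:
    """Private x in [1, q-1] (random unless supplied), public y = g^x mod p."""
    if x is None:
        x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def shared_secret(x: int, y_peer: int, p: int, q: int) -> int:
    """Validate the peer's value before exponentiating with our private key."""
    if not validate_public_value(y_peer, p, q):
        raise ValueError("peer public value is not in the order-q subgroup")
    return pow(y_peer, x, p)


# Constructed toy parameters: q = 101, p = 12*q + 1 = 1213, g = 2^12 mod p = 457.
P, Q = 1213, 101
G = subgroup_generator(P, Q, 2)


def demo() -> int:
    """Full exchange with random private keys; returns the agreed secret."""
    assert G is not None and check_parameters(P, Q, G)
    xa, ya = keypair(P, Q, G)
    xb, yb = keypair(P, Q, G)
    ka = shared_secret(xa, yb, P, Q)
    kb = shared_secret(xb, ya, P, Q)
    assert ka == kb
    return ka


if __name__ == "__main__":
    print("shared secret:", demo())
    # -g has order 2q, so it is outside the subgroup and must be rejected.
    print("-g accepted?", validate_public_value(P - G, P, Q))
```

The rejection of p - g in the last line is the point of the y^q check: that value lies between 1 and p-1 yet has order 2q, and exponentiating it with a private key would leak one bit about that key. With q prime, any element that passes the check has order exactly q.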