Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

Alfonso De Gregorio alfonso.degregorio at gmail.com
Sat Sep 5 00:41:11 PDT 2015

On Sat, Sep 5, 2015 at 7:07 AM, Georgi Guninski <guninski at guninski.com> wrote:
> On Sat, Sep 05, 2015 at 06:37:09AM +0000, Alfonso De Gregorio wrote:
>> (*) It would be interesting to look at the story of RFC-2631, as
>> Bernstein, Lange, and Niederhagen did for the Dual EC standard
>> https://projectbullrun.org/dual-ec/
> 2631 is on wikipedia's page for DH.

Sure, the questions are: What is the origin of the current wording of
the standard, that opens an avenue for lax checks for group
parameters? Or, if, as you correctly pointed out, an implementation
MAY NOT check group parameters, which entity deserves credit for it?

Interestingly, a review of revisions (using rfcdiff) shows that the
current wording was introduced in draft #1 of draft-ietf-smime-x942.
This is dated October 1998. Yet, it is still not clear if the diff is
to be attributed to Rescorla, or any other contributor to this
standardization effort.


-- Alfonso
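As an added illustration, not code from the thread or from RFC 2631 itself: the group-parameter and public-key checks the RFC leaves optional (p and q prime, p = jq + 1, g and the peer's y in the order-q subgroup), in Python, with tiny constructed parameters (p = 23, q = 11, g = 4) standing in for real-world sizes.

```python
# Added example, not from the thread or from RFC 2631 itself: the checks
# RFC 2631 lets an implementation perform on DH group parameters and on a
# peer's public key (y^q mod p == 1). Demo values are tiny constructed
# primes, not real parameters.
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; use a vetted library in production."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group(p: int, q: int, g: int) -> bool:
    """p and q prime, p = jq + 1, and g (not 1) lies in the order-q subgroup."""
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return False
    if (p - 1) % q != 0:
        return False
    return 1 < g < p - 1 and pow(g, q, p) == 1


def validate_public_key(y: int, p: int, q: int) -> bool:
    """Reject y outside [2, p-1] or outside the order-q subgroup.
    Without the exponentiation, an element of a small subgroup (e.g. p-1,
    order 2) would confine the shared secret to a handful of values."""
    return 2 <= y <= p - 1 and pow(y, q, p) == 1


if __name__ == "__main__":
    # constructed demo group: p = 23 = 2*11 + 1, q = 11, g = 4 (4^11 mod 23 == 1)
    print(validate_group(23, 11, 4), validate_public_key(22, 23, 11))
```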

