Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method

Alfonso De Gregorio alfonso.degregorio at gmail.com
Sat Sep 5 08:40:24 PDT 2015

On Sat, Sep 5, 2015 at 3:25 PM, Georgi Guninski <guninski at guninski.com> wrote:
> I mean: non-proper DH is implementation which doesn't return
> error/aborts if $q$ is composite. $q$ is defined in the RFC.

I'm not aware of any implementation that fails to abort is q is composite.

As a case in point, OpenSSL versions implementing X9.42 DH
(1.0.2-Beta2 and above) test both p and q for primality:

int DH_check(const DH *dh, int *ret)
   /* ... */

    if (dh->q) {
        /* ... */
        if (!BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL))
            *ret |= DH_CHECK_Q_NOT_PRIME;


    if (!BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL))
        *ret |= DH_CHECK_P_NOT_PRIME;
    else if (!dh->q) {
       /* ... */

I have no evidence though that application built on OpenSSL call
DH_check() function every time they need to.


-- Alfonso

More information about the cypherpunks mailing list