Possible crypto backdoor in RFC-2631 Diffie-Hellman Key Agreement Method
Georgi Guninski
guninski at guninski.com
Sun Sep 6 01:27:09 PDT 2015
On Sun, Sep 06, 2015 at 07:56:07AM +0000, Peter Gutmann wrote:
>
> I haven't seen anything about this (so far) that doesn't class it as a purely
> certificational weakness. Consider the following equivalent of the flaw, but
OK, you might be right.
Summary of my verbiage on this list is here:
https://j.ludost.net/blog/archives/2015/09/05/rfc-2631_fips_186-3_and_openssls_implementation_of_dsa_appear_broken_and_possibly_backdoored/index.html
besides DH:
2) openssl 1.0.1p accepts composite $q$ in DSA
3) fips 160? forces small subgroup as low as 160 bits
and openssl 1.0.1p insists on this.
To repeat, the DL is subexponential in the whole group
of order $p-1$ and I don't exclude the possibility that it is
easier in the small forced subgroup.
Have fun,
--
georgi
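The two checks the post complains about (a composite $q$ being accepted, and a small forced subgroup) are easy to run yourself before trusting a set of DSA/DH domain parameters. The script below is an added example, not code from the post or from OpenSSL: it tests $p$ and $q$ for primality, checks that $q$ divides $p-1$ and that $g^q \equiv 1 \pmod p$, and flags a $q$ below a caller-chosen bit length. The toy parameter sets are constructed here for illustration; the composite-$q$ set $(p, q, g) = (31, 15, 2)$ passes the $g^q \equiv 1$ test yet $g$ actually has order 5, which is the kind of thing a subgroup-membership check alone will not catch.

```python
"""DSA/DH domain-parameter sanity check (added example, not from the post).

Conditions a verifier should insist on before trusting (p, q, g):
  * p and q are (probable) primes -- a composite q is the case the post describes
  * q divides p - 1
  * 1 < g < p and g^q == 1 (mod p), i.e. g lies in a subgroup of order q
  * q has at least min_q_bits bits (160 is the floor the post objects to)
Miller-Rabin with random bases is used for primality; the toy numbers below
are constructed for illustration only.
"""
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test with trial division for tiny factors."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in small:
        if n % sp == 0:
            return n == sp
    # write n - 1 = 2^r * d with d odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness of compositeness
    return True


def element_order(g: int, p: int) -> int:
    """Multiplicative order of g mod p by brute force (toy sizes only)."""
    x, k = g % p, 1
    while x != 1:
        x = x * g % p
        k += 1
    return k


def check_dsa_params(p: int, q: int, g: int, min_q_bits: int = 160) -> list:
    """Return a list of problems found; an empty list means (p, q, g) look sane."""
    problems = []
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if not is_probable_prime(q):
        problems.append("q is not prime")
    if (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    if not 1 < g < p:
        problems.append("g out of range")
    elif pow(g, q, p) != 1:
        problems.append("g^q != 1 mod p")
    if q.bit_length() < min_q_bits:
        problems.append("q is only %d bits (< %d)" % (q.bit_length(), min_q_bits))
    return problems


if __name__ == "__main__":
    # constructed toy parameters: min_q_bits=0 disables the size check for them
    good = (23, 11, 2)       # p = 2q+1, g = 2 has order 11
    composite_q = (31, 15, 2)  # q = 15 = 3*5 divides 30, 2^15 == 1 mod 31
    for p, q, g in (good, composite_q):
        print((p, q, g), check_dsa_params(p, q, g, min_q_bits=0),
              "actual order of g:", element_order(g, p))
```

With the composite set, `check_dsa_params` reports "q is not prime" even though `g^q == 1`, and `element_order` shows the real subgroup is of size 5 rather than 15; with the default `min_q_bits` both toy sets are also flagged as far too small, which is the behaviour you want from a validator rather than the acceptance the post describes.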