How to Backdoor Diffie-Hellman

How to Backdoor Diffie-Hellman – David Wong


Lately, several backdoors in cryptographic constructions, protocols and implementations have surfaced in the wild: Dual-EC in RSA’s BSAFE product, a modified Dual-EC in Juniper’s operating system ScreenOS, and a non-prime modulus in the open-source tool socat. Many papers have already discussed the fragility of cryptographic constructions that do not use nothing-up-my-sleeve numbers, as well as how such numbers can be safely picked. However, the question of how to introduce a backdoor into an already secure, safe and easy-to-audit implementation has so far rarely been researched in public.


David Wong (Twitter: @lyon01_david) is a Security Consultant on the Cryptography Services team of NCC Group. He has been working in security for over a year now and has been part of several publicly funded open source audits, such as those of OpenSSL and Let’s Encrypt. He has conducted research in many domains of cryptography, publishing whitepapers as well as writing numerous editions of the Cryptography Services private bulletin. He has been a trainer for cryptography courses at BlackHat US 2015 and BlackHat US 2016.