dhparam generates insecure groups (non-quadratic generators) #342
It has recently come to my attention that the dhparam command of both openssl and libressl generates insecure groups: when I request a generator (2 or 5), the library will search for a safe prime (good) for which this generator is not a square (terrible). Yes, the squares represent a subgroup and therefore reduce the group size, but it has precisely half the size and, unlike the entire group, prime order. The result of this is that DDH becomes easy to solve, meaning that you cannot use those parameters for things like ElGamal encryption without enabling distinction attacks.
This was noticed (apparently without understanding the implications) 15 years ago but the person who did decided to just add the following comment instead of fixing it:
This is a serious security issue and I know of at least one serious protocol intended for real-world usage (with security proof!) that gets completely broken by this.
I planned to submit this issue to both libraries, but for some reason the OpenSSL GitHub won't let me do it, so I'll see towards informing them later.
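The following is an added example, not code from the issue or from either library: it checks a candidate (p, g) for exactly the property the report describes, namely a safe prime p whose generator g is a non-square and therefore generates the full order-2q group instead of the prime-order subgroup, and shows why that matters (the public value g^x then reveals the parity of x). The small safe primes used as input are constructed for the demonstration.

```python
# Added example (not from the issue): audit a DH group (p, g) for the flaw
# described above and show the resulting exponent-parity leak.
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; the fixed bases make it deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    bases = list(SMALL_PRIMES) + [random.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def is_square_mod(a, p):
    """Euler's criterion: True iff a is a quadratic residue modulo the odd prime p."""
    return pow(a % p, (p - 1) // 2, p) == 1

def check_dh_group(p, g):
    """Return (p_is_safe_prime, g_is_square, order_of_g); assumes 1 < g < p-1.
    For a safe prime p = 2q+1 a square g has order q, a non-square has order 2q."""
    q = (p - 1) // 2
    safe = is_probable_prime(p) and is_probable_prime(q)
    square = is_square_mod(g, p)
    return safe, square, (q if square else 2 * q)

def exponent_parity(p, g, y):
    """If g is a non-square, y = g^x mod p is a square exactly when x is even,
    so the public value leaks x mod 2 (this is what makes DDH easy).
    Returns None when g is a square, i.e. no such leak."""
    if is_square_mod(g, p):
        return None
    return 0 if is_square_mod(y, p) else 1

def subgroup_generator(p, g):
    """Mitigation: g*g mod p always lies in the order-q subgroup of a safe prime."""
    return g if is_square_mod(g, p) else g * g % p
```

With p = 59 (a constructed safe prime, 59 = 3 mod 8) the generator 2 is a non-square and every public value leaks the low bit of the secret exponent; with p = 23 the same generator is a square and no bit leaks.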