How to Backdoor Diffie-Hellman

Presented at ToorCon San Diego 18 (2016), Oct. 15, 2016, 4:30 p.m. (50 minutes)

Lately, several backdoors in cryptographic constructions, protocols and implementations have surfaced in the wild: Dual-EC in RSA’s B-Safe product, a modified Dual-EC in Juniper’s operating system ScreenOS, and a non-prime modulus in the open-source tool socat. Many papers have already discussed the fragility of cryptographic constructions that do not use nothing-up-my-sleeve numbers, as well as how such numbers can be safely picked. However, the question of how to introduce a backdoor into an already secure, safe and easy-to-audit implementation has so far rarely been researched publicly.


  • David Wong
    David Wong is a Security Consultant on the Cryptography Services team of NCC Group. He has been part of several publicly funded open source audits, such as the OpenSSL and Let’s Encrypt ones. He has conducted research in many domains of cryptography, publishing whitepapers as well as writing numerous editions of the Cryptography Services private bulletin. He has been giving a cryptography course at BlackHat US and has talked at various conferences, such as NCC Group’s open forum and Defcon’s crypto village. Prior to NCC Group, David graduated from the University of Bordeaux with a Master’s in Cryptography, and prior to this from the University of Lyon and McMaster University with a Bachelor’s in Mathematics.