- backdoor_generator.sage is a script to generate the backdoored DH parameters.
- dhparams_exporter.py is a script to export your backdoored parameters to go code (the attack in /attack is coded in go) or to an ASN.1 DER encoded file (for anything OpenSSL).
- backdoor_generator_tests.sage is a script that tests the attacks.

The obvious way of building a backdoor is to ease the discrete logarithm problem for one of the public keys. This can be achieved by making one of the following discrete logarithm algorithms easier:

- Pollard Rho (O(sqrt(p)) with p the order of the base)
- NFS (depends on the modulus)
- SNFS (depends on the modulus as well)
- Pohlig-Hellman (O(sqrt(q)) with q the largest factor of the order)

In order to make the backdoor NOBUS we use a composite modulus. There are two methods here: hide in the composite modulus a small subgroup generated by a specific generator (CM-HSS), or hide in the composite modulus a smooth order that we can use with Pohlig-Hellman (CM-HSO). These methods are documented in backdoor_generator.sage and are detailed in /whitepaper.tex (work in progress paper).
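
The composite modulus that both methods rely on is something a party receiving DH parameters can test for. The following validation sketch is an added example, not part of this repository: it rejects a modulus that fails a primality test and flags parameters whose group order is not 2q with q prime, the case in which Pohlig-Hellman has no small factors to work with. The function names and sample values are constructed for illustration.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases (fixed bases can be fooled by crafted input)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # a is a witness: n is composite
    return True

def audit_dh_params(p, g):
    """Return a list of findings; an empty list means every check passed."""
    if not is_probable_prime(p):
        # Without the factorization the group order is unknown to the verifier.
        return ["modulus is composite"]
    findings = []
    if not is_probable_prime((p - 1) // 2):
        findings.append("modulus is not a safe prime")
    if g % p in (0, 1, p - 1):
        findings.append("generator has order at most 2")
    return findings

# Constructed toy parameters (real moduli are 2048 bits or more).
SAMPLES = {
    "safe prime": (23, 5),          # 23 = 2*11 + 1
    "composite modulus": (1081, 5), # 1081 = 23 * 47
    "non-safe prime": (13, 2),      # (13 - 1) / 2 = 6
    "degenerate generator": (23, 22),
}

if __name__ == "__main__":
    for name, (p, g) in SAMPLES.items():
        print(f"{name}: {audit_dh_params(p, g) or 'ok'}")
```

The safe-prime check is deliberately strict: parameters that use a prime with a declared subgroup order q (DSA-style) need a different check, namely that q is prime, q divides p - 1, and g^q mod p equals 1.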