Bypassing Elliptic Curve Co-Factor Diffie Hellman security in OpenSSL beta

  • Dmitry Belyavsky (Creator)
  • Billy Brumley (Creator)
  • Jesus Chi Dominguez (Creator)
  • Luis Rivera Zamarripa (Creator)
  • Igor Ustinov (Creator)



This document is for reproducing one of the research results from the manuscript "Set It and Forget It! Turnkey ECC for Instant Integration", to appear at the 2020 Annual Computer Security Applications Conference (ACSAC). This is one of the vulnerabilities included under ECCKAT, Section 3.4 ("OpenSSL: ECC CDH vulnerability").

It demonstrates bypassing Elliptic Curve Co-factor Diffie Hellman (ECC CDH) security, which should fail to derive a shared key if a peer point is not a multiple of the generator. Here the generator is for the NIST B-233 binary curve.

The vulnerability was in a development version of OpenSSL 1.1.1, fixed before the official release of OpenSSL 1.1.1 (Sep 2018).
Date made available31 Aug 2020
Date of data production2020

Field of science, Statistics Finland

  • 213 Electronic, automation and communications engineering, electronics
  • Set It and Forget It! Turnkey ECC for Instant Integration

    Belyavsky, D., Brumley, B. B., Chi-Domínguez, J.-J., Rivera-Zamarripa, L. & Ustinov, I., 2020, Annual Computer Security Applications Conference (ACSAC). ACM, p. 760-771 12 p. 3427291

    Research output: Chapter in Book/Report/Conference proceedingConference contributionScientificpeer-review

    Open Access
    5 Citations (Scopus)
    17 Downloads (Pure)

Cite this