The Diffie-Hellman key exchange is a method of securely exchanging cryptographic keys over a public channel. In various systems, the protocol uses a multiplicative group of integers modulo p, where p is a prime. A public value g is a primitive root modulo p and is raised, on each side of the cryptographic transaction, to an exponent that side keeps secret. Because of the properties of multiplicative groups, the two exchanged values, each being g raised to one party's secret, can be combined to form a shared secret between the two parties. Because of the discrete logarithm problem, an eavesdropper is unable to easily derive the shared secret.
In 1992, Daniel M. Gordon published a paper entitled “Designing and detecting trapdoors for discrete log cryptosystems”, CRYPTO '92, Lecture Notes in Computer Science vol. 740, pp. 66-75. In the paper, Gordon realized that special primes are vulnerable to the special number field sieve, meaning that such primes are not as secure as believed. Further, Gordon realized that the special structure of such primes could be fairly well hidden. Thus, an attacker who planted such a prime can use this backdoor to recover other parties' agreed secret key after observing the public messages exchanged during any Diffie-Hellman key agreement session.
Further, the security risks associated with a selected field size p may include other vulnerabilities in addition to Gordon's attack. These may include, for example: potential vulnerability to the special number field sieve, either hidden as in Gordon's attack or open; potential vulnerability to other secret algorithms against the discrete logarithm problem that may affect a random Diffie-Hellman field size only with small probability; potential vulnerability to a weak Diffie-Hellman problem, even if the discrete logarithm problem remains hard; the threat of small subgroup attacks; and non-optimal efficiency of arithmetic among Diffie-Hellman moduli of comparable security. While some methods attempt to reduce some of the potential vulnerabilities above, no current method addresses all of them.
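As an added example, not taken from the text above, the following Python code runs the exchange described in the first paragraph and adds the parameter and public-value checks that the listed risks call for: it verifies that p is a safe prime and g a primitive root, and rejects the order-1 and order-2 public values a small-subgroup attacker would substitute. The toy values p = 23, g = 5 and the exponents 6 and 15 are constructed for illustration and are not from the page.

```python
import secrets

def prime_factors(n):
    """Trial-division factoring; adequate for the toy sizes used here."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(g, p):
    # g generates all of Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1
    return 1 < g < p and all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def is_safe_prime(p):
    # p = 2q + 1 with q prime: the subgroups of Z_p^* then have order 1, 2, q or 2q only
    q = (p - 1) // 2
    return p > 5 and prime_factors(p) == {p} and prime_factors(q) == {q}

def valid_peer_value(y, p):
    # Reject 0, 1 and p-1: the order-1 and order-2 elements. With a safe prime
    # these are the only small subgroups, so this range check blocks the attack.
    return 1 < y < p - 1

def random_exponent(p):
    """Secret exponent in [2, p-2] (constructed helper, not from the page)."""
    return secrets.randbelow(p - 3) + 2

def dh_session(p, g, a, b):
    """Run one exchange; returns (Alice's secret, Bob's secret). Only p, g, A, B are public."""
    if not (is_safe_prime(p) and is_primitive_root(g, p)):
        raise ValueError("reject parameters: p must be a safe prime and g a primitive root")
    A = pow(g, a, p)          # Alice -> Bob
    B = pow(g, b, p)          # Bob -> Alice
    if not (valid_peer_value(A, p) and valid_peer_value(B, p)):
        raise ValueError("reject public value: possible small-subgroup substitution")
    return pow(B, a, p), pow(A, b, p)

if __name__ == "__main__":
    # Toy parameters (constructed): p = 23 = 2*11 + 1 is a safe prime, g = 5 is a primitive root mod 23
    k_alice, k_bob = dh_session(23, 5, 6, 15)
    print(k_alice, k_bob)     # both 2
```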