[Cryptography] Defending against weak/trapdoored keys

Henry Baker hbaker1 at pipeline.com
Wed Oct 12 14:55:00 EDT 2016


Here's my (hopefully non-lame) attempt to fix DH to defend against weak and/or trapdoored primes/ECC-groups.

Threat model:

Alice & Bob generally trust one another; however, neither Alice nor Bob trusts the other's prime or ECC group, although each trusts his/her own.

Eve, as usual, can see all of Alice & Bob's communications, but is otherwise passive.  Eve may have previously provided weak/trapdoored primes/ECC-groups to either or both of Alice and Bob, who then in turn use these weak primes/groups "unwittingly".

The basic idea is to make the DH exchange fully symmetrical, where Alice provides Bob with her prime/group, and Bob provides Alice with his prime/group.  In the off chance that either provides the other with a prime/group that the recipient doesn't like, they can force a redo.  In particular, if they happen to select the same prime/group, then both will likely force a redo.

After both sets of simple (asymmetric) DH exchanges, Alice & Bob share secret1 from Alice's prime/group and secret2 from Bob's prime/group.

Both Alice and Bob compute (secret1 XOR secret2) to produce the shared secret for session symmetric crypto.

Yes, this protocol requires 2X the amount of computation, but processor power is becoming the least of our worries.

Does this protocol work?
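The exchange as described above, written out as an added Python example (not code from the post): two toy mod-p groups stand in for the two parties' primes/ECC groups, each side may veto the other's group, ordinary DH runs in each group, and the two secrets are XORed. Hashing the XOR down to a fixed-length session key is an added assumption, as are the toy parameters, which are far too small for real use.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    p: int  # prime modulus (an ECC group would be modelled the same way)
    g: int  # generator

# Constructed toy parameters for the demo only; real use needs large primes.
ALICE_GROUP = Group(p=23, g=5)  # 23 = 2*11+1 is a safe prime, 5 generates
BOB_GROUP = Group(p=47, g=5)    # 47 = 2*23+1 is a safe prime, 5 generates

def accept_peer_group(own: Group, peer: Group) -> bool:
    """The recipient's veto: refuse a peer group you don't like. The one
    rule the post states is that the same group on both sides forces a redo."""
    return peer != own

def dh_public(group: Group, x: int) -> int:
    return pow(group.g, x, group.p)

def dh_shared(group: Group, peer_pub: int, x: int) -> int:
    return pow(peer_pub, x, group.p)

def session_key(secret1: int, secret2: int, width: int) -> bytes:
    """The post's combination step: secret1 XOR secret2. Hashing the result
    to a fixed-length key is an added assumption, not part of the post."""
    mixed = secret1 ^ secret2
    return hashlib.sha256(mixed.to_bytes(width, "big")).digest()

def run_exchange(a1, a2, b1, b2, alice_group=ALICE_GROUP, bob_group=BOB_GROUP):
    """Symmetric dual-group DH. a1, b1 are Alice's and Bob's private exponents
    in Alice's group; a2, b2 their exponents in Bob's group. Returns None on a
    forced redo, otherwise both sides' secrets and derived keys."""
    # Round 1: each side offers its group; either side may veto.
    if not (accept_peer_group(alice_group, bob_group)
            and accept_peer_group(bob_group, alice_group)):
        return None
    # Round 2: ordinary DH in Alice's group ...
    A1, B1 = dh_public(alice_group, a1), dh_public(alice_group, b1)
    # ... and, independently, ordinary DH in Bob's group.
    A2, B2 = dh_public(bob_group, a2), dh_public(bob_group, b2)
    # Eve sees both groups and A1, B1, A2, B2, but none of a1, a2, b1, b2.
    s1_alice, s1_bob = dh_shared(alice_group, B1, a1), dh_shared(alice_group, A1, b1)
    s2_alice, s2_bob = dh_shared(bob_group, B2, a2), dh_shared(bob_group, A2, b2)
    width = (max(alice_group.p, bob_group.p).bit_length() + 7) // 8
    return {
        "secret1": s1_alice, "secret2": s2_alice,
        "alice_key": session_key(s1_alice, s2_alice, width),
        "bob_key": session_key(s1_bob, s2_bob, width),
    }
```

If Eve holds a trapdoor for one group she can recover that group's secret from the public values, but the XOR still hides it behind the other group's secret, which is the whole point of the post's construction.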


