Computational Diffie-Hellman Problem

Manoj Kumar
Abstract
Symmetric encryption algorithms are fast and efficient, but the security of the shared key is critical. The shared secret key is sent over an insecure channel and is vulnerable to an attacker. The Diffie-Hellman key exchange provides a mechanism to compute the same shared secret individually at both the sender's and the receiver's end. The security of the Diffie-Hellman key exchange depends entirely upon the complexity of computing the private key. In this report, we explore the Diffie-Hellman key exchange mechanism and its computational complexity. This report discusses the discrete logarithm problem (DLP) and relates it to the Computational Diffie-Hellman problem (CDHP).
KEYWORDS: Diffie-Hellman key exchange, Finite Groups, CDHP, DLP
1 Background on Diffie-Hellman key exchange
The Diffie-Hellman key exchange protocol [1] is used to exchange cryptographic keys securely between two parties over an insecure channel. Symmetric encryption [2] requires the shared key to be exchanged over the insecure channel. The Diffie-Hellman key exchange mechanism solves this key exchange problem by computing identical keys individually at each end.
For any two users Alice and Bob, the Diffie-Hellman key exchange protocol works in the following way.
Figure 1. Diffie-Hellman key exchange
Source: Google images
• Alice and Bob select domain parameters p and α such that
$p \in \mathbb{P}$
$\alpha \in \mathbb{Z}$
Note - p and α are very large numbers
• Step 1 - Alice generates her private key a
$a = K_{prA} \in \{2, 3, \ldots, p-2\}$
• Step 2 - Bob generates his private key b
$b = K_{prB} \in \{2, 3, \ldots, p-2\}$
• Step 3 - Alice generates her public key A
$A = K_{pubA} \equiv \alpha^a \pmod{p}$
• Step 4 - Bob generates his public key B
$B = K_{pubB} \equiv \alpha^b \pmod{p}$
• Step 5 - Alice and Bob exchange their respective public keys with each other over the insecure medium.
• Step 6 - Alice calculates the shared key $K_{AB}$ with the help of Bob's public key B and her private key a
$K_{AB} \equiv B^a \pmod{p}$
• Step 7 - Bob calculates the shared key $K_{AB}$ with the help of Alice's public key A and his private key b
$K_{AB} \equiv A^b \pmod{p}$
We can observe that Alice and Bob both calculate the same shared key $K_{AB}$.
1.1 Proof
The following is the proof that the shared key $K_{AB}$ is the same for both Alice and Bob. We know that
$A = \alpha^a$, so $A^b = (\alpha^a)^b = \alpha^{ab}$   (1)
$B = \alpha^b$, so $B^a = (\alpha^b)^a = \alpha^{ab}$   (2)
By (1) and (2), the $K_{AB}$ values generated by Alice and Bob are equal.
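Steps 1 to 7 and the equality from the proof, as an added Python example that is not part of the original report. It uses the toy values p = 47 and α = 5 from the report's later DLP example; the function names and the range check on the received public key are additions made here.

```python
import secrets

def generate_keypair(p, alpha):
    """Steps 1-4: private key from {2, ..., p-2}, public key alpha^private mod p."""
    while True:
        private = 2 + secrets.randbelow(p - 3)      # uniform over {2, ..., p-2}
        public = pow(alpha, private, p)
        if 2 <= public <= p - 2:                    # redraw if the public key is p-1
            return private, public

def check_peer_key(peer_public, p):
    """Added check, not one of the report's steps: a received value of
    0, 1 or p-1 would confine K_AB to {0, 1, p-1}, so reject it."""
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public key outside {2, ..., p-2}")
    return peer_public

def shared_key(peer_public, private, p):
    """Steps 6-7: K_AB = B^a mod p for Alice, A^b mod p for Bob."""
    return pow(check_peer_key(peer_public, p), private, p)

def run_exchange(p, alpha):
    """Run steps 1-7 once and return both computed keys and the channel traffic."""
    a, A = generate_keypair(p, alpha)               # Alice
    b, B = generate_keypair(p, alpha)               # Bob
    on_the_wire = (A, B)                            # Step 5: all an eavesdropper sees
    return shared_key(B, a, p), shared_key(A, b, p), on_the_wire

if __name__ == "__main__":
    P, ALPHA = 47, 5                                # toy values, far too small for real use
    k_alice, k_bob, wire = run_exchange(P, ALPHA)
    print("public values:", wire, "K_AB:", k_alice, "match:", k_alice == k_bob)
```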
1.2 Use of the shared key ($K_{AB}$)
The generated shared key $K_{AB}$ can be used to encrypt and decrypt data with symmetric encryption.
Encryption
For any plain text X, we generate cipher text Y using the Advanced Encryption Standard (AES) and the shared key $K_{AB}$
$Y = AES_{K_{AB}}(X)$
Decryption
For any cipher text Y, we generate plain text X using AES and the shared key $K_{AB}$
$X = AES_{K_{AB}}(Y)$
2 Diffie-Hellman and Finite Groups
The Diffie-Hellman key exchange algorithm can use any finite group to compute the shared key for Alice and Bob. However, the complexity of computation is a critical factor when selecting a finite group for DH calculations. For example, computation in the additive group of the residue ring $\mathbb{Z}/m\mathbb{Z}$ is relatively easier than computation in the multiplicative group of the residue ring $\mathbb{Z}/m\mathbb{Z}$. The following are examples of groups which are used and are more secure than others:
• Multiplicative group of the finite field GF(q), where $q \in \mathbb{P}$ or $q = 2^n$ for any integer n.
• Elliptic curve points over a finite field.
• The class group of a quadratic number field.
• Hyperelliptic curve
3 Discrete logarithm problem (DLP)
Definition - Let $\mathbb{Z}_m^*$ be a cyclic group of order n, where $p \in \mathbb{Z}_m^*$ and g is a primitive element of the group $\mathbb{Z}_m^*$. For any element $y \in \mathbb{Z}_m^*$, the discrete logarithm problem is to find an integer x such that:
$g^x = y \pmod{p}$
The DLP [3] is particularly critical in ensuring the security of the Diffie-Hellman key exchange, as the Diffie-Hellman key exchange relies on the difficulty of computing the private keys from known domain parameters, such as A, B, Kp or $\alpha^{ab}$, which are shared over the insecure channel.
Example [4] -
For a cyclic group $\mathbb{Z}_{47}^*$ where
y = 41, g = 5, p = 47
we have to calculate,
$g^x = y \pmod{p}$
which is,
$5^x = 41 \bmod 47$
The discrete logarithm problem is to calculate x. In this case, using logarithm, we can calculate x as 15. However, in practice, the values of g and p are very large integers, which makes the calculation of x computationally infeasible.
4 Computational Diffie-Hellman problem (CDHP)
In the Diffie-Hellman key exchange, the attacker knows A, B, p and g. In order to intercept the encrypted message, he wants to know $K_{AB}$.
In this case,
$K_{AB} = g^{ab}$
This is called the computational Diffie-Hellman problem [5].
Definition - For any cyclic group G with primitive element α, where $\alpha^a$, $\alpha^b$ and $p \in G$, the computation of $\alpha^{ab} \pmod{p}$ is known as the CDHP or computational Diffie-Hellman problem.
4.1 Solving CDHP
We need the following two steps to solve the CDHP. We assume that the attacker already has all parameters shared over the insecure channel.
Step-1
Compute
$a = \log_\alpha A \pmod{p}$
Step-2
The attacker knows a from Step-1. Calculate
$B^a = K_{AB} = \alpha^{ab}$
It is evident that Step-1 is to solve the DLP in order to obtain the value of a from $\alpha^a$. If the attacker is able to solve the DLP, then the Diffie-Hellman key exchange mechanism is broken. This has been positively tested on keys generated from weak additive finite groups. However, it is computationally infeasible for the attacker to compute Step-1, given that a, b and p have large values and the algorithm is not using a computationally weak cyclic group. As of now, the only known way to solve the CDHP is solving the DLP first. To maintain the security of the Diffie-Hellman key exchange, one needs to make sure that p is very large and is not vulnerable to the Index-Calculus method. The following table [4] shows the record of computing DLP.
Digits (Decimal)   Bit length   Year of Attack
58                 193          1991
65                 216          1996
85                 282          1998
120                399          2001
135                448          2006
160                532          2007
To avoid the Index-Calculus attack, p should be in the range of $2^{1024}$ to $2^{2048}$.
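An added example, not from the original report: the report's DLP example ($5^x = 41 \bmod 47$) and Step-1 and Step-2 of Section 4.1 carried out on that toy group, to show why a small p gives no protection. The solver is baby-step giant-step, a generic square-root method used here for brevity rather than the Index-Calculus method the report names; Bob's private key b = 9 and all function names are constructed for illustration.

```python
from math import isqrt

def discrete_log(g, y, p):
    """Baby-step giant-step: return x with g^x = y (mod p), or None.

    Time and memory grow like sqrt(p), which is why this only works
    for toy-sized p (Python 3.8+ for the negative exponent in pow).
    """
    m = isqrt(p - 1) + 1
    baby = {}                       # g^j -> j for 0 <= j < m
    value = 1
    for j in range(m):
        baby.setdefault(value, j)
        value = value * g % p
    step = pow(g, -m, p)            # g^(-m) mod p
    gamma = y % p
    for i in range(m):              # look for y * g^(-i*m) among the baby steps
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    return None

def solve_cdh(alpha, p, A, B):
    """Section 4.1: Step-1 recovers a = log_alpha(A), Step-2 returns B^a mod p."""
    a = discrete_log(alpha, A, p)
    if a is None:
        raise ValueError("A is not a power of alpha modulo p")
    return pow(B, a, p)

def table_size(p_bits):
    """Approximate baby-step table entries needed for a p of this bit length."""
    return 1 << ((p_bits + 1) // 2)

if __name__ == "__main__":
    p, alpha = 47, 5                          # the report's example group
    print(discrete_log(alpha, 41, p))         # the report's DLP example
    B = pow(alpha, 9, p)                      # constructed: Bob's private key b = 9
    print(solve_cdh(alpha, p, 41, B))         # K_AB from public values only
    print(table_size(1024).bit_length() - 1)  # log2 of table entries at 1024 bits
```

At 47 the table has 7 entries; at a 1024-bit p the same method would need on the order of $2^{512}$ entries, which is the gap the report's size recommendation relies on for generic attacks.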
5 Conclusion
The security of the DH key exchange depends entirely upon the impossibility of computing the private keys. If it is feasible to solve the DLP for the particular finite group used in the DH key exchange process, then that DH key exchange process is vulnerable. The first known step to break any DH mechanism is to perform the DLP on publicly known values. This also leads to the conclusion that for some finite groups the CDHP can be equivalent [6] to the DLP, since the only known way to break the CDHP goes through the DLP. It is recommended to use a very high value of the prime p to make it hard for an attacker to compute the private keys and obtain the shared key using the public and the private keys.
References
[1] E. Rescorla. Diffie-Hellman Key Agreement Method. RFC 2631, The Internet Engineering Task Force, June 1999. https://www.ietf.org/rfc/rfc2631.txt.
[2] IBM Knowledge Center. Symmetric key encryption. http://www.ibm.com/support/knowledgecenter/SSB23S_1.1.0.13/gtps7/s7symm.html.
[3] Kevin S. McCurley. The discrete logarithm problem. www.mccurley.org/papers/dlog.pdf.
[4] Jan Pelzl, Christof Paar. Understanding Cryptography. Springer, 2nd edition, 2010.
[5] Huafei Zhu, Feng Bao, Robert H. Deng. Variations of the Diffie-Hellman problem. pdf.aminer.org/000/314/734/variations_of_diffie_hellman_problem.pdf, 2003.
[6] David Fifield. The equivalence of the computational Diffie-Hellman and discrete logarithm problems in certain groups. https://www.math.auckland.ac.nz/~sgal018/crypto-book/ch21.pdf, 2012.