Computational Diffie-Hellman Problem Manoj Kumar [email protected] Abstract The Symmetric encryption algorithms are fast and efficient but security of the shared key is critical. The shared secret Key is shared over the the insecure channel and vulnerable to the attacker. The Diffie-Hellman key exchange provides a mechanism to compute same shared secret individually at both sender’s and receiver’s end. Security of the Diffie-Hellman key exchange is entirely depends upon the complexity of computation of the private key. In this report, we explore the Deffie-Hellman key exchange mechanism and its computational complexity. This report discusses discrete logarithm problem(DLP) and relate it to Computational Deffie-Hellman problem(CDHP). KEYWORDS: Diffie-Hellman key exchange, Finite Groups,CDHP, DLP 1 Background on Diffie-Hellman key exchange The Diffie-Hellman key exchange protocol[1] is used to exchange cryptographic keys securely between two parties over an insecure channel. The symmetric encryption[2] requires the shared key to be exchanged over the insecure channel. The DiffieHellman key exchange mechanism solves this problem of key exchange by computing identical keys individually at each end. For any two users Alice and Bob, the Diffie-Hellman key exchange protocol works in following way.1 Figure 1. Diffie-Hellman key exchange Source: Google images • Alice and Bob selects domain parameters p and α in such a way that pP αZ Note - p and α are very large numbers • Step 1 - Alice generates her private key a a = KprA ≡ [2, 3.....p − 2] • Step 2 - Bob generates his private key b b = KprB ≡ [2, 3.....p − 2] • Step 3 - Alice generates her public key A A = KpubA ≡ αa (modP ) • Step 4 - Bob generates his public key B B = KpubB ≡ αb (modP ) • Step 5 - Alice and Bob exchange their respective public keys with each other over insecure medium. • Step 6 - Alice calculate the shared key KAB with the help of Bob’s public key B and her private key a KAB ≡ B a (modp) • Step 7 - Bob calculate the shared key KAB with the help of Alice’s public key A and her private key b KAB ≡ Ab (modp) We can observe that Alice and Bob both calculate same shared Key KAB 1.1 Proof Following is the proof that the shared key KAB is same for both Alice and Bob. We know that, b A = αa . Ab = αa = αab B = αb . B a = αb = αab a (1) (2) By (1) and (2), KAB generated by Alice and Bob are equal. 1.2 Use of the shared key(KAB ) Generated the shared keyKAB can be used to encrypt and decrypt data with the symmetric encryption. Encryption For any plain text X, we generate cipher text Y using Advance encryption standard (AES) and the shared key KAB Y = AESKAB (X) Decryption For any cipher text Y, we generate plain text x using AES and the shared key KAB X = AESKAB (Y ) 2 Diffie-Hellman and Finite Groups The Diffie-Hellman key exchange algorithm can use any finite group to compute the shared key for Alice and Bob. However, Complexity of computation is critical factor while selecting finite group for DH calculations. For example, computation of additive group of residue ring Z/mZ is relatively easier than computation of multiplicative group of residue Z/mZ. Following are the examples of groups which are used and more secure than others: • Multiplicative group of finite field GF(q) , where q P or 2n for any integer n. • Elliptic curve’s point a over Finite field. • The class group of a quadratic number field. • Hyperelliptic curve 3 Discrete logarithm problem (DLP) Definition - For any cyclic group Z∗m of order n, where pZ∗m and g be the primitive element for group Z∗m . For any element yZ∗m , the discrete logarithm problem is to find any integer x such that: g x = y(modp) The DLP [3] is particularly critical in ensuring the security of the Deffie-Hellman key exchange as the Deffie-Hellman key exchange relies on the difficulty of computation of the private keys out of known domain parameters, such as A, B, Kp or αab which are shared over insecure channel. Example[4] - For a cyclic group Z4∗ where y = 41, g = 5, p = 47 we have to calculate, g x = y(modp) which is, 5x = 41mod47 The Discrete logarithm problem is to calculate x. In this case, using logarithm, we can calculate x as 15. However, In practice, values of g and p are very very large integers, which makes calculation of x computationally unfeasible. 4 Computational Diffie-Hellman problem(CDHP) In Deffie-Hellman key exchange, the attacker knows A, B and p and g. In order to intercept the encrypted message, he wants to know KAB . In this case, KAB = g ab This is called the computational Deffie-Helmann problem [5]. Definition - For any cyclic group G with primitive element α where αa , αb and p G. Computation of αab (modp) is known as the CDHP or computational Diffie-Hellman problem. 4.1 Solving CDHP We need following two steps to solve CDHP. We assume that, the attacker already have all parameter shared over the insecure channel. Step-1 Compute a = logα A(modp) Step-2 Attacker knows a from step-1. Calculate B a = KAB = αab it is evident that Step-1 to solve DLP in order to obtain value from αa . If attacker is able to solve DLP problem, then the Diffie-Hellman key exchange mechanism is broken. This has been positively tested on the keys generated from weak additive finite groups. However, It is unfeasible to compute Step-1 computationally for attacker given that a,b, p have large values and algorithm is not using computationally weak cyclic group. As of now, only known way to solve CDHP is solving DLP first. To maintain the security of Deffie-Hellman key exchange, one need to make sure that p is very large and can not be vulnerable to Index-Calculus method. Following table [4] shows the record of computing DLP. First Row Digits(Decimal) Bit length Year of Attack Second Row 58 193 1991 Third Row 65 216 1996 Fourth Row 85 282 1998 Sixth Row 120 399 2001 Seventh Row 135 448 2006 Fourth Row 160 532 2007 To avoid Index-Calculus attack p should be in the range of 21024 − 22048 . 5 Conclusion Security of the DH key exchange is entirely depends upon the impossibility of computation of the private keys. If it is feasible to solve the DLP for particular finite group used in the DH key exchange process then that DH key exchange process is vulnerable. First known step to break any DH mechanism to perform the DLP on publicly known values. This also leads to the conclusion that for some finite groups CDHP can be equivalent[6] to the DLP, since only know way to break CDHP goes through DLP. It is recommended to use very high value of prime p to make it hard for attacker to compute the private keys and obtain the shared key using the public and the private keys. References [1] E. Rescorla. Diffie-Hellman Key Agreement Method. RFC 2631, The Internet Engineering Task Force, June 1999. https://www.ietf.org/rfc/rfc2631.txt. [2] IBM Knowledge Center. Symmetric key encryption. http://www.ibm.com/ support/knowledgecenter/SSB23S_1.1.0.13/gtps7/s7symm.html. [3] Kevin S. McCurley. The discrete logarithm problem. papers/dlog.pdf. www.mccurley.org/ [4] Jan Pelzl Christof Paar. Understanding Cryptography. Springer, 2nd edition, 2010. [5] Huafei Zhu Feng Bao, Robert H. Deng. Variations of the diffie-hellman problem. pdf.aminer.org/000/314/734/variations_of_diffie_hellman_ problem.pdf, 2003. [6] David Fifield. The equivalence of the computational diffie-hellman and discrete logarithm problems in certain groups. https://www.google. fi/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&sqi=2&ved= 0ahUKEwiy892qi-LQAhWLBcAKHXOODTMQFghFMAY&url=https%3A% 2F%2Fwww.math.auckland.ac.nz%2F~sgal018%2Fcrypto-book% 2Fch21.pdf&usg=AFQjCNHYD4vWJVgeubmwH8o9DabIxhOk_A&sig2= Bvz3agcy22KY0bGWoooVMg&bvm=bv.140496471,d.d24&cad=rja, 2012.
© Copyright 2024 Paperzz