public key cryptosystems diffie hellmangauss.ececs.uc.edu/courses/c6053/lectures/pdf/dh.pdf ·...

Public Key Cryptosystems Diffie Hellman

Public Key Cryptosystems Diffie HellmanGet two parties to share a secret number that no one else knows

Public Key Cryptosystems Diffie HellmanGet two parties to share a secret number that no one else knows

Receiver Sender

Public Key Cryptosystems Diffie HellmanGet two parties to share a secret number that no one else knowsCan only use an insecure communications channel for exchange

Receiver Sender

Attacker


Sender

Attacker

p,g

p: prime & (p1)/2 primeg: less than p n = gk mod p for all 0<n<p and some k

Receiver

(see http://gauss.ececs.uc.edu/Courses/c6053/lectures/Math/Group/group.html)

Public Key Cryptosystems Diffie HellmanA safe prime p: p = 2q + 1 where q is also prime Example: 479 = 2*239 + 1

If p is a safe prime, then p1 has large prime factor, namely q.

If all the factors of p1 are less than logcp, then the problem of solving the discrete logarithm modulo p is in P (it's easy). Therefore, for cryptosystems based on discrete logarithm (such as DiffieHellman) it is required that p1 has at least one large prime factor.

Public Key Cryptosystems Diffie HellmanA strong prime p: p is large p1 has large prime factors (p = aq+1 for integer a and prime q) q1 has large prime factors (q = br+1 for integer b, prime r) p+1 has large prime factors.

A “large” safe prime is likely to be a strong prime.

The performance of some algorithms that factor n = p*q where p and q are prime numbers depends on how large each is they are slower if one of the factors is a large prime.


Important property:

(ga mod p)b mod p = (gb mod p)a mod p

p: prime & (p1)/2 primeg: less than p n = gk mod p for all 0<n<p and some k

(see http://gauss.ececs.uc.edu/Courses/c6053/lectures/Math/Modpow/modulo.html)


Important property:


Example: p = 563, g = 5, a = 9, b = 14

59 mod 563 = 1953125 mod 563 = 78

7814 = 308549209196654470906527744 mod 563 = 117


Important property:


Example: p = 563, g = 5, a = 9, b = 14

59 mod 563 = 1953125 mod 563 = 78

7814 = 308549209196654470906527744 mod 563 = 117

514 mod 563 = 6103515625 mod 563 = 534

5349 = 153312511596308814665178256828300148736 mod 563 = 117


Receiver Sender

Attacker

563, 5


Receiver Sender

Attacker

563, 5

9


Receiver Sender

Attacker

563, 5

914


Receiver Sender

Attacker

563, 5

91478

59 mod 563 = 78


Receiver Sender

Attacker

563, 5

914

7814 mod 563 = 117


Receiver Sender

Attacker

563, 5

914

117


Receiver Sender

Attacker

563, 5

914

534 mod 563 = 1179

534

117

514 mod 563 = 534


Receiver Sender

Attacker

563, 5

914

117 117

Public Key Cryptosystems Diffie HellmanVulnerability to the "Maninthemiddle" attack

Receiver Sender

Attacker

563, 5

914

34


Receiver Sender

Attacker

563, 5

914

34

78


Receiver Sender

Attacker

563, 5

914

34 250


Receiver Sender

Attacker

563, 5

914

34

205

250


Receiver Sender

Attacker

563, 5

914

34

459

250


Receiver Sender

Attacker

563, 5

914

34

534

459

250


Receiver Sender

Attacker

563, 5

914

34

459

250

459


Receiver Sender

Attacker

563, 5

914

34

459

250

459

205


Receiver Sender

Attacker

563, 5

914

34

459

250

459

250

Public Key Cryptosystems Diffie HellmanFixing the vulnerability to the "Maninthemiddle" attack

Receiver Sender

Attacker

563, 5

78534

205

Public Key Cryptosystems Diffie HellmanWhere is the security?

Attacker sees A=g a mod p, B=g

b mod p but does not know a, b

Public Key Cryptosystems Diffie HellmanWhere is the security?

Attacker sees A=g a mod p, B=g

b mod p but does not know a, b

Attacker needs to compute K=gab mod p from the above.Can be done if it is feasible to take the logp A and logp B

This is called the discrete logarithm problem.

Computing the discrete logarithm of a number modulo p takes roughly the same amount of time as factoring the product of two primes the same size as p, which is what the security of the RSA cryptosystem relies on. Thus, the DiffieHellman protocol is roughly as secure as RSA.

Public Key Cryptosystems Diffie HellmanSigning a message: Let p, q, r be primes such that p = 2q+1, and q = 2r+1

Let m be the message to be signed.

Let x be a permanent secret key owned by the signer

Let gx mod q be the public key associated with x





Generate a random secret y with public key gy mod p Let Y = (gy mod p) mod q; calculate the signature s: Find a, b, c s.t. ax + by = c mod q Send: a,b,c,Y Receiver has: gx mod q, p, q





Generate a random secret y with public key gy mod p Let Y = (gy mod p) mod q; calculate the signature s: Find a, b, c s.t. ax + by = c mod q Send: a,b,c,Y Receiver has: gx mod q, p, q

Verify: (gx mod p)a × (gy mod p)b = gc mod q





Generate a random secret y with public key gy mod p Let Y = (gy mod p) mod q; calculate the signature s: Find a, b, c s.t. ax + by = c mod q the following are possibilities for a,b,c: a=m, b=Y, c=s ; a=1, b=Ym, c=s ; a=1, b=Ym, c=ms; a=1, b=Ym, c=Ys ; a=1, b=ms, c=Ys

Public Key Cryptosystems Diffie HellmanSigning a message: Why is the y needed?

Try this: s = x*m mod q – x is secret, q is public and safe to check the signature do this (receiver knows x):

gs mod q = (gx mod q)m mod q


Try this: s = x*m mod q – x is secret, q is public and safe to check the signature do this (receiver knows x):

gs mod q = (gx mod q)m mod q

But then x = s/m mod q revealing the secret x so that is why the extra secret y is used


Can't do this: s = xm mod q – to check the signature do

this: gs mod p = (gx mod q)m mod q But then x = s/m mod q revealing the secret x

A different y must be chosen for each signature Otherwise, if you have two sets of a, b, c for the same x, y, you can solve for the secrets x and y!!!


A different y must be chosen for each signature Otherwise, if you have two sets of a, b, c for the same x, y, you can solve for the secrets x and y.

El Gamal and DSA have a = 1, b = Ym, c = Ys

public key cryptosystems diffie hellmangauss.ececs.uc.edu/courses/c6053/lectures/pdf/dh.pdf ·...

Documents