13
Public-Key Cryptography

Key Exchange

All security guarantees of symmetric-key cryptography stem from the basic assumption that the sender and the receiver know a secret key that the adversary doesn't. It's finally time to face the obvious follow-up question: Where does this secret key come from?

This chapter is about how two users, who have no shared secrets, can obtain a shared secret even in the presence of an eavesdropper.

13.1. Cyclic groups

This chapter builds towards a key exchange protocol based on an algebraic structure called a cyclic group. The concept is best illustrated by an example involving multiplication modulo a prime:

Example 13.1.1 (Powers of 2 mod 13)

The following sage code prints the powers of 2 mod 13:

sage: [ 2^i % 13 for i in range(13) ] [1, 2, 4, 8, 3, 6, 12, 11, 9, 5, 10, 7, 1]

Notice that every number from {1,,12}\{1, \ldots, 12\} appears above. In other words:

Every element of {1,,12}\{1, \ldots, 12\} can be written as a power of 2 (mod 13).

This example shows that 2 is a special element mod 13. Other elements are not so special:

Example 13.1.2 (Powers of 3 mod 13)

Not every element of {1,,12}\{1, \ldots, 12\} can be written as a power of 3:

sage: [ 3^i % 13 for i in range(13) ] [1, 3, 9, 1, 3, 9, 1, 3, 9, 1, 3, 9, 1]

Only 1, 3, and 9 are powers of 3 mod 13.

Definition 13.1.3 (Cyclic groups)

A set G\G is called a group if it has an operation defined on its elements, which we will write as multiplication, that satisfies the following rules:

  • Closure: For any A,BGA,B \in \G, their product ABA\cdot B is also in G\G.

  • Identity: There is a special element 1G\hl{1} \in G such that 1A=A1=A1 \cdot A = A \cdot 1 = A for all AGA \in \G.

  • Associativity: For any A,B,CGA,B,C \in \G, we have (AB)C=A(BC)(A\cdot B)\cdot C = A\cdot (B\cdot C).

  • Inverses: For any AGA \in \G, there is an element A1GA^{-1} \in \G such that AA1=1A \cdot A^{-1} = 1.

The order of a group is its cardinality, G|\G|.

The group is called a cyclic group if there is a special element gGg \in \G, called a generator, such that:

G={g0,g1,g2,}. \G = \{ g^0, g^1, g^2, \ldots \}.

That is, every element of G\G can be written as a power of GG. In these expressions, gig^i means:

gi=gggi times. g^i = \underbrace{g \cdot g \cdots g}_{i\text{ times}}.

Generators of cyclic group are also sometimes called primitive roots.

Example 13.1.4 (Multiplicative group mod 13)

The set {1,,12}\{1, \ldots, 12\} is a group whose operation is multiplication mod 13. Recall from section 3.4 that since 13 is prime, every element in this set has a multiplicative inverse. Furthermore, this group is cyclic with 2 as a generator. This group has order 12.

A cyclic group can have more than one generator. See if you can find another generator of {1,,12}\{1, \ldots, 12\}.

Fact 13.1.5 (Multiplicative groups)

If n\nmod is prime, then the set Zn:={1,,n1}\hl{\Z_\nmod^*} := \{1, \ldots, \nmod-1\}, called the multiplicative group mod n\nmod, is a cyclic group with respect to multiplication-mod-n\nmod.

Multiplicative groups modulo a prime are a good mental model of cyclic groups. However, there are much better choices of cyclic groups for cryptography, which we will see later. Therefore, the results in this chapter are presented abstractly, in terms of an unspecified cyclic group.

If GG is cyclic with order n\nmod, then its elements can be written as {g0,g1,,gn1}\{ g^0, g^1, \ldots, g^{\nmod-1} \}. Thus:

  • One way to sample uniformly from G\G is to first sample an exponent aa uniformly from Zn\Z_\nmod and output gag^a.

  • Exponents in the group work mod n\nmod. In other words, we have:

    ga=ga%n. g^a = g^{a \pct \nmod}.

Finding a generator: To do cryptography in a cyclic group, you need to know a generator of the group. A generator can be found by trial and error, if you know the prime factorization of the group's order. We won't prove the following fundamental fact about groups:

Theorem 13.1.6 (Lagrange's theorem)

Let gg be an element (not necessarily a generator) of a group G\G, and define the order of gg as the smallest positive integer kk such that gk=1g^k = 1. Then for any gGg \in \G, the order of gg divides the order of the group G|\G|.

Another way to define the order of gg is the cardinality of the set {g0,g1,}\{ g^0, g^1, \ldots \}. If gg is a generator, then its order is exactly G|\G|. In a previous example we showed that, with respect to arithmetic mod 13, g=3g=3 has order 3, which indeed divides the order of the group Z13=12| \Z_{13}^* | = 12.

Now, suppose we want to check whether gg is a generator of Zn+1\Z_{\nmod+1}^*. In other words, we want to check whether gg has order n\nmod. We simply need to check whether gk=1g^k = 1 for any proper divisor kk of n\nmod. So raise gg to the power n/q\nmod/q for every prime divisor qq of n\nmod. If none of these exponentiations result in 1, then gg must have order n\nmod and be a generator.

13.1.1. The discrete logarithm problem

Since every element in a cyclic group can be written as some power of the generator, a natural question is: Given an element of the group, which power of the generator is it?

Definition 13.1.7 (Discrete logarithm)

The discrete logarithm problem in a cyclic group G\G is:

Given an element AGA \in \G of the group, and a generator gg, find an integer aa such that A=gaA = g^a.

This problem is called a logarithm problem because it involves solving for the unknown exponent in an expression like A=gaA = g^a. But discrete logarithms are different from your usual logarithms in a few important ways:

  • The solution to a discrete logarithm problem is always an integer (hence, “discrete”).

  • In some cyclic groups, the discrete logarithm problem is computationally hard. There is no known polynomial-time algorithm.

This second point is relevant to cryptography: It means that in some cyclic groups, the operation agaa \mapsto g^a is easy to compute, but its inverse gaag^a \mapsto a is hard to compute.

Measuring Efficiency: We need to be careful when talking about the efficiency of algorithms dealing with huge numbers. Consider the following algorithm for solving the discrete log problem in a cyclic group of order nn:

dlog(A,g)\subname{dlog}(A,g):
U:=1U := 1
for a=1a = 1 to nn:
U:=UgU := U \cdot g // so, U=gaU = g^a
if U==AU == A: return aa

I previously claimed that there is no polynomial-time algorithm for discrete log (at least in some groups), but isn't this a O(n)O(n)-time algorithm that works for any group?

Indeed, this algorithm is O(n)O(n), but nn is not the length of the algorithm's input! The algorithm receives just one group element as input, and if the group has order n2kn \approx 2^k, each group element can be written in kk bits. The running time of this elementary discrete log algorithm, as a function of its actual input length kk, is O(2k)O(2^k); it is not a polynomial-time algorithm. As we will see later in this chapter, cryptography based on cyclic groups requires groups where nn is huge (e.g., n2256n\approx 2^{256}, n23072n\approx 2^{3072}), so an algorithm running in O(n)O(n) time is useless.

When we say that the discrete logarithm problem is hard, we mean there is no known algorithm for discrete log that runs in polynomial time as a function of kk in a group of order 2k{} \approx 2^k.

Cyclic Group Strategy

The defining property of a cyclic group is that every element can be written as gag^a. Given gag^a, it is hard to compute aa, but while reasoning about cryptography, it usually makes things much easier if you express every group element in this way, as a power of the generator. For example, if some cryptographic algorithm receives a group element AA and computes AbA^b, it will probably aid your understanding of the algorithm to think about AA as gag^a (for some aa that might be hard to compute) and AbA^b as gabg^{ab}.

13.1.2. Efficient exponentiations

Cryptography based on cyclic groups involves a lot of exponentiation, computing expressions like gag^a. This is meant to be the “easy” direction, compared to the “hard” direction of computing discrete logarithms. So it's important to understand exactly how these expressions can be computed efficiently, in polynomial time in the number of bits required to write each group element.

For the sake of concreteness, let's consider multiplicative groups modulo a prime and use the prime p=21305p = 2^{130}-5 as an example. You can trust me that 2 is a generator of this group. How would you compute an expression like 21234567891011%p2^{1234567891011} \pct p? Even sage, which handles huge integers with ease, seems to have problems:

sage: p = 2^130 - 5 sage: 2^1234567891011 % p gmp: overflow in mpz type ... [long error trace] ...

What went wrong? We have just asked sage to first evaluate 212345678910112^{1234567891011} as an integer, and then reduce it mod pp. But that huge integer would require 1234567891011 bits (154 GB) to write down, which is beyond what sage is willing to use. And this is with a “small” exponent, a 40-bit integer. Imagine if the exponent were 256 bits long!

Concept 1: Reduce as you go: The best trick for modular arithmetic is that if you need the final answer mod pp, then you can/should reduce all intermediate steps mod pp. In other words, you can compute an expression like 21232^{123\ldots} by performing many multiplications, and these should be multiplications mod pp, not multiplications over the integers. Hopefully this makes sense, because, after all, we are thinking of a cyclic group whose operation is multiplication-mod-pp, not multiplication over the integers.

We can ask sage to use multiplication-mod-pp by creating a Mod object, which overloads multiplication (and therefore exponentiation) appropriately:

sage: p = 2^130 - 5 sage: Mod(2,p)^1234567891011 1068597062080415276269476214759584759335

Concept 2: Exponentiation by squaring: Your mental model for evaluating an expression like XBX^B might be something like this:

exp(X,B)\subname{exp}(X,B):
R=1R = 1
do BB times:
R:=RXR := R \cdot X
return RR

But this can't possibly be how sage does it, because it can compute 212345678910112^{1234567891011} instantly. It could not have possibly performed 1234567891011 multiplications. And indeed, this simple exponentiation algorithm runs in O(B)O(B) time, which is exponential in the number of bits required to write BB.

A much better way to exponentiate can be illustrated with the following example:

X19=XX18=X(X9)2=X(XX8)2=X(X(X4)2)2=X(X((X2)2)2)2.\begin{aligned} X^{19} &= X \cdot X^{18} \\ &= X \cdot (X^9)^2 \\ &= X \cdot (X \cdot X^8)^2 \\ &= X \cdot \bigl(X \cdot (X^4)^2\bigr)^2 \\ &= X \cdot \Bigl(X \cdot \bigl((X^2)^2\bigr)^2\Bigr)^2.\end{aligned}

Every “\cdot or “2{}^2 in this expression represents one multiplication that must be performed, and you can see that this expression computes X19X^{19} using not 18 multiplications, but only 6.

This exponentiation strategy is called repeated squaring, and can be written recursively:

XB={X if B=1(XB/2)2 if B even X(X(B1)/2)2 if B oddX^B = \begin{cases} X & \text{ if } B=1 \\ (X^{B/2})^2 & \text{ if } B \text{ even } \\ X \cdot (X^{(B-1)/2})^2 & \text{ if } B \text{ odd} \end{cases} \qquad
exp(X,B)\subname{exp}(X,B):
if B=1B=1: return XX
if BB even: return exp(X,B/2)2\subname{exp}(X, B/2)^2
if BB odd: return Xexp(X,(B1)/2)2X \cdot \subname{exp}(X, (B-1)/2)^2

Remember, the multiplications and squarings in this algorithm should use the cyclic group operation (in our running example, multiplication-mod-pp) so that intermediate values are consistently reduced mod pp.

The total cost of this algorithm is O(logB)O(\log B) multiplications, because at each recursive level it performs at most 2 multiplications, then recurses on a new exponent roughly half the size. Its running time is polynomial in the number of bits in BB.

A Word of Warning

Any implementation of this exponentiation algorithm on a real computer will almost surely leave side-effects that leak information about the exponent. And when we use cyclic groups for cryptography, the exponent is usually the secret key. So you should never actually use this exponentiation algorithm for cryptography. See exercise 13.3 for an illustration of the problem, and see exercise 13.4 for a better alternative.

13.2. Diffie-Hellman key exchange

In 1978, Whitfield Diffie and Martin Hellman published New Directions in Cryptography, the most important paper in the history of cryptography. In this paper they describe an ingenious method for two users to generate a shared secret key “from nothing.” Their method is interactive: The two users, who share no secrets, exchange messages with each other until they can both compute a common key. Yet anyone observing their communication will not be able to learn this key. In their method, amazingly, you learn more by participating than by observing.

The Diffie-Hellman protocol uses a cyclic group with generator gg. The main idea is that the users exchange public messages gag^a and gbg^b, and define gabg^{ab} as their shared secret. The user who sent gag^a knows the secret aa and can compute the key as (gb)a=gab(g^b)^a = g^{ab}; the other user knows bb and can compute the secret as (ga)b=gab(g^a)^b = g^{ab}. (The usual rules of exponents hold in any cyclic group.) However, an outside observer who sees gag^a and gbg^b will have difficulty computing gabg^{ab}.

Construction 13.2.1 (Diffie-Hellman key exchange)

Let G\G be a cyclic group with generator gg and order n\nmod. the Diffie-Hellman key exchange (DHKE) protocol is defined as follows:

Here's how to interpret a protocol diagram like this: Each user's actions are specified sequentially, starting from the top and proceeding downward. Arrows indicate messages from one user to the other. Thus, Alice samples aa and computes A=gaA = g^a, while Bob (simultaneously) samples bb and computes B=gbB = g^b. Alice sends AA to Bob and Bob sends BB to Alice. Finally, Alice computes BaB^a and Bob computes AbA^b.

Example 13.2.2 (Diffie-Hellman key exchange)

Here is one possible execution of DHKE using the multiplicative group over prime n=21305\nmod=2^{130}-5, with generator 2. The order of the group is n1\nmod-1. Here is the interaction from Alice's point of view:

sage: n = 2^130 - 5 # public parameter sage: a = randint(1,n-1) ; a 304028492560340294515078782581715611040 sage: A = Mod(2,n)^a ; A 370357377479180867559394640020346155675 # send A to Bob, receive B from Bob. # B as below sage: K1 = B^a ; K1 1087423090988990376731415418853222411310

And from Bob's point of view:

sage: n = 2^130 - 5 # public parameter sage: b = randint(1,n-1) ; b 1192072256120008086850988768974086707698 sage: B = Mod(2,n)^b ; B 607924105783790299638248790534209950313 # send B to Alice, receive A from Alice. # A as above sage: K2 = A^b ; K2 1087423090988990376731415418853222411310

In this example, both Alice and Bob compute the same key. These are large numbers for humans, but they are still too small to provide good security; see below.

13.2.1. Passive Security

To keep things simple, in this chapter we focus on the most basic security property for a key exchange protocol: security against a completely passive eavesdropper. An adversary who merely observes the victims' interaction should not be able to learn their shared key. More precisely, the victims' shared key should look pseudorandom from the adversary's point of view.

The security condition can be formalized by saying that the following two libraries are indistinguishable:

Lddh-realG\lib{ddh-real}^\G
aZna \gets \Z_\nmod
bZnb \gets \Z_\nmod
// (ga,gb)(g^a, g^b) are the DHKE
// \quad protocol messages
// gabg^{ab} is the resulting key
ddh.get()\subname{ddh.get}(\,):
return (ga,gb,gab)(g^a, g^b, g^{ab})
\indist
Lddh-randG\lib{ddh-rand}^\G
aZna \gets \Z_\nmod
bZnb \gets \Z_\nmod
cZnc \gets \Z_\nmod
// (ga,gb)(g^a, g^b) are the DHKE
// \quad protocol messages
// gcg^c is an independent,
// \quad uniformly distributed key
ddh.get()\subname{ddh.get}(\,):
return (ga,gb,gc)(g^a, g^b, g^c)

In other words, no adversary should be able to distinguish the real key from a truly uniform, unrelated key, even after seeing the DHKE transcript. Remember, in a real application of DHKE the users will use the resulting shared key for symmetric-key cryptography. But in this attack scenario, the libraries give the key to the adversary; this is our way of saying “the DHKE shared key is just as good as a truly uniform key, no matter what it is used for.”

Given the earlier contents of this chapter, you might be expecting a proof of how DHKE is secure in this sense, assuming that the discrete logarithm problem is hard in the cyclic group G\G. Unfortunately, no such proof is known. Instead, the Diffie-Hellman protocol is so fundamental that we simply treat its (passive) security as a “fundamental” assumption about cyclic groups, and give it a nice name:

Definition 13.2.3 (Decisional Diffie-Hellman assumption)

Let G\G be a cyclic group with order n\nmod and generator gg. The decisional Diffie-Hellman (DDH) assumption in G\G is that the libraries Lddh-realG\lib{ddh-real}^\G and Lddh-randG\lib{ddh-rand}^\G, shown above, are indistinguishable.

The DDH assumption is equivalent to the statement that the DHKE protocol is passively secure. It is a useful assumption, which can be used to prove the security of many other more complicated constructions.

Disclaimer: Key exchange, as defined in this chapter, is unauthenticated. Passive security means: The two protocol participants—whoever they may be!—agree on a key that looks pseudorandom to an eavesdropper. Passive security gives no guarantees about the identity of those participants. In the real world there is rarely much use in agreeing on a key shared with “whoever might be on the other end of this connection.” Usually, one has a clear intent about their KE partner's identity.

Think of this chapter not as the complete story of key exchange, but just the beginning. What we are calling passive security is the bare minimum level of protection you might want in a key exchange protocol. Incorporating authentication into key exchange is the subject of chapter 18.

13.2.2. Choosing a strong cyclic group

Although we have built intuition about cyclic groups using multiplicative groups Zn\Z^*_\nmod, these are not the best choice for Diffie-Hellman, for a few reasons. The most glaring one is that DDH is false in Zn\Z^*_\nmod! There is an efficient algorithm that, given gaZng^a \in \Z^*_\nmod, can determine whether aa is even or odd, and this is enough to contradict the DDH assumption. The exercises explore this fact in more depth.

Quadratic Residues: The problem with Zn\Z_\nmod^* has something to do with the fact that it has n1\nmod-1 elements, which is even when n\nmod is an odd prime. If we want the DDH assumption to hold in a cyclic group, it is helpful if the group's order does not have small prime factors, like 2 in this case. One way to eliminate this factor of 2 is to consider the subgroup of quadratic residues mod n\nmod.

Definition 13.2.4 (Quadratic residues)

The group of quadratic residues modulo n\nmod, written QRn\QR^*_\nmod, is the set of all squares in Zn\Z^*_\nmod:

QRn={X2XZn} \QR^*_\nmod = \{ X^2 \mid X \in \Z^*_\nmod \}

In particular, when Zn\Z^*_\nmod is cyclic, QRn\QR^*_\nmod consists of all the elements of Zn\Z^*_\nmod with even exponents:

QRn={g2,g4,g6,}. \QR^*_\nmod = \{ g^2, g^4, g^6, \ldots \}.

Thus, QRn\QR^*_\nmod is also cyclic, with g2g^2 as its generator.

When n\nmod is an odd prime, squaring-mod-n\nmod is a 2-to-1 function, just like it is in the real numbers. Thus, QRn\QR^*_\nmod contains exactly half of the elements of Zn\Z^*_\nmod, so (n1)/2(\nmod-1)/2. The best chance to ensure problems like DDH and discrete logarithm are hard is when (n1)/2(\nmod-1)/2 is itself prime. If n\nmod and (n1)/2(\nmod-1)/2 are both prime, then n\nmod is called a safe prime. The DDH assumption is widely believed to hold in the group of quadratic residues QRn\QR^*_\nmod modulo a safe prime.

Avoid DDH altogether: Exercise 13.8 proposes another way around the deficiencies of Zn\Z^*_\nmod. It is possible to prove security of a modified variant of DHKE, under a slightly weaker assumption about the cyclic group. Although DDH does not hold in Zn\Z^*_\nmod, this weaker assumption is widely believed to hold.

Elliptic curves: The best cyclic groups for Diffie-Hellman are not based on multiplication mod n\nmod, but on an entirely different algebraic structure called an elliptic curve. These groups are introduced in more detail in section 13.4.

13.3. Key exchange in the abstract

The Diffie-Hellman protocol is just one example of a key exchange protocol. In this section we formalize key exchange as an abstract cryptographic primitive.

Key exchange is more cumbersome to formalize than other primitives because it is inherently interactive. The security guarantee for KE involves two users interacting, and we need to be able to reason about the messages they exchange as well as their final output. Below is one possible approach for formalizing arbitrary interactive protocols:

Definition 13.3.1 (Abstract interactive protocol)

A (2-party) protocol consists of two programs P1P_1 and P2P_2 containing special send and recv commands. We write

(T,Y1,Y2):=(P1P2) (T, Y_1, Y_2) := (\hl{P_1 \rightleftharpoons P_2})

to denote the result of running P1P_1 and P2P_2 in the natural way: whenever P1P_1 executes “send XX, the value XX is passed to the next recv command in P2P_2, and vice versa. The output of “P1P2P_1 \rightleftharpoons P_2 is a triple, where:

  • TT is the protocol's transcript, a sequence of all messages sent between P1P_1 and P2P_2 during the execution.

  • Y1Y_1 is the final output of P1P_1.

  • Y2Y_2 is the final output of P2P_2.

Example 13.3.2 (Diffie-Hellman as an abstract protocol)

The Diffie-Hellman protocol can be expressed as the following pair of programs alice and bob:

alice()\subname{alice}(\,):
aZna \gets \Z_\nmod
A:=gaA := g^a
send AA
recv BB
return BaB^a
\rightleftharpoons
bob()\subname{bob}(\,):
bZnb \gets \Z_\nmod
B:=gbB := g^b
recv AA
send BB
return AbA^b
returns\quad\text{returns}\quad ((A,B)transcript,BaAlice’s output,AbBob’s output)\Bigl( \underbrace{(A,B)}_{\text{\small transcript}}, \underbrace{B^a}_{\text{\small Alice's output}}, \underbrace{A^b}_{\text{\small Bob's output}} \Bigr)
Definition 13.3.3 (Abstract key exchange: correctness and security)

Let (P1,P2)(P_1, P_2) be 2-party protocol where both users output a value from K\K. Then (P1,P2)(P_1,P_2) is a key exchange (KE) protocol if the two parties terminate with matching outputs. More formally, the following code outputs true\mytrue with probability 1:

(T,K1,K2):=(P1P2)(T,\key_1,\key_2) := (P_1 \rightleftharpoons P_2)
return K1==K2\key_1 == \key_2

The protocol satisfies passive security if the following two libraries are indistinguishable:

Lke-real\lib{ke-real}
(T,K1,K2):=(P1P2)(T, \key_1, \key_2) := (P_1 \rightleftharpoons P_2)
ke.eavesdrop()\subname{ke.eavesdrop}(\,):
return (T,K1)(T, \key_1)
\indist
Lke-rand\lib{ke-rand}
(T,K1,K2):=(P1P2)(T, \key_1, \key_2) := (P_1 \rightleftharpoons P_2)
KK\hl{\key' \gets \K}
ke.eavesdrop()\subname{ke.eavesdrop}(\,):
return (T,K)(T, \hl{\key'})

Key exchange is also commonly called key agreement.

I like to think of Lke-rand\lib{ke-rand} as describing a world in which Alice and Bob run a key exchange protocol as a decoy but then a magical fairy gives them both an unrelated key K\key' that they use for their symmetric-key cryptography.

Remember, this is a definition of passive security, against an adversary who merely observes the victims' interaction. It implies no guarantees for the victim when an adversary participates in the protocol and possibly deviates from the specification. It provides no guarantees about the identities of the KE participants. Chapter 18 is devoted to these security properties.

13.4. ☆ Elliptic curves

In section 13.2.1 we discussed QRp\QR^*_\pmod as a group in which the DDH assumption is believed to hold, when p\pmod is a safe prime. However, that discussion conveniently ignored the question of how big p\pmod should be. This is a question about concrete security. We typically choose parameters so that the best known attacks require 2λ2^\secpar effort. For example, the best known attacks against PRFs are simple brute-force, so we can choose λ\secpar-bit PRF keys. The best known attack against collision resistance is a birthday attack which is faster than brute-force, so we choose hash functions whose output length is 2λ2\secpar.

The best known way to break DDH in QRp\QR^*_\pmod is to solve the discrete logarithm problem mod p\pmod. The best known discrete log algorithms are not polynomial-time, but considerably faster than brute force. Here is a table showing, for a few target values λ\secpar, how large p\pmod must be so that the fastest known discrete log algorithms would require 2λ2^\secpar effort:

λ\secpar p\pmod
128 >23072{} > 2^{3072}
192 >27680{} > 2^{7680}
256 >215360{} > 2^{15360}

In other words, DHKE over QRp\QR^*_\pmod requires group elements that are at least 3072 bits long. Since the cost of modular exponentiation algorithms scale with the cube of the input size, these huge groups are an expensive choice.

This section is a brief overview of a completely different kind of cyclic group, called an elliptic curve group, which (disappointingly) has very little to do with ellipses. These groups lack much of the structure of Zp\Z^*_\pmod and QRp\QR^*_\pmod, which is a good thing, since that additional structure is precisely what can make the discrete logarithm problem easier. The best known discrete log algorithms on elliptic curve groups require time 2k/22^{k/2} in a group of order 2k2^k. Thus, we can make the discrete log problem require 2λ2^\secpar effort by choosing an elliptic curve group with order only 22λ2^{2\secpar}. Concretely, elliptic curves allow us to use Diffie-Hellman with 256-bit group elements instead of 3072-bit group elements.

13.4.1. Elliptic curves over the real numbers

We will first build some geometric intuition for elliptic curves by investigating curves defined over the real numbers. Cryptographic applications use curves defined using modular arithmetic, which we will discuss later.

Definition 13.4.1 (Elliptic curve)

Let aa and bb be two fixed constants. The elliptic curve Ea,b\mathcal{E}_{a,b} consists of all points (X,Y)(X,Y) that satisfy the equation:

Y2=X3+aX+b. Y^2 = X^3 + a X + b.
Example 13.4.2 (Elliptic curve shapes)

Below are a few representative shapes that an elliptic curve can take:

Point addition: Given two points on an elliptic curve, there is a special way to “add” them, resulting in another point on the curve. This point addition operation is somewhat complicated, but it can be derived by understanding how straight lines intersect the elliptic curve.

Definition 13.4.3 (Elliptic curve point addition, indirect definition)

Given an elliptic curve, define an addition operation as follows:

  • Include a special point at infinity, which lies on every vertical line (think of it as both the north and south poles, simultaneously). This point at infinity is considered to be an element of the elliptic curve, and it is called 0, since it is the addition operation's neutral element.

  • If any line intersects the elliptic curve at three points AA, BB, and CC, we say that A+B+C=0A+B+C=0. The three points are counted with multiplicity— that is, we can have B=CB=C when the line is tangent to the curve. The three points may also include the point at infinity, when the line is vertical.

Example 13.4.4 (Lines intersecting elliptic curves)

In each of the following pictures, the points AA, BB, and CC sum to zero:

In the second picture, the line is tangent to the curve at B=CB=C. In the third picture, CC is the point at infinity.

Definition 13.4.3 might seem unsatisfying as a definition of an addition operation. But we can use it to define addition in a more concrete, procedural way.

Observation 13.4.5 (Elliptic curve point negation)

If AA is a point on an elliptic curve, then “A-A is the point obtained by reflecting AA across the xx-axis. (The special point at infinity is its own reflection across the xx-axis.)

Proof:

Let BB be the reflection of AA across the xx-axis. Then the line through AA and BB is vertical, so it also intersects the curve at the point at infinity C=0C=0. (We might also have B=AB=A, if the point is on the xx-axis. Then the line we must consider is the tangent line at AA, which (if it exists) will also be vertical because the curve is symmetric across the xx-axis.) This is the scenario illustrated in the third picture in example 13.4.4. Since AA, BB, and CC are the intersection points between a line and the curve, we have

A+B+C=0. A + B + C =0.

Since C=0C=0, we then have A+B=0A+B=0. Thus, BB is “A-A.

Point addition can be performed procedurally in the following way:

Observation 13.4.6 (Procedure for elliptic curve point addition)

Let AA and BB be two points on an elliptic curve. To find A+BA+B:

  1. Imagine the line through AA and BB. If A=BA=B, then the line is tangent to the curve; if one of AA and BB is zero (the point at infinity), then the line is vertical.

  2. Denote by CC the third intersection point of that line with the curve.

  3. Since A+B+C=0A+B+C = 0, we have A+B=CA+B = -C. In other words, A+BA+B is the reflection of CC across the xx-axis.

Example 13.4.7 (Elliptic curve point addition)

Each of the following pictures illustrates how to find A+BA+B given AA and BB:

Additive notation for groups: These rules define an addition operation for points on an elliptic curve, and that operation satisfies the necessary rules for a mathematical group.

Before now, we have written the operation of a (cyclic) group as multiplication, a reasonable choice for groups like Zp\Z_\pmod^* whose operation is multiplication-mod-p\pmod. With elliptic curves, it is the convention to write their operation as addition. We can rephrase the axioms of cyclic groups using additive notation:

  • There is a special element 0G0 \in \G such that A+0=AA + 0 = A for all AGA \in \G. In elliptic curve groups, this neutral element is the point at infinity.

  • Associativity: For all A,B,CGA,B,C \in \G, we have (A+B)+C=A+(B+C)(A+B)+C = A+(B+C). This fact is notoriously tedious to prove for elliptic curve groups, and it is hard to gain any intuition from the geometry of the problem.

  • Inverses: For every AGA \in \G there is an element AG-A \in \G such that A+(A)=0A + (-A) = 0.

  • A generator of a cyclic group G\G (in additive notation) is an element GG such that

    G={G,G+G,G+G+G,}. \G = \{G, \quad G+G, \quad G+G+G, \quad \ldots \}.

    Expressions like G+G+GG+G+G are usually written as 3G3G or [3]G[3]G, so exponentiation becomes “scalar multiplication.” When using additive notation, we generally write group elements (including the generator) in uppercase and scalars in lowercase, in an attempt to reduce confusion.

  • Keeping in mind that gi=gggg^i = g \cdot g \cdots g (with ii terms), the discrete logarithm problem in additive notation is: Given AGA \in \G and a generator GG, find an integer aa such that A=aG=G+G++GA = aG = G + G+ \cdots +G (with aa terms). Of course the name “logarithm” is not as prominently reflected in additive notation.

If you want to become a cryptographer, it's imperative that you develop very passionate feelings about additive vs. multiplicative notation.

13.4.2. Elliptic curves modulo a prime

Elliptic curves over the real numbers are helpful for developing a geometric intuition. But cryptography uses elliptic curves defined over the integers mod pp, where pp is a prime. Such a curve consists of all points (X,Y)(X,Y) — where now XX and YY belong to Zp\Z_\pmod — that satisfy the curve equation Y2=X3+aX+bY^2 = X^3 + aX + b.

Group addition works by expressing the geometric steps from definition 13.4.3 algebraically and “simply” performing that algebraic manipulation mod pp. Some of these steps, like finding the line passing through two points, require division, and thus pp must be prime to ensure the existence of multiplicative inverses.

Example 13.4.8

Most of the examples so far have used the curve Y2=X32X+4Y^2 = X^3 - 2X + 4. Here are the points that satisfy this equation mod p=29p=29 (point at infinity not shown):

Three points are highlighted, showing (8,6)+(25,8)=(21,1)(8,6) + (25,8) = (21,1).

As you can see, geometric intuition is limited when working mod pp, and it's best to rely on algebra alone.

There are many choices for an elliptic curve; how should you choose one? The easy answer is to not choose your own but to use a standard, vetted curve from a reputable library. The choices that motivate standard elliptic curves are beyond the scope of this short introduction.

Example 13.4.9 (Curve25519)

Curve25519 is a popular elliptic curve, defined by

Y2=X3+486662X2+X, Y^2 = X^3 + 486662 X^2 + X,

with arithmetic operations modulo p=225519p = 2^{255}-19.

13.4.3. Elliptic curves in Sage

Here is how I used Sage to list all points on the curve from example 13.4.8:

sage: E = EllipticCurve(Zmod(29), [-2,4]) sage: E Elliptic Curve defined by y^2 = x^3 + 27*x + 4 over Ring of integers modulo 29

Zmod(29) tells Sage to generate a curve with operations mod 29. The list [-2,4] gives parameters of the curve equation. If you wonder why Sage prints the curve equation as Y2=X3+27X+4Y^2 = X^3 \hl{+27}X + 4 when we asked for a coefficient of 2-2, it's because 22927-2 \equiv_{29} 27.

The .points() method will return all of the points on the curve (so don't do this for a curve with 22562^{256} points). But if you print a point on the curve, it will display in a different coordinate system that we will not discuss. (This alternate coordinate system avoids special cases to handle the point at infinity.) These point objects can be converted to a more familiar (X,Y)(X,Y) pair with the .xy() method, which will raise an exception for the point at infinity, since it has no (X,Y)(X,Y) coordinates.

sage: for p in E.points(): ....: try: ....: print( p.xy() ) ....: except: ....: print( "inf" ) inf (0, 2) (0, 27) (3, 5) ...

To convert an (X,Y)(X,Y) pair to a elliptic curve point object, whose addition operation is overloaded appropriately, you can just use the elliptic curve object E as a constructor:

sage: (E(8,6) + E(25,8)).xy() (21, 1)

13.4.4. Pitfalls and fine print

A complete treatment of elliptic curves is well beyond the scope of this book. To give you a peek into the guts of elliptic curves, here are a few issues that arise:

Degenerate curves: The right-hand side of the elliptic curve equation X3+aX+bX^3 + aX + b is a cubic expression of XX, and usually has three distinct roots. However, if 4a3+27b2=04a^3 + 27 b^2=0 then the cubic has repeated roots. We call the elliptic curve degenerate in this case. Degenerate curves have points with an undefined tangent, and the curve addition law breaks down for these points.

We always restrict our attention to aa and bb that avoid this degeneracy condition.

Curve Equations: The point addition algorithm for elliptic curves involves many special cases, like when A=BA=B, when one of A,BA,B is the point at infinity, when A+BA+B is the point at infinity, and so on. These special cases can be tricky to implement correctly, and if one is not careful, the running time of the point addition algorithm may leak information about secret exponents (scalars).

One way to improve the point addition algorithm is to use a different kind of defining equation for the curve. So far we have considered only curves defined by Y2=X3+aX+bY^2 = X^3 + aX +b, known as a Weierstrass curve equation. Other curve equations are possible, notably:

  • Edwards curves are defined by X2+Y2=1+dX2Y2X^2 + Y^2 = 1 + d X^2 Y^2.

  • Montgomery curves are defined by bY2=X3+aX2+XbY^2 = X^3 + aX^2 + X.

Not every curve can be expressed by these special kinds of curve equation, but those that can enjoy improved point addition algorithms: faster, and with fewer special cases than Weierstrass curves.

Twists: If (X,Y)(X,Y) is on an elliptic curve, then so is (X,Y)(X,-Y), and these are the only two points on the curve with this XX coordinate. Thus, it is common to communicate points on the curve using only their XX-coordinate, plus one bit representing the sign of YY.

However, not every XX coordinate corresponds to a point on the curve. For example, in the elliptic curve Y2=X32X+4Y^2 = X^3 - 2X + 4 over Z29\Z_{29}, there is no point with XX-coordinate 5, because the right-hand side of the curve equation evaluates to X32X+4=5325+4293X^3 - 2X + 4 = 5^3 - 2\cdot 5 + 4 \equiv_{29} 3, but there is no YY satisfying Y2293Y^2 \equiv_{29} 3.

For every elliptic curve there is a companion curve, called the twist. Interestingly, every XX-coordinate corresponds to a point either on the primary curve or its twist, and never both: The two curves exactly partition the set of XX-coordinates. The twist of our example curve Y2=X32X+4Y^2 = X^3 - 2X + 4 has the form Y2=c(X32X+4)Y^2 = c (X^3 - 2X + 4), where cc can be any non-square (non-quadratic-residue)—say, 3 in our example above.

Twists can be problematic. Suppose a victim is running DHKE, so they expect to receive an elliptic curve element and “exponentiate” it with their secret Diffie-Hellman exponent (apologies for mixing additive and multiplicative terminology here). If group elements are communicated using only their XX-coordinates, and an adversary sends an XX coordinate from the twist, then the victim will perform the exponentiation over the twist curve. It is possible that the discrete logarithm problem is much easier on the twist curve than on the primary curve, in which case this attack would make it easier for an adversary to recover the secret exponent. This problem can be dealt with in two ways (not mutually exclusive):

  • Always check whether a point lies on the intended curve before performing operations on it.

  • Choose a cryptographically strong elliptic curve whose twist is also strong.

Cofactors and Small Subgroups: Many cryptographic applications of cyclic groups require a group of prime order. Unfortunately, elliptic curve groups often do not have prime order. For example, Edwards and Montgomery curve equations always produce a group whose order is a multiple of 4. If we want to take advantage of the algorithmic benefits of those curve equations, we need a way to cope with their composite order. Below is a general discussion of composite-order groups, which is not specific to elliptic curves. Therefore, we will use multiplicative notation.

Suppose G\G is a cyclic group of composite order rsr \cdot s, with generator gg. Thus, G={g0,g1,g2,,grs=g0}\G = \{g^0, g^1, g^2, \ldots, g^{rs} = g^0 \}, and everything “in the exponent” happens mod rsrs. Now consider the powers of grg^r:

(gr)0=g0,(gr)1=gr,(gr)2=g2r,,(gr)s=grs=g0. (g^r)^0 = g^0, \quad (g^r)^1 = g^r, \quad (g^r)^2 = g^{2r}, \ldots,\quad (g^r)^s = g^{rs} = g^0 .

There are only ss possible values before completing a cycle. We say that grg^r generates a cyclic subgroup of order ss.

The math of elliptic curves often gives us a cyclic group of order rsr\cdot s, where rr is very small and ss is a huge prime. Usually, r=4r=4 or r=8r=8; this value is called the cofactor of the curve. Given such an elliptic curve, we can just take grg^r to be the generator, and everything will happen in the prime (ss)-order subgroup. Problem solved, right? Not so fast!

Imagine a situation in which a victim receives a group element AA from an untrusted source and computes AxA^x, where xx is secret. The computation AxA^x will work fine, not just for elements of the prime-order subgroup, but for the entire composite-order group as well. In particular, an adversary could choose AA from the order-rr subgroup (such a subgroup exists because rr divides the overall order). The result of AxA^x will remain in the order-rr subgroup. But because rr is so small, it is easy to compute discrete logarithms in the order-rr subgroup by brute force. Thus, the adversary can compute the discrete log x%rx \pct r, leaking some information about the secret xx which would not be possible if the computation remained in the desired order-ss subgroup.

These problems can be avoided by always ensuring that untrusted group elements are in the desired subgroup. The easiest way to do this is to raise an element to the rr power; this is called clearing the cofactor. An alternative approach is proposed later in exercise 15.29.

Exercises

  1. h A group G\G is commutative if AB=BAAB = BA for all A,BGA,B \in \G. Prove that every cyclic group is commutative.

    Use the fact that every element in G\G can be written in the form gxg^x.

  2. What are all the generators of Z13\Z_{13}^*?

  3. h Simple power analysis (SPA) is a physical attack in which the adversary observes how much voltage is drawn by the CPU while an algorithm is running. In this exercise, you will show an SPA attack against the repeated-squaring method of exponentiation, shown in section 13.1.2.

    The repeated-squaring algorithm involves multiplication and squaring steps. Suppose that by monitoring a CPU's voltage it is easy to determine whether it is performing a multiplication or squaring. (This is a very realistic assumption.) Then an SPA attack is equivalent to having the printed output of the following modified algorithm:

    exp(X,B)\subname{exp}(X,B):
    if B=1B=1: return XX
    if BB even:
    R:=exp(X,B/2)2R := \subname{exp}(X, B/2)^2
    print “square” {}
    if BB odd:
    R:=Xexp(X,(B1)/2)2R := X \cdot \subname{exp}(X, (B-1)/2)^2
    print “square” {}
    print “multiply” {}
    return RR

    Describe how you can completely recover the exponent BB, given the printed output of this program.

    Express the concepts “BB is odd,” “BB is even,” “B/2B/2,” and “(B1)/2(B-1)/2 strictly in terms of the bits of BB.

  4. Fill in the missing details of the following recursive algorithm for exponentiation, while obeying the following invariants:

    • On input (X,B)(X,B), the algorithm should return a pair (XB,XB+1)(X^B, X^{B+1}).

    • No matter whether BB is even or odd, the algorithm should perform 1 recursive call, then 1 squaring and 1 multiplication.

    // should return a pair: (XB,XB+1)(X^B, X^{B+1}):
    betterexp(X,B)\subname{betterexp}(X,B):
    if B=0B=0: return (1,X)(1,X)
    if BB even:
    (U,V):=betterexp(X,B/2)(U,V) := \subname{betterexp}(X, B/2)
    // fill in the blanks:
    // one squaring, one multiplication
    if BB odd:
    (U,V):=betterexp(X,(B1)/2)(U,V) := \subname{betterexp}(X, (B-1)/2)
    // fill in the blanks:
    // one squaring, one multiplication

    Explain why this method of exponentiation is immune to the simple power analysis attack described in exercise 13.3.

  5. Rewrite the recursive algorithms from exercises 13.3 and 13.4 as iterative algorithms. Your algorithms should iterate over the bits of the exponent.

  6. Suppose you are given an element AA from a cyclic group G\G. Assume that the discrete logarithm problem is hard in G\G; however, I have generously agreed to tell you the discrete logarithm of any single element, except AA. Explain a strategy by which you can efficiently learn the discrete logarithm of AA.

  7. Suppose there is a polynomial-time algorithm that solves the discrete logarithm problem in G\G. Show that Lddh-realG\lib{ddh-real}^\G and Lddh-randG\lib{ddh-rand}^\G are not indistinguishable. Or, equivalently, show an attack against the passive security of DHKE over G\G.

  8. The computational Diffie-Hellman (CDH) assumption states that it is hard to compute gabg^{ab} given gag^a and gbg^b. It is defined formally by saying that the following two libraries are indistinguishable:

    Lcdh-real\lib{cdh-real}
    aZna \gets \Z_\nmod
    bZnb \gets \Z_\nmod
    cdh.get()\subname{cdh.get}(\,):
    return (ga,gb)(g^a, g^b)
    cdh.test(X)\subname{cdh.test}(X):
    return X==gabX == g^{ab}
    \indist
    Lcdh-fake\lib{cdh-fake}
    aZna \gets \Z_\nmod
    bZnb \gets \Z_\nmod
    cdh.get()\subname{cdh.get}(\,):
    return (ga,gb)(g^a, g^b)
    cdh.test(X)\subname{cdh.test}(X):
    return false\myfalse

    Hashed DHKE is a variant of DHKE in which the parties exchange gag^a and gbg^b as usual, but use H(gab)\ro(g^{ab}) as their output instead of just gabg^{ab}. Prove that hashed DHKE is a passively secure key exchange in the random oracle model (modeling H\ro as a random oracle), if CDH holds in the cyclic group.

  9. Suppose there is a polynomial-time algorithm that on input gaGg^a \in \G can determine whether aa is even. Show that the DDH assumption is false in G\G. Or, equivalently, show an attack against the passive security of DHKE over G\G.

  10. Recall the additive notation for cyclic groups:

    • Closure: For any A,BGA,B \in \G, their sum A+BGA \hl{+} B \in \G.

    • Identity: There is a special element 0G\hl{0} \in G such that 0+A=A0 \hl{+} A = A for all AGA \in \G.

    • Inverses: For any AGA \in \G, there is an element AG\hl{{-A}} \in \G such that A+(A)=0A \hl{+} \hl{(-A)}= \hl{0}.

    • Associative: For any A,B,CGA,B,C \in \G, we have (A+B)+C=A+(B+C)(A+B)+C = A+(B+C).

    • Cyclic: There is a special element gGg \in \G such that

      G={g,g+g,g+g+g,,g++gi times,}. \G = \{ g, \quad g+g, \quad g+g+g, \ldots, \quad \underbrace{g+\cdots+g}_{i \text{ times}}, \ldots \}.
    1. Prove that the additive group Zn\Z_\nmod, with operation addition mod n\nmod, satisfies the definition of a cyclic group, for any n\nmod, not just prime n\nmod. Be explicit about the group's generator.

    2. Translate the statement of the DDH assumption from multiplicative to additive notation.

    3. Does the DDH assumption hold in Zn\Z_\nmod? Is the discrete logarithm problem hard in Zn\Z_\nmod?

  11. Suppose you have eavesdropped on three DHKE sessions between the same pair of users. They are using Zn\Z_\nmod^* as their cyclic group. So for each i{1,2,3}i \in \{1,2,3\} you have observed AiA_i and BiB_i in the following:

    Now suppose you later learn that Alice chose a1,a2,a3a_1, a_2, a_3 to be consecutive integers, and similarly Bob chose b1,b2,b3b_1, b_2, b_3 to be consecutive. You also obtain the value of K2\key_2.

    1. Describe how you can efficiently compute K1\key_1 and K3\key_3.

    2. What are K1\key_1 and K3\key_3 in the following scenario?

      n=1070538477844925558346742185962074457246009909490481180812555120827296369772531487275839473750055867983962815645557115890338108592063470237662685058208470435896631457473692427395437049096290744587009810907170636836528660370698233089143831493001369304965665492345148039330577168709331538411634016221721g=2A1=1037797565320021724146377497526479653112494893566203752644966232886785053133688308755692884169294571337976918667742856159151525011741827216107686024550948098265033995799432853918701021959063865833881200694509119050597210611682953107392278106002581522501641634878928892553668004817191171214602943561786B1=901697775949936253907049992659094952630481123473588678420595948841402174300000881648108423314154966611325820842764731317869613414549140160973118813037043902279187471332718799558657031384932585955321343983286876169101435759485390824261319705010405974688309919098849215361769891736907630437062385181077K2=737062786094183117391522734445098197788358661110754984423292245833445605116638567048922522967380237783103398098652109191477968418343209424300008301942837157875001158506915678403286616052346777340253660078147930230017123489482155651484349401636382342648869132571383684092041811473740996293032962275942\begin{aligned} n &= \longnum{1070538477844925558346742185962074457246009909490481180812555120827296369772531487275839473750055867983962815645557115890338108592063470237662685058208470435896631457473692427395437049096290744587009810907170636836528660370698233089143831493001369304965665492345148039330577168709331538411634016221721} \\ g &= 2 \\ A_1 &= \longnum{1037797565320021724146377497526479653112494893566203752644966232886785053133688308755692884169294571337976918667742856159151525011741827216107686024550948098265033995799432853918701021959063865833881200694509119050597210611682953107392278106002581522501641634878928892553668004817191171214602943561786} \\ B_1 &= \longnum{901697775949936253907049992659094952630481123473588678420595948841402174300000881648108423314154966611325820842764731317869613414549140160973118813037043902279187471332718799558657031384932585955321343983286876169101435759485390824261319705010405974688309919098849215361769891736907630437062385181077} \\ K_2 &= \longnum{737062786094183117391522734445098197788358661110754984423292245833445605116638567048922522967380237783103398098652109191477968418343209424300008301942837157875001158506915678403286616052346777340253660078147930230017123489482155651484349401636382342648869132571383684092041811473740996293032962275942} \end{aligned}
  12. Use the rules that define elliptic curve addition to derive the fact that A+0=AA+0=A for all AA on the curve.

Chapter Notes

The exponentiation algorithm referenced in exercise 13.4 is called the Montgomery ladder and is due to Montgomery [166].

Diffie-Hellman key exchange was proposed by Whitfield Diffie and Martin Hellman [83]. Regarding the name of the protocol, Martin Hellman has later stated:

If you're going to put names on it, it should be called Diffie-Hellman-Merkle key exchange, since it's actually based on a concept of Merkle's. We give him credit for that in the paper, but it was in a paper by Diffie and Hellman, so it's called Diffie-Hellman key exchange. [221]

“Merkle” refers to Ralph Merkle, who in 1974 (several years before Diffie and Hellman had their idea) proposed a different method for key exchange in a proposal for an undergraduate class project [159]. Hellman also credits John Gill for suggesting modular exponentiation as a function that is easy to compute and difficult to invert.

The DDH assumption was first explicitly considered by Brands [52].

Edwards proposed his curve equation in 2007 [94]. Bernstein and Lange proposed a generalization called twisted Edwards curves [37].

  1. Previous Chapter12. Random Oracles and Other Idealized Models
  2. Next Chapter14. Public-Key Encryption