Key Exchange
All security guarantees of symmetric-key cryptography stem from the basic assumption that the sender and the receiver know a secret key that the adversary doesn't. It's finally time to face the obvious follow-up question: Where does this secret key come from?
This chapter is about how two users, who have no shared secrets, can obtain a shared secret even in the presence of an eavesdropper.
13.1. Cyclic groups
This chapter builds towards a key exchange protocol based on an algebraic structure called a cyclic group. The concept is best illustrated by an example involving multiplication modulo a prime:
The following sage code prints the powers of 2 mod 13:
Notice that every number from appears above. In other words:
Every element of can be written as a power of 2 (mod 13).
This example shows that 2 is a special element mod 13. Other elements are not so special:
Not every element of can be written as a power of 3:
Only 1, 3, and 9 are powers of 3 mod 13.
A set is called a group if it has an operation defined on its elements, which we will write as multiplication, that satisfies the following rules:
-
Closure: For any , their product is also in .
-
Identity: There is a special element such that for all .
-
Associativity: For any , we have .
-
Inverses: For any , there is an element such that .
The order of a group is its cardinality, .
The group is called a cyclic group if there is a special element , called a generator, such that:
That is, every element of can be written as a power of . In these expressions, means:
Generators of cyclic group are also sometimes called primitive roots.
The set is a group whose operation is multiplication mod 13. Recall from section 3.4 that since 13 is prime, every element in this set has a multiplicative inverse. Furthermore, this group is cyclic with 2 as a generator. This group has order 12.
A cyclic group can have more than one generator. See if you can find another generator of .
If is prime, then the set , called the multiplicative group mod , is a cyclic group with respect to multiplication-mod-.
Multiplicative groups modulo a prime are a good mental model of cyclic groups. However, there are much better choices of cyclic groups for cryptography, which we will see later. Therefore, the results in this chapter are presented abstractly, in terms of an unspecified cyclic group.
If is cyclic with order , then its elements can be written as . Thus:
-
One way to sample uniformly from is to first sample an exponent uniformly from and output .
-
Exponents in the group work mod . In other words, we have:
Finding a generator: To do cryptography in a cyclic group, you need to know a generator of the group. A generator can be found by trial and error, if you know the prime factorization of the group's order. We won't prove the following fundamental fact about groups:
Let be an element (not necessarily a generator) of a group , and define the order of as the smallest positive integer such that . Then for any , the order of divides the order of the group .
Another way to define the order of is the cardinality of the set . If is a generator, then its order is exactly . In a previous example we showed that, with respect to arithmetic mod 13, has order 3, which indeed divides the order of the group .
Now, suppose we want to check whether is a generator of . In other words, we want to check whether has order . We simply need to check whether for any proper divisor of . So raise to the power for every prime divisor of . If none of these exponentiations result in 1, then must have order and be a generator.
13.1.1. The discrete logarithm problem
Since every element in a cyclic group can be written as some power of the generator, a natural question is: Given an element of the group, which power of the generator is it?
The discrete logarithm problem in a cyclic group is:
Given an element of the group, and a generator , find an integer such that .
This problem is called a logarithm problem because it involves solving for the unknown exponent in an expression like . But discrete logarithms are different from your usual logarithms in a few important ways:
-
The solution to a discrete logarithm problem is always an integer (hence, “discrete”).
-
In some cyclic groups, the discrete logarithm problem is computationally hard. There is no known polynomial-time algorithm.
This second point is relevant to cryptography: It means that in some cyclic groups, the operation is easy to compute, but its inverse is hard to compute.
Measuring Efficiency: We need to be careful when talking about the efficiency of algorithms dealing with huge numbers. Consider the following algorithm for solving the discrete log problem in a cyclic group of order :
I previously claimed that there is no polynomial-time algorithm for discrete log (at least in some groups), but isn't this a -time algorithm that works for any group?
Indeed, this algorithm is , but is not the length of the algorithm's input! The algorithm receives just one group element as input, and if the group has order , each group element can be written in bits. The running time of this elementary discrete log algorithm, as a function of its actual input length , is ; it is not a polynomial-time algorithm. As we will see later in this chapter, cryptography based on cyclic groups requires groups where is huge (e.g., , ), so an algorithm running in time is useless.
When we say that the discrete logarithm problem is hard, we mean there is no known algorithm for discrete log that runs in polynomial time as a function of in a group of order .
The defining property of a cyclic group is that every element can be written as . Given , it is hard to compute , but while reasoning about cryptography, it usually makes things much easier if you express every group element in this way, as a power of the generator. For example, if some cryptographic algorithm receives a group element and computes , it will probably aid your understanding of the algorithm to think about as (for some that might be hard to compute) and as .
13.1.2. Efficient exponentiations
Cryptography based on cyclic groups involves a lot of exponentiation, computing expressions like . This is meant to be the “easy” direction, compared to the “hard” direction of computing discrete logarithms. So it's important to understand exactly how these expressions can be computed efficiently, in polynomial time in the number of bits required to write each group element.
For the sake of concreteness, let's consider multiplicative groups modulo a prime and use the prime as an example. You can trust me that 2 is a generator of this group. How would you compute an expression like ? Even sage, which handles huge integers with ease, seems to have problems:
What went wrong? We have just asked sage to first evaluate as an integer, and then reduce it mod . But that huge integer would require 1234567891011 bits (154 GB) to write down, which is beyond what sage is willing to use. And this is with a “small” exponent, a 40-bit integer. Imagine if the exponent were 256 bits long!
Concept 1: Reduce as you go: The best trick for modular arithmetic is that if you need the final answer mod , then you can/should reduce all intermediate steps mod . In other words, you can compute an expression like by performing many multiplications, and these should be multiplications mod , not multiplications over the integers. Hopefully this makes sense, because, after all, we are thinking of a cyclic group whose operation is multiplication-mod-, not multiplication over the integers.
We can ask sage to use multiplication-mod- by creating a Mod object, which overloads multiplication (and therefore exponentiation) appropriately:
Concept 2: Exponentiation by squaring: Your mental model for evaluating an expression like might be something like this:
But this can't possibly be how sage does it, because it can compute instantly. It could not have possibly performed 1234567891011 multiplications. And indeed, this simple exponentiation algorithm runs in time, which is exponential in the number of bits required to write .
A much better way to exponentiate can be illustrated with the following example:
Every “” or “” in this expression represents one multiplication that must be performed, and you can see that this expression computes using not 18 multiplications, but only 6.
This exponentiation strategy is called repeated squaring, and can be written recursively:
Remember, the multiplications and squarings in this algorithm should use the cyclic group operation (in our running example, multiplication-mod-) so that intermediate values are consistently reduced mod .
The total cost of this algorithm is multiplications, because at each recursive level it performs at most 2 multiplications, then recurses on a new exponent roughly half the size. Its running time is polynomial in the number of bits in .
Any implementation of this exponentiation algorithm on a real computer will almost surely leave side-effects that leak information about the exponent. And when we use cyclic groups for cryptography, the exponent is usually the secret key. So you should never actually use this exponentiation algorithm for cryptography. See exercise 13.3 for an illustration of the problem, and see exercise 13.4 for a better alternative.
13.2. Diffie-Hellman key exchange
In 1978, Whitfield Diffie and Martin Hellman published New Directions in Cryptography, the most important paper in the history of cryptography. In this paper they describe an ingenious method for two users to generate a shared secret key “from nothing.” Their method is interactive: The two users, who share no secrets, exchange messages with each other until they can both compute a common key. Yet anyone observing their communication will not be able to learn this key. In their method, amazingly, you learn more by participating than by observing.
The Diffie-Hellman protocol uses a cyclic group with generator . The main idea is that the users exchange public messages and , and define as their shared secret. The user who sent knows the secret and can compute the key as ; the other user knows and can compute the secret as . (The usual rules of exponents hold in any cyclic group.) However, an outside observer who sees and will have difficulty computing .
Let be a cyclic group with generator and order . the Diffie-Hellman key exchange (DHKE) protocol is defined as follows:
Here's how to interpret a protocol diagram like this: Each user's actions are specified sequentially, starting from the top and proceeding downward. Arrows indicate messages from one user to the other. Thus, Alice samples and computes , while Bob (simultaneously) samples and computes . Alice sends to Bob and Bob sends to Alice. Finally, Alice computes and Bob computes .
Here is one possible execution of DHKE using the multiplicative group over prime , with generator 2. The order of the group is . Here is the interaction from Alice's point of view:
And from Bob's point of view:
In this example, both Alice and Bob compute the same key. These are large numbers for humans, but they are still too small to provide good security; see below.
13.2.1. Passive Security
To keep things simple, in this chapter we focus on the most basic security property for a key exchange protocol: security against a completely passive eavesdropper. An adversary who merely observes the victims' interaction should not be able to learn their shared key. More precisely, the victims' shared key should look pseudorandom from the adversary's point of view.
The security condition can be formalized by saying that the following two libraries are indistinguishable:
In other words, no adversary should be able to distinguish the real key from a truly uniform, unrelated key, even after seeing the DHKE transcript. Remember, in a real application of DHKE the users will use the resulting shared key for symmetric-key cryptography. But in this attack scenario, the libraries give the key to the adversary; this is our way of saying “the DHKE shared key is just as good as a truly uniform key, no matter what it is used for.”
Given the earlier contents of this chapter, you might be expecting a proof of how DHKE is secure in this sense, assuming that the discrete logarithm problem is hard in the cyclic group . Unfortunately, no such proof is known. Instead, the Diffie-Hellman protocol is so fundamental that we simply treat its (passive) security as a “fundamental” assumption about cyclic groups, and give it a nice name:
Let be a cyclic group with order and generator . The decisional Diffie-Hellman (DDH) assumption in is that the libraries and , shown above, are indistinguishable.
The DDH assumption is equivalent to the statement that the DHKE protocol is passively secure. It is a useful assumption, which can be used to prove the security of many other more complicated constructions.
Disclaimer: Key exchange, as defined in this chapter, is unauthenticated. Passive security means: The two protocol participants—whoever they may be!—agree on a key that looks pseudorandom to an eavesdropper. Passive security gives no guarantees about the identity of those participants. In the real world there is rarely much use in agreeing on a key shared with “whoever might be on the other end of this connection.” Usually, one has a clear intent about their KE partner's identity.
Think of this chapter not as the complete story of key exchange, but just the beginning. What we are calling passive security is the bare minimum level of protection you might want in a key exchange protocol. Incorporating authentication into key exchange is the subject of chapter 18.
13.2.2. Choosing a strong cyclic group
Although we have built intuition about cyclic groups using multiplicative groups , these are not the best choice for Diffie-Hellman, for a few reasons. The most glaring one is that DDH is false in ! There is an efficient algorithm that, given , can determine whether is even or odd, and this is enough to contradict the DDH assumption. The exercises explore this fact in more depth.
Quadratic Residues: The problem with has something to do with the fact that it has elements, which is even when is an odd prime. If we want the DDH assumption to hold in a cyclic group, it is helpful if the group's order does not have small prime factors, like 2 in this case. One way to eliminate this factor of 2 is to consider the subgroup of quadratic residues mod .
The group of quadratic residues modulo , written , is the set of all squares in :
In particular, when is cyclic, consists of all the elements of with even exponents:
Thus, is also cyclic, with as its generator.
When is an odd prime, squaring-mod- is a 2-to-1 function, just like it is in the real numbers. Thus, contains exactly half of the elements of , so . The best chance to ensure problems like DDH and discrete logarithm are hard is when is itself prime. If and are both prime, then is called a safe prime. The DDH assumption is widely believed to hold in the group of quadratic residues modulo a safe prime.
Avoid DDH altogether: Exercise 13.8 proposes another way around the deficiencies of . It is possible to prove security of a modified variant of DHKE, under a slightly weaker assumption about the cyclic group. Although DDH does not hold in , this weaker assumption is widely believed to hold.
Elliptic curves: The best cyclic groups for Diffie-Hellman are not based on multiplication mod , but on an entirely different algebraic structure called an elliptic curve. These groups are introduced in more detail in section 13.4.
13.3. Key exchange in the abstract
The Diffie-Hellman protocol is just one example of a key exchange protocol. In this section we formalize key exchange as an abstract cryptographic primitive.
Key exchange is more cumbersome to formalize than other primitives because it is inherently interactive. The security guarantee for KE involves two users interacting, and we need to be able to reason about the messages they exchange as well as their final output. Below is one possible approach for formalizing arbitrary interactive protocols:
A (2-party) protocol consists of two programs and containing special send and recv commands. We write
to denote the result of running and in the natural way: whenever executes “send ”, the value is passed to the next recv command in , and vice versa. The output of “” is a triple, where:
-
is the protocol's transcript, a sequence of all messages sent between and during the execution.
-
is the final output of .
-
is the final output of .
The Diffie-Hellman protocol can be expressed as the following pair of programs alice and bob:
Let be 2-party protocol where both users output a value from . Then is a key exchange (KE) protocol if the two parties terminate with matching outputs. More formally, the following code outputs with probability 1:
The protocol satisfies passive security if the following two libraries are indistinguishable:
Key exchange is also commonly called key agreement.
I like to think of as describing a world in which Alice and Bob run a key exchange protocol as a decoy but then a magical fairy gives them both an unrelated key that they use for their symmetric-key cryptography.
Remember, this is a definition of passive security, against an adversary who merely observes the victims' interaction. It implies no guarantees for the victim when an adversary participates in the protocol and possibly deviates from the specification. It provides no guarantees about the identities of the KE participants. Chapter 18 is devoted to these security properties.
13.4. ☆ Elliptic curves
In section 13.2.1 we discussed as a group in which the DDH assumption is believed to hold, when is a safe prime. However, that discussion conveniently ignored the question of how big should be. This is a question about concrete security. We typically choose parameters so that the best known attacks require effort. For example, the best known attacks against PRFs are simple brute-force, so we can choose -bit PRF keys. The best known attack against collision resistance is a birthday attack which is faster than brute-force, so we choose hash functions whose output length is .
The best known way to break DDH in is to solve the discrete logarithm problem mod . The best known discrete log algorithms are not polynomial-time, but considerably faster than brute force. Here is a table showing, for a few target values , how large must be so that the fastest known discrete log algorithms would require effort:
| 128 | |
| 192 | |
| 256 |
In other words, DHKE over requires group elements that are at least 3072 bits long. Since the cost of modular exponentiation algorithms scale with the cube of the input size, these huge groups are an expensive choice.
This section is a brief overview of a completely different kind of cyclic group, called an elliptic curve group, which (disappointingly) has very little to do with ellipses. These groups lack much of the structure of and , which is a good thing, since that additional structure is precisely what can make the discrete logarithm problem easier. The best known discrete log algorithms on elliptic curve groups require time in a group of order . Thus, we can make the discrete log problem require effort by choosing an elliptic curve group with order only . Concretely, elliptic curves allow us to use Diffie-Hellman with 256-bit group elements instead of 3072-bit group elements.
13.4.1. Elliptic curves over the real numbers
We will first build some geometric intuition for elliptic curves by investigating curves defined over the real numbers. Cryptographic applications use curves defined using modular arithmetic, which we will discuss later.
Let and be two fixed constants. The elliptic curve consists of all points that satisfy the equation:
Below are a few representative shapes that an elliptic curve can take:
Point addition: Given two points on an elliptic curve, there is a special way to “add” them, resulting in another point on the curve. This point addition operation is somewhat complicated, but it can be derived by understanding how straight lines intersect the elliptic curve.
Given an elliptic curve, define an addition operation as follows:
-
Include a special point at infinity, which lies on every vertical line (think of it as both the north and south poles, simultaneously). This point at infinity is considered to be an element of the elliptic curve, and it is called 0, since it is the addition operation's neutral element.
-
If any line intersects the elliptic curve at three points , , and , we say that . The three points are counted with multiplicity— that is, we can have when the line is tangent to the curve. The three points may also include the point at infinity, when the line is vertical.
In each of the following pictures, the points , , and sum to zero:
In the second picture, the line is tangent to the curve at . In the third picture, is the point at infinity.
Definition 13.4.3 might seem unsatisfying as a definition of an addition operation. But we can use it to define addition in a more concrete, procedural way.
If is a point on an elliptic curve, then “” is the point obtained by reflecting across the -axis. (The special point at infinity is its own reflection across the -axis.)
Let be the reflection of across the -axis. Then the line through and is vertical, so it also intersects the curve at the point at infinity . (We might also have , if the point is on the -axis. Then the line we must consider is the tangent line at , which (if it exists) will also be vertical because the curve is symmetric across the -axis.) This is the scenario illustrated in the third picture in example 13.4.4. Since , , and are the intersection points between a line and the curve, we have
Since , we then have . Thus, is “.”
Point addition can be performed procedurally in the following way:
Let and be two points on an elliptic curve. To find :
-
Imagine the line through and . If , then the line is tangent to the curve; if one of and is zero (the point at infinity), then the line is vertical.
-
Denote by the third intersection point of that line with the curve.
-
Since , we have . In other words, is the reflection of across the -axis.
Each of the following pictures illustrates how to find given and :
Additive notation for groups: These rules define an addition operation for points on an elliptic curve, and that operation satisfies the necessary rules for a mathematical group.
Before now, we have written the operation of a (cyclic) group as multiplication, a reasonable choice for groups like whose operation is multiplication-mod-. With elliptic curves, it is the convention to write their operation as addition. We can rephrase the axioms of cyclic groups using additive notation:
-
There is a special element such that for all . In elliptic curve groups, this neutral element is the point at infinity.
-
Associativity: For all , we have . This fact is notoriously tedious to prove for elliptic curve groups, and it is hard to gain any intuition from the geometry of the problem.
-
Inverses: For every there is an element such that .
-
A generator of a cyclic group (in additive notation) is an element such that
Expressions like are usually written as or , so exponentiation becomes “scalar multiplication.” When using additive notation, we generally write group elements (including the generator) in uppercase and scalars in lowercase, in an attempt to reduce confusion.
-
Keeping in mind that (with terms), the discrete logarithm problem in additive notation is: Given and a generator , find an integer such that (with terms). Of course the name “logarithm” is not as prominently reflected in additive notation.
If you want to become a cryptographer, it's imperative that you develop very passionate feelings about additive vs. multiplicative notation.
13.4.2. Elliptic curves modulo a prime
Elliptic curves over the real numbers are helpful for developing a geometric intuition. But cryptography uses elliptic curves defined over the integers mod , where is a prime. Such a curve consists of all points — where now and belong to — that satisfy the curve equation .
Group addition works by expressing the geometric steps from definition 13.4.3 algebraically and “simply” performing that algebraic manipulation mod . Some of these steps, like finding the line passing through two points, require division, and thus must be prime to ensure the existence of multiplicative inverses.
Most of the examples so far have used the curve . Here are the points that satisfy this equation mod (point at infinity not shown):
Three points are highlighted, showing .
As you can see, geometric intuition is limited when working mod , and it's best to rely on algebra alone.
There are many choices for an elliptic curve; how should you choose one? The easy answer is to not choose your own but to use a standard, vetted curve from a reputable library. The choices that motivate standard elliptic curves are beyond the scope of this short introduction.
Curve25519 is a popular elliptic curve, defined by
with arithmetic operations modulo .
13.4.3. Elliptic curves in Sage
Here is how I used Sage to list all points on the curve from example 13.4.8:
Zmod(29) tells Sage to generate a curve with operations mod 29. The list [-2,4] gives parameters of the curve equation. If you wonder why Sage prints the curve equation as when we asked for a coefficient of , it's because .
The .points() method will return all of the points on the curve (so don't do this for a curve with points). But if you print a point on the curve, it will display in a different coordinate system that we will not discuss. (This alternate coordinate system avoids special cases to handle the point at infinity.) These point objects can be converted to a more familiar pair with the .xy() method, which will raise an exception for the point at infinity, since it has no coordinates.
To convert an pair to a elliptic curve point object, whose addition operation is overloaded appropriately, you can just use the elliptic curve object E as a constructor:
13.4.4. Pitfalls and fine print
A complete treatment of elliptic curves is well beyond the scope of this book. To give you a peek into the guts of elliptic curves, here are a few issues that arise:
Degenerate curves: The right-hand side of the elliptic curve equation is a cubic expression of , and usually has three distinct roots. However, if then the cubic has repeated roots. We call the elliptic curve degenerate in this case. Degenerate curves have points with an undefined tangent, and the curve addition law breaks down for these points.
We always restrict our attention to and that avoid this degeneracy condition.
Curve Equations: The point addition algorithm for elliptic curves involves many special cases, like when , when one of is the point at infinity, when is the point at infinity, and so on. These special cases can be tricky to implement correctly, and if one is not careful, the running time of the point addition algorithm may leak information about secret exponents (scalars).
One way to improve the point addition algorithm is to use a different kind of defining equation for the curve. So far we have considered only curves defined by , known as a Weierstrass curve equation. Other curve equations are possible, notably:
-
Edwards curves are defined by .
-
Montgomery curves are defined by .
Not every curve can be expressed by these special kinds of curve equation, but those that can enjoy improved point addition algorithms: faster, and with fewer special cases than Weierstrass curves.
Twists: If is on an elliptic curve, then so is , and these are the only two points on the curve with this coordinate. Thus, it is common to communicate points on the curve using only their -coordinate, plus one bit representing the sign of .
However, not every coordinate corresponds to a point on the curve. For example, in the elliptic curve over , there is no point with -coordinate 5, because the right-hand side of the curve equation evaluates to , but there is no satisfying .
For every elliptic curve there is a companion curve, called the twist. Interestingly, every -coordinate corresponds to a point either on the primary curve or its twist, and never both: The two curves exactly partition the set of -coordinates. The twist of our example curve has the form , where can be any non-square (non-quadratic-residue)—say, 3 in our example above.
Twists can be problematic. Suppose a victim is running DHKE, so they expect to receive an elliptic curve element and “exponentiate” it with their secret Diffie-Hellman exponent (apologies for mixing additive and multiplicative terminology here). If group elements are communicated using only their -coordinates, and an adversary sends an coordinate from the twist, then the victim will perform the exponentiation over the twist curve. It is possible that the discrete logarithm problem is much easier on the twist curve than on the primary curve, in which case this attack would make it easier for an adversary to recover the secret exponent. This problem can be dealt with in two ways (not mutually exclusive):
-
Always check whether a point lies on the intended curve before performing operations on it.
-
Choose a cryptographically strong elliptic curve whose twist is also strong.
Cofactors and Small Subgroups: Many cryptographic applications of cyclic groups require a group of prime order. Unfortunately, elliptic curve groups often do not have prime order. For example, Edwards and Montgomery curve equations always produce a group whose order is a multiple of 4. If we want to take advantage of the algorithmic benefits of those curve equations, we need a way to cope with their composite order. Below is a general discussion of composite-order groups, which is not specific to elliptic curves. Therefore, we will use multiplicative notation.
Suppose is a cyclic group of composite order , with generator . Thus, , and everything “in the exponent” happens mod . Now consider the powers of :
There are only possible values before completing a cycle. We say that generates a cyclic subgroup of order .
The math of elliptic curves often gives us a cyclic group of order , where is very small and is a huge prime. Usually, or ; this value is called the cofactor of the curve. Given such an elliptic curve, we can just take to be the generator, and everything will happen in the prime ()-order subgroup. Problem solved, right? Not so fast!
Imagine a situation in which a victim receives a group element from an untrusted source and computes , where is secret. The computation will work fine, not just for elements of the prime-order subgroup, but for the entire composite-order group as well. In particular, an adversary could choose from the order- subgroup (such a subgroup exists because divides the overall order). The result of will remain in the order- subgroup. But because is so small, it is easy to compute discrete logarithms in the order- subgroup by brute force. Thus, the adversary can compute the discrete log , leaking some information about the secret which would not be possible if the computation remained in the desired order- subgroup.
These problems can be avoided by always ensuring that untrusted group elements are in the desired subgroup. The easiest way to do this is to raise an element to the power; this is called clearing the cofactor. An alternative approach is proposed later in exercise 15.29.
Exercises
-
h A group is commutative if for all . Prove that every cyclic group is commutative.
Use the fact that every element in can be written in the form .
-
What are all the generators of ?
-
h Simple power analysis (SPA) is a physical attack in which the adversary observes how much voltage is drawn by the CPU while an algorithm is running. In this exercise, you will show an SPA attack against the repeated-squaring method of exponentiation, shown in section 13.1.2.
The repeated-squaring algorithm involves multiplication and squaring steps. Suppose that by monitoring a CPU's voltage it is easy to determine whether it is performing a multiplication or squaring. (This is a very realistic assumption.) Then an SPA attack is equivalent to having the printed output of the following modified algorithm:
Describe how you can completely recover the exponent , given the printed output of this program.
Express the concepts “ is odd,” “ is even,” “,” and “” strictly in terms of the bits of .
-
Fill in the missing details of the following recursive algorithm for exponentiation, while obeying the following invariants:
-
On input , the algorithm should return a pair .
-
No matter whether is even or odd, the algorithm should perform 1 recursive call, then 1 squaring and 1 multiplication.
Explain why this method of exponentiation is immune to the simple power analysis attack described in exercise 13.3.
-
-
Rewrite the recursive algorithms from exercises 13.3 and 13.4 as iterative algorithms. Your algorithms should iterate over the bits of the exponent.
-
Suppose you are given an element from a cyclic group . Assume that the discrete logarithm problem is hard in ; however, I have generously agreed to tell you the discrete logarithm of any single element, except . Explain a strategy by which you can efficiently learn the discrete logarithm of .
-
Suppose there is a polynomial-time algorithm that solves the discrete logarithm problem in . Show that and are not indistinguishable. Or, equivalently, show an attack against the passive security of DHKE over .
-
The computational Diffie-Hellman (CDH) assumption states that it is hard to compute given and . It is defined formally by saying that the following two libraries are indistinguishable:
:return:return:return:returnHashed DHKE is a variant of DHKE in which the parties exchange and as usual, but use as their output instead of just . Prove that hashed DHKE is a passively secure key exchange in the random oracle model (modeling as a random oracle), if CDH holds in the cyclic group.
-
Suppose there is a polynomial-time algorithm that on input can determine whether is even. Show that the DDH assumption is false in . Or, equivalently, show an attack against the passive security of DHKE over .
-
Recall the additive notation for cyclic groups:
-
Closure: For any , their sum .
-
Identity: There is a special element such that for all .
-
Inverses: For any , there is an element such that .
-
Associative: For any , we have .
-
Cyclic: There is a special element such that
-
Prove that the additive group , with operation addition mod , satisfies the definition of a cyclic group, for any , not just prime . Be explicit about the group's generator.
-
Translate the statement of the DDH assumption from multiplicative to additive notation.
-
Does the DDH assumption hold in ? Is the discrete logarithm problem hard in ?
-
-
Suppose you have eavesdropped on three DHKE sessions between the same pair of users. They are using as their cyclic group. So for each you have observed and in the following:
Now suppose you later learn that Alice chose to be consecutive integers, and similarly Bob chose to be consecutive. You also obtain the value of .
-
Describe how you can efficiently compute and .
-
What are and in the following scenario?
-
-
Use the rules that define elliptic curve addition to derive the fact that for all on the curve.
Chapter Notes
The exponentiation algorithm referenced in exercise 13.4 is called the Montgomery ladder and is due to Montgomery [166].
Diffie-Hellman key exchange was proposed by Whitfield Diffie and Martin Hellman [83]. Regarding the name of the protocol, Martin Hellman has later stated:
If you're going to put names on it, it should be called Diffie-Hellman-Merkle key exchange, since it's actually based on a concept of Merkle's. We give him credit for that in the paper, but it was in a paper by Diffie and Hellman, so it's called Diffie-Hellman key exchange. [221]
“Merkle” refers to Ralph Merkle, who in 1974 (several years before Diffie and Hellman had their idea) proposed a different method for key exchange in a proposal for an undergraduate class project [159]. Hellman also credits John Gill for suggesting modular exponentiation as a function that is easy to compute and difficult to invert.
The DDH assumption was first explicitly considered by Brands [52].
Edwards proposed his curve equation in 2007 [94]. Bernstein and Lange proposed a generalization called twisted Edwards curves [37].