FAST GENERATORS FOR THE DIFFIE-HELLMAN KEY AGREEMENT PROTOCOL AND MALICIOUS STANDARDS
BOAZ TSABAN
Abstract. The Diffie-Hellman key agreement protocol is based on taking large powers of a generator of a prime-order cyclic group. Some generators allow faster exponentiation. We show that, to a large extent, using these fast generators is as secure as using a randomly chosen generator. On the other hand, we show that if there is some case in which fast generators are less secure, then this could be used by a malicious authority to generate a standard for the Diffie-Hellman key agreement protocol which has a hidden trapdoor.
1. Introduction
The Diffie-Hellman key agreement protocol [3] is one of the most celebrated means for two parties, say Alice and Bob, to agree on a secret key over an insecure communication channel. Alice and Bob make their computations in some previously fixed cyclic group $G$ with an agreed generator $g$. The protocol is defined as follows:
(1) Alice chooses a random¹ $a \in \{1, \dots, |G|-1\}$ and sends $g^a$ to Bob.
(2) Bob chooses a random $b \in \{1, \dots, |G|-1\}$ and sends $g^b$ to Alice.
The agreed key is $g^{ab}$, which can be computed both by Alice (as $(g^b)^a$) and by Bob (as $(g^a)^b$).
Due to the Pohlig-Hellman attack [6] (which exploits the Chinese Remainder Theorem), it is preferred that the order of the group be prime, which is henceforth assumed.
Consider, for example, the case $g \in \mathbb{F}_p^*$. Let $q$ be the (prime) order of the generated group $G = \langle g \rangle \le \mathbb{F}_p^*$. Computing $g^x$ for $x \in \{1, \dots, q-1\}$ consists of squaring and multiplying. If $g = 2$, then the multiplication operation amounts to a shift and a modular reduction: for $h \in \mathbb{F}_p^*$,
$$2h \bmod p = \begin{cases} 2h & h < p/2 \\ 2h - p & p/2 \le h, \end{cases}$$
which is computationally negligible in comparison to multiplying by a random $g$. In standard square-and-multiply implementations this saves about 33% of the computational complexity of evaluating $g^x$ (in fact, squaring can often be done more efficiently than general multiplication, so this saves more). Thus, if $2 \in G$, we may wish to choose it as our generator. (In an implementation, the comparison with $p/2$ and the conditional subtraction must be done in constant time, since the branch depends on the secret intermediate value $h$.)

Key words and phrases. Diffie-Hellman Problem, Discrete Logarithm Problem, fast generators, trapdoor.

¹ Throughout the paper, by random we mean uniformly random and independent of earlier samples.
We show that, in the common interpretation, this can be done with no loss of security. On the other hand, we show that if there is a conceivable way to make some generators weaker than random ones, then this can be used by an authority of standards to find parameters for the Diffie-Hellman protocol with a trapdoor allowing the authority to exploit the weakness. In the appendix we give an example of a public-key cryptosystem based on this phenomenon.
The results also apply to choices of efficient generators in other settings, e.g., low Hamming weight polynomials in $\mathbb{F}_{q^m}^*$.

2. A fast generator is almost as secure
Let $G = \langle g \rangle$ be a cyclic group of prime order $p$. Let $f \in G$ be any element except the identity. Then $f$ is a generator of $G$. In the intended application, $f$ is chosen so that the computation of $f^x$ is more efficient (we call $f$ a fast generator), or so that its usage is convenient for some other reason.
Fix $h \in G$. An algorithm $\mathrm{DH}_h$ (depending on $h$) is said to solve the Diffie-Hellman Problem (DHP) for base $h$ if, for each $x, y \in \{1, \dots, p-1\}$, $\mathrm{DH}_h(h^x, h^y) = h^{xy}$.
Henceforth, for a number $r \in \{1, \dots, p-1\}$, $r^{-1} \bmod p$ denotes the element $s$ of $\{1, \dots, p-1\}$ such that $sr = 1 \pmod p$.
The following theorem is presumably known to specialists, but we have not been able to find a reference. The method of proof, however, is standard.
Theorem 1. Assume that for some $f \in G \setminus \{1\}$ there exists an algorithm $\mathrm{DH}_f$ that solves the DHP for base $f$ in running time $T(f)$. Then for each $g \in G \setminus \{1\}$ there is an algorithm $\mathrm{DH}_g$ which solves the DHP for base $g$ in running time $O(T(f) \cdot \log p)$.
Proof. Given $g$, there exists a unique $r \in \{1, \dots, p-1\}$ such that $g = f^r$.

Lemma 2. Given $f^r$, we can compute $f^{r^{-1} \bmod p}$ using at most $2 \log p$ queries to $\mathrm{DH}_f$.

Proof. By Fermat's Little Theorem, $r^{p-1} = 1 \pmod p$, and therefore
$$r^{p-2} = r^{-1} \pmod p.$$
We can compute $f^{r^{-1}} = f^{r^{p-2}}$ using $\mathrm{DH}_f$ in a square-and-multiply manner: write $p-2$ in base 2 as $b_0 + b_1 \cdot 2 + \dots + b_n \cdot 2^n$ with $b_n \neq 0$ (then $n \le \log_2 p$). Let $f_0 = f^r$. For each $i = 1, 2, \dots, n$ compute $h_i = \mathrm{DH}_f(f_{i-1}, f_{i-1})$, and let $f_i = \mathrm{DH}_f(h_i, f_0)$ if $b_{n-i} = 1$, and $f_i = h_i$ otherwise. By induction, $f_i = f^{r^{e_i}}$ where $e_i$ is the number whose binary digits are $b_n, \dots, b_{n-i}$, so $f_n = f^{r^{p-2}}$. Each step uses at most two queries, which gives the bound. □

Now, assume that we are given $g^x, g^y$ and we wish to find $g^{xy}$. Recall that $g = f^r$. Compute $f^{r^{-1}}$ as in Lemma 2, and proceed with
$$\mathrm{DH}_f(f^{r^{-1}}, g^y) = \mathrm{DH}_f(f^{r^{-1}}, f^{ry}) = f^{r^{-1} r y} = f^y,$$
and
$$\mathrm{DH}_f(g^x, f^y) = \mathrm{DH}_f(f^{rx}, f^y) = f^{rxy} = g^{xy}.$$
Note that $r$ itself is never computed; only $f^r = g$ and $f^{r^{-1}}$ are used. □
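Theorem 1 and Lemma 2 carried out in code, as an added example that is not part of the paper. The group is a constructed toy, the subgroup generated by $f = 2$ in $\mathbb{F}_{167}^*$, which has prime order 83; the oracle $\mathrm{DH}_f$ is simulated by a stand-in that cheats with an exhaustive discrete-log search, which the reduction $\mathrm{DH}_g$ only ever uses as a black box, and a query counter checks the $2 \log p$ bound of Lemma 2. All names (`DHOracle`, `f_r_inverse`, `DH_g`, `demo`) and the secrets $r, x, y$ are the example's own assumptions.

```python
# Added example (not from the paper): Theorem 1 / Lemma 2 in a toy group.
# Constructed toy parameters: <2> has prime order 83 inside F_167^*
# (167 is prime, 167 = 2*83 + 1, and 2 is a quadratic residue mod 167).
P = 167      # field modulus (toy value)
Q = 83       # prime order "p" of the group G in the paper
F_GEN = 2    # the fast generator f

def brute_dlog(base, h):
    """Exhaustive discrete log in the toy group; used only to *simulate* DH_f."""
    return next(i for i in range(Q) if pow(base, i, P) == h)

class DHOracle:
    """Stand-in for DH_f: on (f^x, f^y) returns f^{xy}.  It cheats with
    brute_dlog, which the reduction never sees; it also counts queries so the
    2 log p bound of Lemma 2 can be checked."""
    def __init__(self, base):
        self.base = base
        self.queries = 0

    def __call__(self, X, Y):
        self.queries += 1
        x = brute_dlog(self.base, X)
        return pow(Y, x, P)

def f_r_inverse(DH_f, f_r):
    """Lemma 2: from f^r obtain f^{r^{-1} mod Q} = f^{r^{Q-2}} (Fermat) by
    square-and-multiply on the exponent r, where every multiplication of
    exponents costs one query to DH_f."""
    bits = bin(Q - 2)[2:]            # binary digits of Q-2, most significant first
    acc = f_r                        # leading bit is 1, so start at f^{r^1}
    for b in bits[1:]:
        acc = DH_f(acc, acc)         # exponent r^k -> r^{2k}
        if b == "1":
            acc = DH_f(acc, f_r)     # exponent r^k -> r^{k+1}
    return acc                       # f^{r^{Q-2}} = f^{r^{-1}}

def DH_g(DH_f, g, gx, gy):
    """Theorem 1: solve the DHP for base g using only DH_f.  Here g = f^r for
    an r that the reduction never learns."""
    f_rinv = f_r_inverse(DH_f, g)    # g is f^r, so this is f^{r^{-1}}
    fy = DH_f(f_rinv, gy)            # f^{r^{-1} * r y} = f^y
    return DH_f(gx, fy)              # f^{r x * y} = g^{xy}

def demo():
    """Run the reduction once and return (answer, expected, DH_f queries used)."""
    oracle = DHOracle(F_GEN)
    r, x, y = 37, 17, 29             # constructed secrets; r is unknown to DH_g
    g = pow(F_GEN, r, P)
    answer = DH_g(oracle, g, pow(g, x, P), pow(g, y, P))
    return answer, pow(g, x * y, P), oracle.queries

if __name__ == "__main__":
    print(demo())
```

With $Q - 2 = 81 = 1010001_2$, `f_r_inverse` issues six squarings and two multiplications, and `DH_g` adds two more queries, ten in all, well under $2 \log_2 83 + 2$.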
Remark 3 (Amplification). Theorem 1 generalizes to various other settings. For example, assume that $\mathrm{DH}_f$ only solves the DHP with probability $\epsilon$, i.e., for each $z \neq xy \pmod p$,
$$\Pr[\mathrm{DH}_f(f^x, f^y) = f^{xy}] \ge \Pr[\mathrm{DH}_f(f^x, f^y) = f^z] + \epsilon.$$
Then $\mathrm{DH}_f$ can be transformed into an algorithm which succeeds with probability arbitrarily close to 1: choose random $r, s \in \{1, \dots, p-1\}$, compute $f^{xr} = (f^x)^r$, $f^{ys} = (f^y)^s$, and $h = \mathrm{DH}_f(f^{xr}, f^{ys})$. If the output $h$ was correct, then
$$h = f^{xrys} = f^{xyrs}.$$
Let $t = (rs)^{-1} \pmod p$. Then, in the case of correct output $h$, $h^t = f^{xy}$. Since $r, s$ are fresh and uniform, the inputs to $\mathrm{DH}_f$ are random each time, so we can repeat this $O(1/\epsilon^2)$ times to get $f^{xy}$ as the most frequent value almost certainly.
Having transformed the algorithm into one which succeeds with probability very close to 1, the arguments in the proof of Theorem 1 apply. These assertions apply to all problems mentioned in this paper.
The closely related Discrete Logarithm Problem is much easier to deal with: an algorithm $\mathrm{DL}_h$ is said to solve the Discrete Logarithm Problem (DLP) for base $h$ if, for each $x \in \{1, \dots, p-1\}$, $\mathrm{DL}_h(h^x) = x$.

Theorem 4. Assume that $f \in G \setminus \{1\}$ and there exists an algorithm $\mathrm{DL}_f$ to solve the DLP for base $f$ in running time $T(f)$. Then for each $g \in G \setminus \{1\}$ there is an algorithm $\mathrm{DL}_g$ which solves the DLP for base $g$ in running time $O(T(f))$.

Proof. Given $g^x$, find $x$ using the following sequence of computations: $r = \mathrm{DL}_f(g)$, $rx = \mathrm{DL}_f(f^{rx}) = \mathrm{DL}_f(g^x)$, $s = r^{-1} \bmod p$, and $x = s \cdot rx \pmod p$. This uses two queries to $\mathrm{DL}_f$ and one modular inversion. □
A closely related problem remains open: an algorithm $\mathrm{DDH}_h$ is said to solve the Decisional Diffie-Hellman Problem (DDH) for base $h$ [1] if, for each $x, y, z \in \{1, \dots, p-1\}$, $\mathrm{DDH}_h(h^x, h^y, h^z) = 1$ if, and only if, $z = xy \pmod p$.

Problem 5. Assume that $f \in G \setminus \{1\}$ and there exists an algorithm $\mathrm{DDH}_f$ to solve the DDH for base $f$ in running time $T(f)$. Does there exist, for each $g \in G \setminus \{1\}$, an algorithm $\mathrm{DDH}_g$ which solves the DDH for base $g$ in running time polynomial in $T(f) \cdot \log p$?
Remark 6. Menezes has pointed out to us that in [2] it is shown that using 2 as a generator for certain discrete logarithm based signature schemes is vulnerable to forgeries, whereas in [7] it is shown that using a random generator in these schemes is provably secure (this is summarized in [9]). This can be contrasted with the results of the current section, and motivates the discussion in the remainder of the paper.
3. Malicious standards

One can still figure out models of security for which it is not clear that using fast generators is as secure as using a random generator. For example, assume that the following holds.
Scenario 7 (Malicious Diffie-Hellman (MDH)).
(1) There exist $f \in G \setminus \{1\}$, a function $F$, and an efficient algorithm $\mathrm{DH}_f$ such that for each $x, y \in \{1, \dots, p-1\}$, $\mathrm{DH}_f(f^x, f^y) = F(f^{xy})$.
(2) For a random $g \in G \setminus \{1\}$, $F(g^{xy})$ cannot be efficiently extracted from $g^x$ and $g^y$.
(3) For random $x, y$, $F(f^{xy})$ has enough entropy to generate a key for symmetric encryption (e.g., 80 bits).
Remark 8. While it seems unlikely that MDH could hold, we should note that the field is full of surprises. For example, in [4] it is shown that there are some groups where the Diffie-Hellman Problem is difficult and the Decisional Diffie-Hellman Problem (see Section 2) is easy. See Remark 6 for another example.
If MDH holds, then $\mathrm{DH}_f$ reveals some information on the agreed key obtained by the Diffie-Hellman protocol using $f$ as a generator. In an extreme case, the function $F$ could be the hash function which Alice and Bob use to derive from $f^{ab}$ a key for symmetric encryption. However, in general it is not clear how to use $\mathrm{DH}_f$ to reveal the same information on $g^{ab}$ for a random generator $g$. Of course, there is a random $r \in \{1, \dots, p-1\}$ such that $g = f^r$, and therefore
$$\mathrm{DH}_f(g^a, g^b) = \mathrm{DH}_f(f^{ra}, f^{rb}) = F(f^{r^2 ab}) = F(g^{rab}),$$
but $rab$ is a random element of $\{1, \dots, p-1\}$, independent of $ab$, so this information is of no use. Similar assertions hold for the Discrete Logarithm Problem.
Consequently, it might be the case that fast generators are not as secure as random ones. While we are unable to prove the impossibility of Scenario 7, we can show that if it is true, then we cannot trust given standards for the Diffie-Hellman key agreement protocol unless we know how they were generated.
Assume that MDH holds. Then an authority of standards can do the following: choose a uniformly random trapdoor $t \in \{1, \dots, p-1\}$, compute $g = f^t$, and suggest $(G, p, g)$ as the standard's parameters for the Diffie-Hellman key agreement protocol. As $t$ was uniformly random, $g$ is a uniformly random generator of $G$, so there is no way to tell that it was chosen in a malicious way. Now, assume that Alice sends Bob $g^a$ and Bob sends Alice $g^b$. For everyone but the authority of standards, deducing information on the agreed key $g^{ab}$ is infeasible, by item (2) of Scenario 7.

Claim 9. For all $a, b \in \{1, \dots, p-1\}$, the authority of standards can compute $F(g^{ab})$ efficiently.

Proof. Using the trapdoor $t$, compute $t^{-1} \bmod p$ and $(g^b)^{t^{-1}}$, which is the same as $f^{tbt^{-1}} = f^b$. Now compute $\mathrm{DH}_f(g^a, f^b) = \mathrm{DH}_f(f^{ta}, f^b) = F(f^{tab})$. But $f^{tab} = g^{ab}$. □

Consequently, the authority of standards can decrypt the messages sent between Alice and Bob.
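Claim 9 as a runnable toy, an added example rather than the paper's code. No group is known to satisfy Scenario 7, so the leaky oracle $\mathrm{DH}_f$ is faked: inside the constructed toy group $\langle 2 \rangle \le \mathbb{F}_{167}^*$ (prime order 83) it finds $f^{xy}$ by exhaustive discrete log and returns only $F$ of it, with $F$ taken to be a truncated SHA-256 as a hypothetical stand-in for the paper's $F$. The trapdoor $t$, the secrets $a, b$ and all function names (`leak_F`, `publish_standard`, `authority_recover`, `outsider_attempt`) are assumptions of the example; `outsider_attempt` shows the useless $F(g^{tab})$ that anyone without $t$ obtains, as computed above.

```python
# Added example (not from the paper): the malicious standard of Section 3 in a
# toy group, with a *faked* oracle for the hypothetical Scenario 7.
import hashlib

P, Q, F_GEN = 167, 83, 2   # constructed toy parameters: <2> has prime order 83 in F_167^*

def brute_dlog(base, h):
    """Exhaustive discrete log; only the faked oracle uses it."""
    return next(i for i in range(Q) if pow(base, i, P) == h)

def leak_F(elem):
    """Hypothetical F of Scenario 7: 64 bits derived from the group element."""
    return hashlib.sha256(elem.to_bytes(2, "big")).digest()[:8]

def DH_f_leaky(X, Y):
    """Faked MDH oracle: on (f^x, f^y) returns F(f^{xy}) and nothing else."""
    x = brute_dlog(F_GEN, X)
    return leak_F(pow(Y, x, P))

def publish_standard(t):
    """The authority's trapdoored parameter g = f^t for its secret t.
    Because t is uniform in {1,...,Q-1}, g is a uniformly random generator."""
    return pow(F_GEN, t, P)

def honest_key(a, gb):
    """What Alice derives: F(g^{ab}) from her secret a and Bob's public g^b."""
    return leak_F(pow(gb, a, P))

def authority_recover(t, ga, gb):
    """Claim 9: turn g^b into f^b with t^{-1} mod Q, then ask DH_f."""
    t_inv = pow(t, Q - 2, Q)          # t^{-1} mod Q by Fermat, as in Lemma 2
    fb = pow(gb, t_inv, P)            # (f^{tb})^{t^{-1}} = f^b
    return DH_f_leaky(ga, fb)         # F(f^{ta * b}) = F(g^{ab})

def outsider_attempt(ga, gb):
    """Without t, feeding g^a, g^b to DH_f yields F(g^{tab}), unrelated to g^{ab}."""
    return DH_f_leaky(ga, gb)

def demo(t=41, a=20, b=33):
    """Return (honest key, authority's key, outsider's guess) for constructed secrets."""
    g = publish_standard(t)
    ga, gb = pow(g, a, P), pow(g, b, P)
    return honest_key(a, gb), authority_recover(t, ga, gb), outsider_attempt(ga, gb)

if __name__ == "__main__":
    honest, auth, outsider = demo()
    print(auth == honest, outsider == honest)
```

The authority's value matches the honest key exactly, while the outsider's value is $F$ of a different group element, $g^{tab}$, which says nothing about $g^{ab}$.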
In the appendix we indicate a possible positive consequence of MDH. We believe that many more can be derived from it. The proof of the impossibility of MDH under mild hypotheses, or the construction of a system for which MDH holds, are fascinating challenges.

Remark 10. Galbraith has pointed out to us that there exist bit security results which show that for various natural functions $F$, computing $F(g^{ab})$ from $g^a$ and $g^b$ is as hard as the Diffie-Hellman Problem. See, e.g., [8] and references [1, 2] therein. This is evidence for the difficulty of establishing MDH.
Appendix A. A public-key cryptosystem from the Malicious Diffie-Hellman assumption
Assume that MDH holds for a group $G$ with prime order $p$ and a generator $f$. Then we define the following public-key cryptosystem for celebrities: in the intended application, we have some center (a "celebrity") sending messages to many recipients. The purpose is to minimize the communication load of the center's messages.
(1) $G$ and $p$ are publicly known.
(2) A celebrity, say Bob, chooses a random $r \in \{1, \dots, p-1\}$ and publishes $g = f^r$.
(3) Each one (say, Alice) who wishes to obtain messages from Bob in the future should choose a random $a \in \{1, \dots, p-1\}$ and publish $g^a$.
(4) When Bob wishes to encrypt a message to Alice, he computes $F(g^{a^2})$ (using $r$ he can do that, as shown in Section 3: $(g^a)^{r^{-1}} = f^a$, and $\mathrm{DH}_f(g^a, f^a) = F(f^{ra \cdot a}) = F(g^{a^2})$) and uses some known hash function of the result as a key for a block cipher with which he encrypts the message to Alice.
(5) Alice can compute $g^{a^2} = (g^a)^a$, hence $F(g^{a^2})$, and thus decrypt the message.
(6) Users other than Bob who wish to send messages to one another or to Bob can use standard algorithms like ElGamal.
Note that the length of Bob's encrypted messages is the same as that of the plain messages, since no ephemeral group element has to be sent along with the ciphertext.
Our suggested protocol is based on the difficulty of finding $g^{a^2}$ given $g^a$. Menezes has pointed out to us that in Section 5.3 of [5] it is shown that this is as difficult as the Diffie-Hellman Problem: indeed, given $g^a$ and $g^b$, compute $g^{a+b} = g^a \cdot g^b$, and then compute $g^{a^2}$, $g^{b^2}$, and $g^{(a+b)^2}$. Using these, compute
$$g^{2ab} = g^{(a+b)^2} \cdot (g^{a^2})^{-1} \cdot (g^{b^2})^{-1}.$$
Finally, compute $g^{ab} = (g^{2ab})^{2^{-1} \bmod p}$.
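The reduction from Section 5.3 of [5] that Menezes points to, as an added example that is not the paper's code: in the constructed toy group $\langle 2 \rangle \le \mathbb{F}_{167}^*$ (prime order 83), a squaring oracle $\mathrm{SQ}_g$ with $\mathrm{SQ}_g(g^a) = g^{a^2}$ is faked by exhaustive discrete log, and `dh_from_squaring` uses three queries to it plus the identities above to recover $g^{ab}$. The names `SQ_g`, `inv`, `dh_from_squaring` and the generator $g = 2^{37}$ are assumptions of the example.

```python
# Added example (not from the paper): g^{ab} from an oracle for g^a -> g^{a^2}.
P, Q = 167, 83             # constructed toy group: <2> has prime order 83 in F_167^*
G = pow(2, 37, P)          # a generator g of that subgroup (constructed choice)

def brute_dlog(base, h):
    """Exhaustive discrete log; only the faked oracle uses it."""
    return next(i for i in range(Q) if pow(base, i, P) == h)

def SQ_g(ga):
    """Faked squaring oracle: on g^a returns g^{a^2} (exponents live mod Q)."""
    a = brute_dlog(G, ga)
    return pow(G, a * a % Q, P)

def inv(elem):
    """Inverse of a group element in F_P^* (Fermat)."""
    return pow(elem, P - 2, P)

def dh_from_squaring(ga, gb):
    """Solve the DHP for base g with three squaring queries:
       g^{2ab} = g^{(a+b)^2} * (g^{a^2})^{-1} * (g^{b^2})^{-1},
       g^{ab}  = (g^{2ab})^{2^{-1} mod Q}."""
    g_sum_sq = SQ_g(ga * gb % P)               # g^{a+b} -> g^{(a+b)^2}
    g_2ab = g_sum_sq * inv(SQ_g(ga)) % P * inv(SQ_g(gb)) % P
    half = pow(2, Q - 2, Q)                    # 2^{-1} mod Q, Q an odd prime
    return pow(g_2ab, half, P)

def demo(a=17, b=29):
    """Return (recovered g^{ab}, true g^{ab}) for constructed secrets a, b."""
    return dh_from_squaring(pow(G, a, P), pow(G, b, P)), pow(G, a * b, P)

if __name__ == "__main__":
    print(demo())
```

The inverse of 2 is taken modulo the group order $Q$, not modulo $P$, because it acts on exponents; here $2^{-1} \bmod 83 = 42$.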
Remark 11. We can base a protocol with the same properties on the classical assumptions: Bob publishes $g$ and $g^b$ (for some random $b$ of his choice), and each other user, say Alice, publishes $g^a$ and computes a hash value of $g^{ab}$ to be used as the symmetric key to decipher messages from Bob. Thus, our suggested protocol should only be considered as an indication of the potential usefulness of MDH, which is not fully understood yet.
Acknowledgments. We thank Steven Galbraith and Alfred Menezes for their useful comments.