1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007.

Presentation transcript:

1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007

Rocky, K. C. Chang
2 Outline
- Multiplicative group modulo prime
- The basic Diffie-Hellman (DH) protocol
  - The discrete logarithm problem
  - Man-in-the-middle attack
- Other security problems about the subgroups
  - Using a safe prime
  - Using a smaller subgroup
- An enhanced DH protocol

3 Motivation for the DH protocol
- Using a secret-key cryptosystem, how many secret keys are needed for a group of n people to communicate?
  - $C(n, 2) = n(n-1)/2 = O(n^2)$
  - Managing a large number of keys is another problem.
- Whitfield Diffie and Martin Hellman asked
  - Whether this can be done more efficiently by having the encryption and decryption keys different.
  - Came up with the Diffie-Hellman (DH) protocol, which is a partial solution.
  - Agree on a secret key over an insecure channel.

4 Multiplicative group modulo prime
- Assume that p is a large prime ( bits long).
- The DH protocol uses $Z_p^*$, the multiplicative group modulo p.
- Recall that there exists at least one primitive element in $Z_p^*$.
  - More precisely, there are (p–1) of them.
  - Each one of them can generate the entire $Z_p^*$.

5 The basic DH protocol
- Agree on a large prime p and a primitive element g in $Z_p^*$.
  - Both p and g are not secrets.
- Alice (Bob) chooses a random x (y) in $Z_p^*$ (1, 2, …, p–1) and computes $g^x \bmod p$ ($g^y \bmod p$).
  - Send the result to Bob (Alice), and the result is not a secret.
- Alice computes the secret key k as $(g^y \bmod p)^x \bmod p = g^{xy} \bmod p$.
- Bob computes the secret key k as $(g^x \bmod p)^y \bmod p = g^{xy} \bmod p$.

6 The basic DH protocol

7 The discrete logarithm problem
- Given the knowledge of p, g, $g^x \bmod p$, and $g^y \bmod p$, how does an attacker find $g^{xy} \bmod p$?
- The best method known is to solve the discrete logarithm problem.
  - Given $X = g^x \bmod p$, g, and p, find x ($x = \log_g X$).
  - Analogous to computing logarithm in real numbers.
  - With x and $g^y \bmod p$, one can compute $g^{xy} \bmod p$.

8 For example,
- p = 13 and g = 2 is a primitive element
  - Given $g^x \bmod p = 1$, x = 0
  - Given $g^x \bmod p = 2$, x = 1
  - Given $g^x \bmod p = 3$, x = 4
  - Given $g^x \bmod p = 4$, x = 2
  - …
- Solving the discrete logarithm problem
  - Exhaustive search by computing $g^1, g^2, g^3, \ldots$, until $g^x$ is found.
  - Precompute all possible values of $g^i$, and then sort the list of ordered pairs $(i, g^i)$ with respect to the second component. Perform a binary search for $g^x$.
  - Many other smart algorithms

9 Man-in-the-middle attack
- The basic DH protocol does not protect against the man-in-the-middle attack.
- Alice cannot authenticate whether the other side is Bob, and vice versa.
- Instead, Eve establishes secret keys with Alice and Bob.
  - Eve can relay the message so that both sides are not aware of the attack.
  - Need authentication mechanisms.

10 Man-in-the-middle attack

11 Additional security problems
- Problem 1: Eve can intercept $g^x \bmod p$ and $g^y \bmod p$, and replace them with 1.
  - Therefore, k = 1.
- Problem 2: g may not be a primitive element of $Z_p^*$.
  - The order of g (denoted by t) may not be large enough.
  - Note that the key is in the set $\{1, g, g^2, \ldots, g^{t-1}\}$.
  - Eve can possibly search through all possible keys.

12 Additional security problems
- For any divisor of p–1, say d, there is a single subgroup of size d.
  - E.g., for p – 1 = 6, divisors = {1, 2, 3, 6}.
  - There is a subgroup of size 1 ({1}), a subgroup of size 2 ({1, 6}), a subgroup of size 3 ({1, 2, 4}), and a subgroup of size 6.
- Problem 3: Eve intercepts $g^x \bmod p$ and replaces it with h, where h has a small order.
  - Since $k = h^y \bmod p$, the number of possible keys may not be large enough.
- If p is a large prime, then p–1 is always even.
  - Therefore, there is a subgroup of size 2: {1, p–1}.
  - Use a safe prime to avoid small subgroups other than the one with size 2, which is always present.

13 A safe prime approach
- A safe prime is a large enough prime p = 2q + 1, where q is also a prime.
- Now, $Z_p^*$ for such a safe prime has the following subgroups.
  - {1}
  - {1, p–1}
  - A subgroup of size q
  - A subgroup of size 2q (the full group)
- The first 2 subgroups are easy to avoid.
- The full group has one more problem.

14 A safe prime approach
- Consider the set of numbers in $Z_p^*$ that can be written as a square of another number in $Z_p^*$.
- For example, p = mod 7 = mod 7 = mod 7 = mod 7 = mod 7 = mod 7 = 1
- {1, 2, 4} is a set of squares for p = 7.
- Exactly half the numbers in 1, …, p–1 are squares.
- Any generator of the entire group is a nonsquare (why?).

15 A safe prime approach group
- The Legendre symbol can determine whether a number modulo p is a square or not.
- Assume g is a nonsquare and Alice sends out $g^x$ to Bob.
- Given that Eve can determine whether g and $g^x$ are squares, what can Eve know?
  - If $g^x$ is a square, then x is even.
  - If $g^x$ is a nonsquare, then x is odd.
  - That is, Eve knows about the last bit of x.

16 A safe-prime approach
- The solution is to use the subgroup of size q, which contains the set of squares.
  - A square will only generate a square.
  - For p = 7, we use the subgroup {1, 2, 4}.
- To sum up:
  - Choose (p, q) such that p = 2q + 1, and both p and q are prime.
  - Choose a random number  in the range [2, p–2] and set g =  2 mod p.
  - Make sure g  1 and g  p–1.
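The last-bit leak from the previous slide and the fix on this one, as an added example that is not part of the original slides. It assumes a toy safe prime p = 23 (q = 11), uses Euler's criterion in place of a Legendre-symbol routine, and calls the random base `alpha`, a name chosen here.

```python
# Toy safe prime constructed for illustration: p = 2q + 1 with q prime.
P, Q = 23, 11

def is_square(r, p=P):
    """Euler's criterion: r is a square mod p iff r^((p-1)/2) = 1 (mod p).
    For a safe prime the exponent (p-1)/2 equals q."""
    return pow(r, (p - 1) // 2, p) == 1

def guess_last_bit(public_value, p=P):
    """What an eavesdropper infers when g is a nonsquare:
    square -> x is even (0), nonsquare -> x is odd (1)."""
    return 0 if is_square(public_value, p) else 1

def square_generator(alpha, p=P):
    """Pick g = alpha^2 mod p for alpha in [2, p-2], refusing the
    trivial subgroups {1} and {1, p-1}."""
    if not 2 <= alpha <= p - 2:
        raise ValueError("alpha must be in [2, p-2]")
    g = pow(alpha, 2, p)
    if g in (1, p - 1):
        raise ValueError("g falls in a trivial subgroup")
    return g

def correct_guesses(g, p=P):
    """Number of exponents x in [1, p-2] whose last bit the guess recovers."""
    return sum(guess_last_bit(pow(g, x, p), p) == x % 2
               for x in range(1, p - 1))

if __name__ == "__main__":
    g_full = 5                       # nonsquare, generates all of Z_p^*
    g_sq = square_generator(g_full)  # 5^2 mod 23 = 2, order q = 11
    print("nonsquare g:", correct_guesses(g_full), "of", P - 2, "bits recovered")
    print("square g:   ", correct_guesses(g_sq), "of", P - 2,
          "(same as always answering 'even')")
```

With the square generator every public value is a square, so the test returns the same answer for all x and carries no information about the exponent.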

17 Enhancing the DH protocol
- Decide on (p, q, g) according to the algorithm described on the last slide.
- When Bob receives $g^x \bmod p$ from Alice, he can check whether the value is indeed from the subgroup consisting of squares.
  - Use the Legendre symbol function, or
  - Use: A number r is a square if and only if $r^q$  1 (mod p) and r  1. Also avoid r = 1.
  - E.g., p = 2  (q = 3)
    - 2 is a square because $2^3 = 1 \bmod 7$.
    - 4 is a square because $4^3 = 1 \bmod 7$.

18 A smaller-subgroup approach
- The main disadvantage with the safe-prime approach is the computational workload.
  - If p is n bits long, then q is (n–1) bits long.
  - All exponents are n–1 bits long.
- Another approach is to use a smaller subgroup.
  - Choose q as a 256-bit prime ($2^{255} < q <$ ).
  - Find a much larger prime p = N  q + 1, where N is randomly chosen in some range.
    - N must be even: increase from 2 to a much larger even number
    - Check whether p is prime.

19 Enhancing the DH protocol
- Find an element of order q:
  - Choose a random number  in the range [2, p–2] and set g =  N mod p.
  - Make sure that g  1 and $g^q$  1 (mod p).
- Same as the last approach, Bob and Alice must check whether the received value comes from the subgroup generated by g.
  - $r^q$  1 (mod p) and 1 < r < p (including r  1).

20 The final DH protocol
- Based on the second approach, both Alice and Bob check on (p, q, g):
  - Both p and q are prime.
  - q is 256 bits and p is sufficiently large (at least 2048 bits).
  - q is a divisor of p – 1 (p = N  q + 1).
  - Choose a random number  in the range [2, p–2] and set g =  N mod p.
  - g  1 and $g^q$  1 (mod p).
- Verify that the number received from the other side indeed comes from the subgroup:
  - $r^q$  1 (mod p) and 1 < r < p.
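The parameter and received-value checks of this slide, as an added example that is not part of the original slides. It assumes toy parameters p = 67, q = 11, N = 6 constructed for illustration, the standard order-q test (g ≠ 1 and g^q ≡ 1 mod p), and a fixed-base Miller-Rabin test standing in for a vetted primality routine; all function names are chosen here.

```python
# Toy parameters constructed for illustration: p = N*q + 1 = 6*11 + 1.
P, Q, N = 67, 11, 6
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (a stand-in for a vetted library test)."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_generator(alpha, p, q):
    """g = alpha^N mod p with N = (p-1)/q; None if alpha lands on g = 1."""
    g = pow(alpha, (p - 1) // q, p)
    return g if g != 1 else None

def check_params(p, q, g, q_bits=256, min_p_bits=2048):
    """The (p, q, g) checks both Alice and Bob run before any exchange."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and q.bit_length() == q_bits and p.bit_length() >= min_p_bits
            and (p - 1) % q == 0
            and g != 1 and pow(g, q, p) == 1)

def check_public(r, p, q):
    """Accept r only if 1 < r < p and r lies in the order-q subgroup."""
    return 1 < r < p and pow(r, q, p) == 1

def shared_key(peer_public, private, p, q):
    """Derive k only after the peer's value passes the subgroup check."""
    if not check_public(peer_public, p, q):
        raise ValueError("peer value is not in the order-q subgroup")
    return pow(peer_public, private, p)
```

The default sizes are the slide's (256-bit q, p of at least 2048 bits); the toy parameters pass only when `q_bits=4` and `min_p_bits=7` are given explicitly. Substituted values such as 1, p–1, or an element of order 3 fail `check_public`.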

21 The final DH protocol

22 Summary
- The DH protocol is based on the difficulty of solving the discrete logarithm problem.
- However, with a trapdoor (x or y), the computation of the key becomes very easy.
- There are other public-key cryptosystems based on the discrete logarithm problem, such as the ElGamal algorithm and Elliptic Curves.
- We will revisit the DH protocol in the Internet Key Exchange protocol.
  - Cookies for denial-of-service attacks
  - Authentication schemes for the man-in-the-middle attack.

23 Acknowledgments
- The notes are prepared mostly based on
  - N. Ferguson and B. Schneier, Practical Cryptography, Wiley,
  - D. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, Second Edition, 2002.