
Weak Keys in Diffie-Hellman Protocol

Aniket Kate Prajakta Kalekar Deepti Agrawal

Under the Guidance of

Prof. Bernard Menezes

Roadmap

Introduction to the Diffie-Hellman Protocol
Basics of Abstract Algebra Concepts
Mathematical attacks on the Diffie-Hellman Protocol
Diffie-Hellman Problem (DHP) over General Linear Groups (GLn)
Applying the concept to Field Extensions
Conclusion

Diffie-Hellman Protocol

Diffie-Hellman Conjecture

Discrete Logarithm Problem (DLP): given g and g^z, find z.

Diffie-Hellman Problem (DHP): given the public values g^k and g^l (but not k or l), compute the shared key g^(kl).

Diffie-Hellman Conjecture (DHC): to solve the DHP one must solve the DLP, i.e. the two problems are computationally equivalent.

Basics

Group: a set G with a binary operation, written (G, +) here, satisfying closure, associativity, identity and inverse.

Cyclic Group: a group that can be generated by a single element g (the group generator), so every element is a power of g.

Subgroup: a subset H of the elements of a group G that itself satisfies the four group requirements under the same operation.

Basics (Cont..)

Ring: (R, +, *) satisfying additive associativity, additive commutativity, additive identity, additive inverse, multiplicative associativity and left and right distributivity.

Field: a set of elements that satisfies the group axioms for addition and, with zero excluded, for multiplication, with multiplication distributing over addition; in particular a field has no zero divisors.

General Linear Group: the general linear group of degree n over a field F (written GL(n, F), or GLn(K) below) is the group of n-by-n invertible matrices with entries from F, with ordinary matrix multiplication as the group operation.

Basics (Cont..)

Minimal Polynomial: the minimal polynomial of a matrix A is the monic polynomial h of smallest degree such that h(A) = 0. It divides every polynomial that vanishes at A, and by the Cayley-Hamilton theorem its degree is at most n for an n-by-n matrix.

Example For matrix

The minimal polynomial is

Basics (Cont..)

Irreducible Polynomial: a polynomial is said to be irreducible over a field if it cannot be factored into nontrivial (lower-degree) polynomials over that field.

Extension Field

A field K is said to be an extension field of field F if F is a subfield of K. For example, the complex numbers are an extension field of the real numbers

Trivial attacks on the Diffie-Hellman Protocol

Simple exponent:
1. k = 1 or l = 1 (the public value is g itself, so the key is the other party's public value)
2. k = p-1 or l = p-1 (the public value is g^(p-1) = 1, so the key is 1)

Simple substitution attacks: g^k = 1 or g^l = 1, which forces the shared key g^(kl) to 1.

Mathematical attacks on Diffie-Hellman Protocol

Subgroup Confinement Attack

Example: p = 19, g = 2. Generated group: {2, 4, 8, 16, 13, 7, 14, 9, 18, 17, 15, 11, 3, 6, 12, 5, 10, 1} (all of (Z/19Z)*, order 18).
k = 2, A = 2^2 = 4. Subgroup generated by A: S_A = {4, 16, 7, 9, 17, 11, 6, 5, 1} (order 9).
l = 3, B = 2^3 = 8. Subgroup generated by B: S_B = {8, 7, 18, 11, 12, 1} (order 6).
K_ab = 2^6 mod 19 = 7.
Note: K_ab belongs to S_A ∩ S_B = {1, 7, 11}, so an eavesdropper who computes the two subgroups from the public values A and B has only three candidates for the key instead of 18.

Solution: use safe primes (p = 2q + 1 with q prime), so that the only proper subgroups of (Z/pZ)* have order 1, 2 or q, and reject public values outside the order-q subgroup.
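Worked example, added here and not part of the original slides: textbook DH mod p with the slide's p = 19, g = 2, showing that an eavesdropper who knows only A and B can restrict the shared key to the intersection of the subgroups they generate, together with the two checks a practitioner applies: the safe-prime test, and validation that a received public value is neither 1 nor p-1 and lies in the order-q subgroup, which also rules out the simple exponent and substitution cases above. The p = 23 safe-prime parameters and the helper names are our choice.

```python
"""Subgroup confinement in Diffie-Hellman mod p and the safe-prime fix.
Added example (not the slides' code); p = 19, g = 2 are the slide's values,
p = 23 and the helper names are our own."""


def is_prime(n):
    """Trial division; fine for the toy moduli used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def is_safe_prime(p):
    """p = 2q + 1 with both p and q prime, so (Z/pZ)* has only subgroups of
    order 1, 2, q and 2q: no medium-sized subgroup to confine a key into."""
    return is_prime(p) and is_prime((p - 1) // 2)


def generated_subgroup(a, p):
    """Elements of <a> = {a, a^2, ..., 1} in (Z/pZ)*."""
    assert a % p, "0 generates nothing"
    elems, x = [], a % p
    while x != 1:
        elems.append(x)
        x = x * a % p
    elems.append(1)
    return elems


def dh_shared_key(g, k, l, p):
    """Honest protocol: A = g^k, B = g^l, both sides obtain g^(kl)."""
    A, B = pow(g, k, p), pow(g, l, p)
    assert pow(A, l, p) == pow(B, k, p)
    return pow(A, l, p)


def key_candidates(A, B, p):
    """Eavesdropper's view: the key A^l = B^k lies in <A> and in <B>."""
    return sorted(set(generated_subgroup(A, p)) & set(generated_subgroup(B, p)))


def validate_public_value(y, p, q):
    """Accept y only if 1 < y < p-1 (rejects g^0 and the order-2 element p-1,
    i.e. the simple exponent / substitution cases) and y^q == 1, i.e. y lies
    in the prime-order-q subgroup. Use with a safe prime p = 2q + 1."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


if __name__ == "__main__":
    p, g, k, l = 19, 2, 2, 3                       # the slide's parameters
    A, B = pow(g, k, p), pow(g, l, p)
    print("key:", dh_shared_key(g, k, l, p), "candidates:", key_candidates(A, B, p))
    print("19 safe prime?", is_safe_prime(19), " 23 safe prime?", is_safe_prime(23))
    p, q = 23, 11                                  # safe prime; g = 2 has order 11
    for y in (1, 2, 5, 22):
        print(f"p=23: public value {y} accepted:", validate_public_value(y, p, q))
```

With p = 19 the candidate set is {1, 7, 11}; with the safe prime p = 23 and g of order 11, any accepted public value generates the whole order-11 subgroup, so the intersection trick yields nothing smaller than the group itself.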

Mathematical attacks on Diffie-Hellman Protocol (Cont..)

Attacks based on composite-order subgroups

Diffie-Hellman Problem over General Linear Groups

A matrix G in GLn(K) and matrices A = G^k and B = G^l are given for some unknown positive integers k, l < ord(G). Determine the matrix G^(kl) = A^l = B^k. The matrix G^(kl) is called the shared key of the DH protocol.

The triple (G, A, B) shall be called the public data of the DHP.

Conditions for DHP over GLn

There exists a polynomial f(x) such that A = f(G) and B^k = f(B).

There exists a polynomial g(x) such that B = g(G) and A^l = g(A).

Either condition breaks the protocol without a discrete logarithm: once f is recovered from the public data by solving the linear system A = f(G), the shared key is B^k = f(B) (and symmetrically A^l = g(A)).

Example

Consider the field F53 and G in GL2(F53) given by the matrix shown on the slide.

Let k = 3, l = 53. Then A = G^3 and B = G^53.

Now the polynomial solution of the linear system A = f(G) gives f(x) = x + 47.

Example (Cont..)

The shared key is G^(53×3).

It is easy to see that G^(53×3) = f(B) = B + 47I.

The Modulus Condition

The triple (G, k, l) with G in GLn(K) is said to satisfy the modulus condition if either of the following holds (MP = minimal polynomial):

First modulus condition: x^k mod MP(G) = x^k mod LCM(MP(G), MP(B))

Second modulus condition: x^l mod MP(G) = x^l mod LCM(MP(G), MP(A))

Implication of Modulus ConditionThe following statements hold :

There exists a polynomial f(x) which satisfies A = f(G) and B^k = f(B) iff (G, k, l) satisfies the first modulus condition. Such a polynomial (reduced modulo LCM(MP(G), MP(B))) is unique.

There exists a polynomial g(x) which satisfies B = g(G) and A^l = g(A) iff (G, k, l) satisfies the second modulus condition. Such a polynomial (reduced modulo LCM(MP(G), MP(A))) is unique.

Conjugate Class

A triple (G, k, l) is said to belong to the conjugate class if the minimal polynomials of G and A are the same, MP(G) = MP(A), or the minimal polynomials of G and B are the same, MP(G) = MP(B).

In that case the LCM in the corresponding modulus condition collapses to MP(G), so the condition holds automatically; and since minimal polynomials are computable from the public data (G, A, B), an eavesdropper can recognise such triples and recover the shared key.
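The conditions, modulus condition and conjugate class above, carried out in code. This is an added example, not the slides' or the cited papers' code: the matrix G = [[2, 1], [1, 3]] over F53, the helper names, and the choice of l = p = 53 (so that B = G^p has the same minimal polynomial as G, putting (G, A, B) in the conjugate class) are our own. The eavesdropper computes MP(G) and MP(B) from the public data, and when they agree solves the linear system A = f(G) for f and outputs f(B), which is the shared key G^(kl); no discrete logarithm is taken. The minimal-polynomial routine finds the first linear dependence among I, G, G^2, ... and doubles as the solver for A = f(G). With l = 2 the minimal polynomials differ and the attack is not attempted.

```python
"""Weak Diffie-Hellman keys over GL_n(F_p): when MP(G) = MP(B) (the conjugate
class), the shared key G^(kl) equals f(B) for the f with A = f(G), so an
eavesdropper computes it from (G, A, B) alone, solving no discrete logarithm.
Added, constructed example: the matrix G below is ours, not the slides' G."""

P = 53  # same field as the slides' example


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def mat_mul(X, Y, p=P):
    n = len(X)
    return [[sum(X[i][t] * Y[t][j] for t in range(n)) % p for j in range(n)]
            for i in range(n)]


def mat_pow(X, e, p=P):
    R = identity(len(X))
    while e:
        if e & 1:
            R = mat_mul(R, X, p)
        X, e = mat_mul(X, X, p), e >> 1
    return R


def flatten(M):
    return [v for row in M for v in row]


def solve_mod(cols, target, p=P):
    """Coefficients c with sum_j c_j*cols[j] == target over F_p, or None
    if the system is inconsistent (Gauss-Jordan elimination mod p)."""
    m, rows = len(cols), len(target)
    M = [[cols[j][i] % p for j in range(m)] + [target[i] % p] for i in range(rows)]
    pivots, r = [], 0
    for c in range(m):
        piv = next((i for i in range(r, rows) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [(v * inv) % p for v in M[r]]
        for i in range(rows):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][m] for i in range(r, rows)):
        return None
    sol = [0] * m
    for i, c in enumerate(pivots):
        sol[c] = M[i][m]
    return sol


def minimal_poly(G, p=P):
    """Monic h(G,x) of least degree with h(G) = 0; coefficients low degree first."""
    n = len(G)
    powers = [identity(n)]
    for d in range(1, n + 1):
        powers.append(mat_mul(powers[-1], G, p))
        c = solve_mod([flatten(M) for M in powers[:d]], flatten(powers[d]), p)
        if c is not None:                      # G^d = sum c_i G^i
            return [(-ci) % p for ci in c] + [1]
    raise ValueError("unreachable: Cayley-Hamilton bounds the degree by n")


def solve_f(G, A, p=P):
    """The unique f of degree < deg MP(G) with A = f(G) (exists since A = G^k)."""
    d = len(minimal_poly(G, p)) - 1
    powers = [identity(len(G))]
    for _ in range(1, d):
        powers.append(mat_mul(powers[-1], G, p))
    return solve_mod([flatten(M) for M in powers], flatten(A), p)


def eval_poly(f, M, p=P):
    """Horner evaluation of the polynomial f (low degree first) at a matrix."""
    n = len(M)
    R = [[0] * n for _ in range(n)]
    for c in reversed(f):
        R = mat_mul(R, M, p)
        for i in range(n):
            R[i][i] = (R[i][i] + c) % p
    return R


def recover_key(G, A, B, p=P):
    """Eavesdropper: the shared key from public data when (G, A, B) is in the
    conjugate class MP(G) = MP(B); None otherwise (condition not checkable)."""
    if minimal_poly(G, p) != minimal_poly(B, p):
        return None
    return eval_poly(solve_f(G, A, p), B, p)


if __name__ == "__main__":
    G = [[2, 1], [1, 3]]                  # constructed; det = 5 != 0 mod 53
    k, l = 3, 53                          # l = p: G^p has the same minimal polynomial as G
    A, B = mat_pow(G, k), mat_pow(G, l)
    key = mat_pow(A, l)                   # what the two parties compute
    print("MP(G) =", minimal_poly(G), " f =", solve_f(G, A))
    print("recovered == key:", recover_key(G, A, B) == key)
    print("l = 2 (not conjugate):", recover_key(G, A, mat_pow(G, 2)))
```

For this G the minimal polynomial is x^2 - 5x + 5, and x^3 reduces to 20x + 28 modulo it, so f(x) = 20x + 28 plays the role of the slide's x + 47; the recovered f(B) equals G^159.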

Applying the same concept to Extension Fields

Assume the extension field of the prime field F2 defined by the irreducible polynomial x^3 + x + 1 (that is, GF(2^3)).

Let g be a root of this polynomial; it generates the multiplicative group of the field. Hence g^3 + g + 1 = 0, i.e. g^3 = g + 1.

Now, generating all the elements of the field: g, g^2, g^3 = g + 1, g^4 = g^2 + g, g^5 = g^2 + g + 1, g^6 = g^2 + 1, g^7 = 1.

Applying Concept to Field Extensions

Take k = 6 and l = 2.

Now A = g^k = g^6 = g^2 + 1 = f(g), so f(x) = x^2 + 1, and B = g^l = g^2.

The shared key is g^12 = g^7 · g^5 = g^5 = g^2 + g + 1. Also f(B) = f(g^2) = g^4 + 1 = g^2 + g + 1, which equals the shared key.
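The extension-field case above carried out in code, as an added example that is not from the slides. Elements of GF(2^3) are held as 3-bit coefficient masks, so the public value A = g^k is literally the coefficient vector of f(x) = x^k mod (x^3 + x + 1), and the eavesdropper's guess is f(B). The block goes beyond the single slide instance (k = 6, l = 2): weak_multipliers() brute-forces which l make f(B) the key for every k, and the answer is the powers of 2, because z -> z^2 is a field automorphism fixing F2, so f(g)^(2^i) = f(g^(2^i)); this is the field analogue of the conjugate class (g and g^(2^i) share a minimal polynomial over F2). The representation and helper names are our own.

```python
"""Diffie-Hellman in GF(2^3) = F_2[x]/(x^3+x+1) and the class of weak
multipliers l. Added, constructed example; representation is our choice."""

MOD = 0b1011       # x^3 + x + 1 (irreducible over F_2, as in the slides)
M = 3              # extension degree
G = 0b010          # g = x, a generator of GF(8)*


def gf_mul(a, b):
    """Multiply two elements (coefficient bitmasks) modulo x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= MOD
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r


def eval_poly(f, z):
    """Evaluate the F_2-polynomial with coefficient bits f at field element z."""
    r, i = 0, 0
    while f:
        if f & 1:
            r ^= gf_pow(z, i)
        f, i = f >> 1, i + 1
    return r


def recover_key(A, B):
    """Eavesdropper's step: A = g^k written in the basis 1, g, g^2 is the
    polynomial f(x) = x^k mod (x^3+x+1) with f(g) = A, so f(B) is the guess.
    Correct whenever f(g)^l = f(g^l), i.e. l is a power of 2."""
    return eval_poly(A, B)


def true_key(k, l):
    """What the two parties compute: g^(kl)."""
    return gf_pow(G, k * l)


def weak_multipliers():
    """Brute force over GF(8)*: the l for which f(B) is the key for EVERY k."""
    return [l for l in range(1, 7)
            if all(recover_key(gf_pow(G, k), gf_pow(G, l)) == true_key(k, l)
                   for k in range(1, 7))]


if __name__ == "__main__":
    k, l = 6, 2                                   # the slides' parameters
    A, B = gf_pow(G, k), gf_pow(G, l)
    print(f"A = {A:03b}, B = {B:03b}, key = {true_key(k, l):03b}, f(B) = {recover_key(A, B):03b}")
    print("l weak for all k:", weak_multipliers())     # powers of 2 mod 7
```

By symmetry the same holds with the roles of k and l swapped (solve B = g(g), output g(A)), so in this field a session is weak whenever either exponent is a power of 2 modulo 7.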

Conclusion

The Diffie-Hellman Conjecture does not always hold.

For a certain class of keys, the shared secret key can be determined without solving the Discrete Logarithm Problem.

There is no direct method available to date to enumerate all such keys, except for the limited subset of keys that satisfy the Conjugate Class property.


Notations Used

h(G, x): minimal polynomial of the matrix G

h_b(x) = LCM(h(G, x), h(B, x))

h_a(x) = LCM(h(G, x), h(A, x))

f(x) = x^k mod h_b(x)

g(x) = x^l mod h_a(x)