
Weak Keys in Diffie-Hellman Protocol



Presentation Transcript

  1. Weak Keys in Diffie-Hellman Protocol Aniket Kate Prajakta Kalekar Deepti Agrawal Under the Guidance of Prof. Bernard Menezes

  2. Roadmap • Introduction to the Diffie-Hellman Protocol • Basics of Abstract Algebra Concepts • Mathematical attacks on Diffie-Hellman Protocol • Diffie-Hellman Problem (DHP) over General Linear Groups (GLn) • Applying concept to Field Extension. • Conclusion

  3. Diffie-Hellman Protocol

  4. Diffie-Hellman Conjecture • Discrete Logarithm Problem (DLP): to find z given g^z • Diffie-Hellman problem (DHP): the problem of solving for the shared key • Diffie-Hellman conjecture (DHC): to solve the DHP we need to solve the DLP

  5. Basics • Group (G, +) satisfying the properties of closure, associativity, identity and inverse. • Cyclic Group A group that can be generated by a single element g (the group generator). • Subgroup Subset H of group elements of a group G that satisfies the four group requirements.

  6. Basics (Cont..) • Ring (R, +, *) satisfying the properties of additive associativity, additive commutativity, additive identity, additive inverse, multiplicative associativity and left and right distributivity. • Fields Set of elements that satisfies the group axioms for both addition and multiplication and has no zero divisors. • General Linear Group General linear group of degree n over a field F (written as GL(n,F)) is the group of n-by-n invertible matrices with entries from F, with the group operation that of ordinary matrix multiplication.

  7. Basics (Cont..) Minimal Polynomial Minimal polynomial of a matrix is the polynomial in A of smallest degree n such that Example For matrix The minimal polynomial is

  8. Basics (Cont..) • Irreducible Polynomial A polynomial is said to be irreducible if it cannot be factored into nontrivial polynomials over the same field. • Extension Field A field K is said to be an extension field of field F if F is a subfield of K. For example, the complex numbers are an extension field of the real numbers

  9. Trivial attacks on Diffie-Hellman Protocol • Simple Exponent: k = 1 or l = 1; k = p-1 or l = p-1 • Simple Substitution Attacks: g^k = 1 or g^l = 1

  10. Mathematical attacks on Diffie-Hellman Protocol • Subgroup Confinement Attack. Example: p = 19, g = 2. Generated group {2, 4, 8, 16, 13, 7, 14, 9, 18, 17, 15, 11, 3, 6, 12, 5, 10, 1}. k = 2, A = 2^2 = 4. Subgroup generated by A = S_A = {4, 16, 7, 9, 17, 11, 6, 5, 1}. l = 3, B = 2^3 = 8. Subgroup generated by B = S_B = {8, 7, 18, 11, 12, 1}. K_ab = 2^6 = 7. Note: K_ab belongs to S_A ∩ S_B. Solution: use safe primes (p = 2q + 1).
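The numbers on this slide, recomputed, together with the check a defender applies before accepting a peer's public value once p is a safe prime. This is an added example, not code from the slides: the p = 19, g = 2, k = 2, l = 3 instance is the slide's, while the safe prime p = 23 (q = 11) and the `validate_public_value` test (y^q ≡ 1 mod p, y not 1 or p-1) are this example's own additions.

```python
# Added example (not from the slides): subgroup confinement with p = 19, g = 2,
# and the public-value validation that safe primes make possible.

def is_prime(n):
    """Trial division; fine for the tiny moduli used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def is_safe_prime(p):
    """p is a safe prime when p and q = (p - 1) / 2 are both prime."""
    return p % 2 == 1 and is_prime(p) and is_prime((p - 1) // 2)

def cyclic_subgroup(x, p):
    """Elements of <x> in Z_p^*, in generation order, ending with 1."""
    elems, y = [], x % p
    while True:
        elems.append(y)
        if y == 1:
            return elems
        y = y * x % p

def confinement(p, g, k, l):
    """Public values, the shared key, and the candidates the key is confined to.

    The key g^(kl) is a power of A and a power of B, so it lies in <A> ∩ <B>;
    for p = 19 that intersection has only three elements.
    """
    A, B = pow(g, k, p), pow(g, l, p)
    key = pow(g, k * l, p)
    S_A, S_B = set(cyclic_subgroup(A, p)), set(cyclic_subgroup(B, p))
    return A, B, key, sorted(S_A & S_B)

def validate_public_value(y, p, q):
    """Safe-prime check: accept y only if it is in the order-q subgroup
    (y^q = 1 mod p) and is neither 1 nor p - 1, so no small subgroup exists
    for the key to be confined to."""
    return 1 < y < p - 1 and pow(y, q, p) == 1

if __name__ == "__main__":
    print("p = 19 safe prime?", is_safe_prime(19))          # False: 9 is not prime
    print("A, B, key, candidates:", confinement(19, 2, 2, 3))
    print("p = 23 safe prime?", is_safe_prime(23))          # True: q = 11
    print("accept y = 4 mod 23?", validate_public_value(4, 23, 11))
    print("accept y = 5 mod 23?", validate_public_value(5, 23, 11))
```

With p = 19 the shared key 7 sits in the order-3 subgroup {1, 7, 11}, so an observer of the public data has three candidates to try. With p = 23 and g of order q = 11, the only subgroups are of order 1, 2, 11 and 22, and the validation rejects any value outside the order-11 subgroup (5 fails because 5^11 ≡ -1 mod 23).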

  11. Mathematical attacks on Diffie-Hellman Protocol (Cont..) Attacks based on composite order subgroup

  12. Diffie-Hellman Problem over General Linear Groups • A matrix G in GL_n(K) and matrices A = G^k and B = G^l are given for some unknown positive integers k, l < ord(G). Determine the matrix G^(kl) = A^l = B^k. The matrix G^(kl) is called the shared key of the DH protocol. • The triple (G, A, B) shall be called the public data of the DHP.

  13. Conditions for DHP over GL_n. There exists a polynomial f(x) such that • A = f(G) • B^k = f(B). There exists a polynomial g(x) such that • B = g(G) • A^l = g(A)

  14. Example • Consider the field F_53 and G in GL_2 given by • Let k = 3, l = 53, then Now the polynomial solution of the linear system A = f(G) gives f(x) = x + 47.

  15. Example (Cont..) • The shared key is • It is easy to see that G^(53×3) = f(B) = B + 47I.

  16. The Modulus Condition. The triple (G, k, l) with G in GL_n(K) is said to satisfy the modulus condition if any one of the following conditions holds: x^k mod (MP of G) = x^k mod LCM(MP of G, MP of B), or x^l mod (MP of G) = x^l mod LCM(MP of G, MP of A)

  17. Implication of Modulus Condition The following statements hold : • There exists a polynomial f(x) which satisfies A = f(G) and Bk = f(B) iff (G, k, l) satisfies the first modulus condition. Such a polynomial is unique. • There exists a polynomial g(x) which satisfies B = g(G) and Al = g(A) iff (G, k, l) satisfies the second modulus condition. Such a polynomial is unique.

  18. Conjugate Class. A triple (G, k, l) is said to belong to the conjugate class if the minimal polynomials of G and A are the same, MP(G) = MP(A), or the minimal polynomials of G and B are the same, MP(G) = MP(B).
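A checker for slides 12 to 18 over GL_2(F_53), using the notation of slide 24: h(G,x) is the minimal polynomial of G, h_b(x) = LCM(h(G,x), h(B,x)), h_a(x) = LCM(h(G,x), h(A,x)), f(x) = x^k mod h_b(x) and g(x) = x^l mod h_a(x). This is an added example, not the slides' code or Menezes and Wu's: the matrix G = [[0,1],[1,1]] is constructed (the slides' own matrix did not survive the transcript), the minimal polynomial of a 2×2 matrix is taken from Cayley-Hamilton (characteristic polynomial unless G is scalar), and k is passed in only because we are testing a known instance, since x^k mod h(G,x) is the same polynomial the linear system A = f(G) yields. The pair k = 3, l = 53 falls into the conjugate class (h(B,x) = h(G,x) because B = G^53 has the Frobenius conjugates of G's eigenvalues), so the first modulus condition holds and f(B) is the shared key; k = 3, l = 2 satisfies neither condition.

```python
# Added example (not from the slides): the modulus condition and the
# polynomial-based shared key for 2x2 matrices over F_P.
# Polynomials are coefficient lists, lowest degree first; Python 3.8+ (pow(x, -1, P)).
P = 53

def trim(a):
    while len(a) > 1 and a[-1] == 0:
        a = a[:-1]
    return a

def poly_sub(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x - y) % P for x, y in zip(a, b)])

def poly_mul(a, b):
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % P
    return trim(r)

def poly_divmod(a, m):
    """Long division over F_P; returns (quotient, remainder)."""
    a, m = trim(list(a)), trim(m)
    inv = pow(m[-1], -1, P)
    q = [0] * max(1, len(a) - len(m) + 1)
    while len(a) >= len(m) and a != [0]:
        c, shift = a[-1] * inv % P, len(a) - len(m)
        q[shift] = c
        a = poly_sub(a, [0] * shift + [c * x % P for x in m])
    return trim(q), a

def poly_gcd(a, b):
    while b != [0]:
        a, b = b, poly_divmod(a, b)[1]
    inv = pow(a[-1], -1, P)
    return [x * inv % P for x in a]          # monic

def poly_lcm(a, b):
    return poly_divmod(poly_mul(a, b), poly_gcd(a, b))[0]

def x_pow_mod(k, m):
    """x^k mod m(x) by square-and-multiply."""
    result, base = [1], [0, 1]
    while k:
        if k & 1:
            result = poly_divmod(poly_mul(result, base), m)[1]
        base = poly_divmod(poly_mul(base, base), m)[1]
        k >>= 1
    return result

def mat_mul(X, Y):
    return [[sum(X[i][t] * Y[t][j] for t in range(2)) % P for j in range(2)] for i in range(2)]

def mat_pow(X, e):
    R = [[1, 0], [0, 1]]
    while e:
        if e & 1:
            R = mat_mul(R, X)
        X, e = mat_mul(X, X), e >> 1
    return R

def min_poly(X):
    """h(X,x) for a 2x2 matrix: x - a for a scalar matrix a*I, otherwise the
    characteristic polynomial x^2 - tr(X) x + det(X) (Cayley-Hamilton)."""
    if X[0][1] == 0 and X[1][0] == 0 and X[0][0] == X[1][1]:
        return [(-X[0][0]) % P, 1]
    tr = (X[0][0] + X[1][1]) % P
    det = (X[0][0] * X[1][1] - X[0][1] * X[1][0]) % P
    return [det, (-tr) % P, 1]

def poly_eval_mat(f, X):
    """f(X) = sum of f[i] * X^i."""
    R, Xp = [[0, 0], [0, 0]], [[1, 0], [0, 1]]
    for c in f:
        R = [[(R[i][j] + c * Xp[i][j]) % P for j in range(2)] for i in range(2)]
        Xp = mat_mul(Xp, X)
    return R

def modulus_condition(G, k, l):
    """(first, second): x^k mod h(G) == x^k mod h_b, and x^l mod h(G) == x^l mod h_a."""
    A, B, hG = mat_pow(G, k), mat_pow(G, l), min_poly(G)
    hb, ha = poly_lcm(hG, min_poly(B)), poly_lcm(hG, min_poly(A))
    first = x_pow_mod(k, hG) == x_pow_mod(k, hb)
    second = x_pow_mod(l, hG) == x_pow_mod(l, ha)
    return first, second

def key_from_polynomial(G, k, l):
    """The shared key G^(kl) as f(B) = B^k or g(A) = A^l when (G,k,l) is weak,
    never forming G^(kl) itself; None when neither modulus condition holds."""
    A, B, hG = mat_pow(G, k), mat_pow(G, l), min_poly(G)
    first, second = modulus_condition(G, k, l)
    if first:
        return poly_eval_mat(x_pow_mod(k, hG), B)
    if second:
        return poly_eval_mat(x_pow_mod(l, hG), A)
    return None

if __name__ == "__main__":
    G = [[0, 1], [1, 1]]        # constructed matrix in GL_2(F_53), h(G,x) = x^2 - x - 1
    for k, l in ((3, 53), (3, 2)):
        print(k, l, modulus_condition(G, k, l), key_from_polynomial(G, k, l))
```

For this G, x^3 mod h(G,x) is 2x + 1, so f(B) = 2B + I reproduces G^159 exactly as slide 15's f(B) = B + 47I does for the slides' matrix; for l = 2 both LCMs have degree 4, the reductions differ, and no such polynomial exists.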

  19. Applying the same concept to Extension Fields • Assume the extension field of the prime field F_2 over the irreducible polynomial x^3 + x + 1. • Let g be the generator of the extension field. Hence, g^3 + g + 1 = 0 • Now, generating all the elements of the field…..

  20. Applying Concept to Field Extensions • Take k = 6 and l = 2 • Now, A = g^k = g^6 = g^2 + 1 = f(g); B = g^l = g^2. Shared key is g^12 = g^7·g^5 = g^5 = g^2 + g + 1. Also, f(B) = f(g^2) = g^4 + 1 = g^2 + g + 1
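The GF(2^3) = F_2[x]/(x^3 + x + 1) instance of slides 19 and 20, recomputed and then extended to every exponent pair 1 ≤ k, l ≤ 6. This is an added example, not the slides' code: elements are stored as 3-bit integers (bit i is the coefficient of g^i), and because g has a degree-3 minimal polynomial the bit pattern of A = g^k is itself the coefficient vector of the unique f with deg f < 3 and f(g) = A, so `weak_pair` needs no linear-system solve. The enumeration over all 36 pairs goes beyond the slides' single pair (6, 2).

```python
# Added example (not from the slides): weak exponent pairs in GF(2^3).
MODULUS = 0b1011   # x^3 + x + 1, the slides' irreducible polynomial
DEGREE = 3
G = 0b010          # the generator g itself

def gf_mul(a, b):
    """Multiply two field elements, reducing by x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << DEGREE):
            a ^= MODULUS
    return r

def gf_pow(a, e):
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result

def as_poly_in_g(x):
    """Render an element the way the slides write it, e.g. 'g^2 + g + 1'."""
    terms = [("g^%d" % i if i > 1 else "g" if i == 1 else "1")
             for i in range(DEGREE - 1, -1, -1) if (x >> i) & 1]
    return " + ".join(terms) if terms else "0"

def eval_poly(f_bits, x):
    """Evaluate f(x) where bit i of f_bits is the coefficient of x^i."""
    result, xpow = 0, 1
    for i in range(DEGREE):
        if (f_bits >> i) & 1:
            result ^= xpow
        xpow = gf_mul(xpow, x)
    return result

def weak_pair(k, l):
    """True when f(B), with f the coordinate polynomial of A, is the shared key."""
    A, B = gf_pow(G, k), gf_pow(G, l)        # public values
    shared = gf_pow(G, k * l)                # what the protocol computes
    return eval_poly(A, B) == shared

def weak_pairs():
    """All (k, l) with 1 <= k, l <= 6 for which f(B) equals the shared key."""
    return {(k, l) for k in range(1, 7) for l in range(1, 7) if weak_pair(k, l)}

if __name__ == "__main__":
    A, B = gf_pow(G, 6), gf_pow(G, 2)
    print("A = g^6 =", as_poly_in_g(A), "; B = g^2 =", as_poly_in_g(B))
    print("shared key g^12 =", as_poly_in_g(gf_pow(G, 12)),
          "; f(B) =", as_poly_in_g(eval_poly(A, B)))
    print(len(weak_pairs()), "of 36 pairs are weak")
```

Every pair with l in {1, 2, 4} is weak, because g, g^2 and g^4 are the Frobenius conjugates sharing the minimal polynomial x^3 + x + 1, which is slide 18's conjugate class in the field setting; pairs such as (4, 3) are not, since g^3 has the other irreducible cubic as its minimal polynomial.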

  21. Conclusion • The Diffie-Hellman Conjecture does not always hold. • For a certain class of keys, the shared secret key can be determined without solving the Discrete Logarithm Problem. • There is no direct method available to date to enumerate all such keys, except for a limited subset of keys that satisfy the Conjugate Class Property.

  22. References • W. Diffie and M. Hellman. New Directions in Cryptography. IEEE Trans. on Information Theory, 22:644–654, 1976. • R. Lidl and G. Pilz. Applied Abstract Algebra. Springer-Verlag, 1st edition, 1984. • A. J. Menezes and Yi-Hong Wu. The Discrete Logarithm Problem in GL(n,q). Ars Combinatoria, 47:23–32, 1998. • Jean-François Raymond and Anton Stiglic. Security Issues in the Diffie-Hellman Key Agreement Protocol. IEEE Trans. on Information Theory, pages 1–17, 1998. • William Stallings. Cryptography and Network Security. Pearson Education, 3rd edition, 2003.

  23. Thank you!

  24. Notations Used • h(G,x): minimal polynomial of the matrix G • h_b(x) = LCM(h(G,x), h(B,x)) • h_a(x) = LCM(h(G,x), h(A,x)) • f(x) = x^k mod h_b(x) • g(x) = x^l mod h_a(x)
