1 / 22

Diffie-Hellman 协议中的弱密钥

Diffie-Hellman 协议中的弱密钥. 提纲. Diffie-Hellman 协议 近世代数基础 关于 Diffie-Hellman 协议的攻击方法 有限域上的 Diffie-Hellman 问题 一般线性群 (GL n ) 上的 Diffie-Hellman 问题 结论. Diffie-Hellman 协议. Diffie-Hellman Conjecture. Discrete Logarithm Problem (DLP) To find z given g z Diffie-Hellman problem (DHP)

lenka
Download Presentation

Diffie-Hellman 协议中的弱密钥

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Diffie-Hellman 协议中的弱密钥

  2. 提纲 • Diffie-Hellman 协议 • 近世代数基础 • 关于Diffie-Hellman 协议的攻击方法 • 有限域上的Diffie-Hellman问题 • 一般线性群 (GLn)上的Diffie-Hellman问题 • 结论

  3. Diffie-Hellman 协议

  4. Diffie-Hellman Conjecture • Discrete Logarithm Problem (DLP) • To find z given gz • Diffie-Hellman problem (DHP) • Problem of solving the shared key • Diffie-Hellman conjecture (DHC) • To solve the DHP we need to solve the DLP

  5. 代数基础 • Group (G, +) satisfying the properties of closure, associativity, identity and inverse. • Cyclic Group A group that can be generated by a single element g (the group generator). • Subgroup Subset H of group elements of a group G that satisfies the four group requirements.

  6. 代数基础 (Cont..) • Ring (R, +, *) satisfying the properties of additiveassociativity, additive commutativity, additive identity, additive inverse, multiplicative associativity and left and right distributivity. • Fields Set of elements that satisfies the group axioms for both addition and multiplication and has no zero divisors. • General Linear Group General linear group of degree n over a field F (written as GL(n,F)) is the group of n-by-n invertible matrices with entries from F, with the group operation that of ordinary matrix multiplication.

  7. 代数基础(Cont..) Minimal Polynomial Minimal polynomial of a matrix is the polynomial in A of smallest degree n such that Example For matrix The minimal polynomial is

  8. 代数基础(Cont..) • Irreducible Polynomial A polynomial is said to be irreducible if it cannot be factored into nontrivial polynomials over the same field. • Extension Field A field K is said to be an extension field of field F if F is a subfield of K. For example, the complex numbers are an extension field of the real numbers

  9. Trivial attacks on Diffie-Hellman Protocol • Simple Exponent • k = 1 or l =1 • k = p-1 or l = p-1 • Simple Substitution Attacks gk = 1 or gl = 1

  10. Mathematical attacks on Diffie-Hellman Protocol • Subgroup Confinement Attack Example : p = 19, g = 2 Generated group {2, 4, 8, 16, 13, 7, 14, 9, 18, 17, 15, 11, 3, 6, 12, 5, 10, 1} k = 2, A = 22 = 4 Subgroup generated by A=SA = {4, 16, 7, 9, 17, 11, 6, 5, 1} l = 3, B = 23 = 8 Sub-group generated by B = SB = {8, 7, 18, 11, 12, 1} Kab =2 6 = 7 Note : Kab belongs to SA intersection SB Solution: Use Safe primes ( p= 2q + 1 )

  11. Mathematical attacks on Diffie-Hellman Protocol (Cont..) Attacks based on composite order subgroup

  12. Diffie-Hellman Problem over Field Extensions • Assume extension field of prime field 2 over irreducible polynomial x3 + x + 1. • Let g be the generator of the extension field. Hence, g3 + g + 1 = 0 • Now, generating all the elements of the field…..

  13. Diffie-Hellman Problem over Field Extensions • Take k = 6 and l = 2 g3 + g + 1 = 0 • Now, A = gk = g6 = g2 + 1 = f(g) f(x)= x2 + 1 B = gl = g2 Shared key is g12 = g7.g5 = g5 = g2 + g+ 1 Also, f(B) = f(g2) = g4 + 1 = g2 + g+ 1

  14. Conditions for DHP over Field Extensions A = gk B = gl There exist polynomial f(x) such that • A = f(g) • Bk = f(B) There exist polynomial h(x) such that • B = h(g) • Al = h(A)

  15. Conjugate Class A = gk B = gl A triple (g, k, l) is said to belong to the conjugate class if minimal polynomial of g and A are same. MP(g) = MP(A) or minimal polynomial of g and B are same. MP(g) = MP(B)

  16. The Modulus Condition A = gk B = gl The triple (g, k, l) is said to satisfy the modulus condition if any one of the following conditions hold xk mod (MP of g) = xk mod LCM( MP of g, MP of B) Or xl mod (MP of g) = xl mod LCM( MP of g, MP of A)

  17. Implication of Modulus Condition The following statements hold : • There exists a polynomial f(x) which satisfies A = f(g) and Bk = f(B) iff (G, k, l) satisfies the first modulus condition. Such a polynomial is unique. • There exists a polynomial h(x) which satisfies B = h(g) and Al = h(A) iff (G, k, l) satisfies the second modulus condition. Such a polynomial is unique.

  18. Diffie-Hellman Problem over General Linear Groups • A matrix G in GLn(K) and matrices A = Gk and B = Gl are given for some unknown positive integers k, l < ord(G). Determine the matrix Gkl = Al =Bk. The matrix Gkl is called the shared key of the DH protocol. • The triple (G,A,B) shall be called the public data of the DHP.

  19. Example • Consider the field be F53 and G in GL2 given by • Let k = 3, l = 53 then Now the polynomial solution of the linear system A = f(G) gives f(x) = x + 47.

  20. Example (Cont..) • The shared key is • It is easy to see that G53×3 = f(B) = B + 47I.

  21. Conclusion • Diffie-Hellman Conjecture does not always hold . • For certain class of keys, the shared secret key can be determined without solving the Discrete Logarithm Problem. • There is no direct method available till date to enumerate all such keys except for a limited subset of keys that satisfy the Conjugate Class Property.

  22. Thank you!

More Related