Weak Keys in Diffie-Hellman Protocol - PowerPoint PPT Presentation

1
Weak Keys in Diffie-Hellman Protocol
  • Aniket Kate, Prajakta Kalekar, Deepti Agrawal
  • Under the Guidance of
  • Prof. Bernard Menezes

2
Roadmap
  • Introduction to the Diffie-Hellman Protocol
  • Basics of Abstract Algebra Concepts
  • Mathematical attacks on Diffie-Hellman Protocol
  • Diffie-Hellman Problem (DHP) over General Linear
    Groups (GLn)
  • Applying the concept to field extensions
  • Conclusion

3
Diffie-Hellman Protocol
4
Diffie-Hellman Conjecture
  • Discrete Logarithm Problem (DLP)
  • Given $g$ and $g^z$, find $z$.
  • Diffie-Hellman Problem (DHP)
  • Given $g^k$ and $g^l$ (but neither $k$ nor $l$),
    compute the shared key $g^{kl}$.
  • Diffie-Hellman Conjecture (DHC)
  • To solve the DHP one must solve the DLP, i.e. the
    two problems are equally hard.

5
Basics
  • Group
  • A set with a binary operation, $(G, *)$, satisfying the properties of closure,
    associativity, identity and inverse.
  • Cyclic Group
  • A group that can be generated by a single
    element g (the group generator).
  • Subgroup
  • Subset H of group elements of a group G that
    satisfies the four group requirements.

6
Basics (Cont..)
  • Ring
  • $(R, +, \cdot)$ satisfying the properties of additive
    associativity, additive commutativity, additive
    identity, additive inverse, multiplicative
    associativity and left and right distributivity.
  • Field
  • A commutative ring in which every nonzero element
    has a multiplicative inverse, so the nonzero
    elements form a group under multiplication and
    there are no zero divisors.
  • General Linear Group
  • General linear group of degree n over a field F
    (written as GL(n,F)) is the group of n-by-n
    invertible matrices with entries from F, with the
    group operation that of ordinary matrix
    multiplication.

7
Basics (Cont..)
  • Minimal Polynomial
  • The minimal polynomial of a matrix $A$ is the monic
    polynomial of least degree that vanishes at $A$;
    every polynomial that vanishes at $A$ is a multiple
    of it.
  • Example
  • For matrix
  • The minimal polynomial is

8
Basics (Cont..)
  • Irreducible Polynomial
  • A polynomial is said to be irreducible if it
    cannot be factored into nontrivial polynomials
    over the same field.
  • Extension Field
  • A field K is said to be an extension field of
    field F if F is a subfield of K. For example, the
    complex numbers are an extension field of the
    real numbers.

9
Trivial attacks on Diffie-Hellman Protocol
  • Simple exponent
  • $k = 1$ or $l = 1$: then $A = g$ (or $B = g$) and the
    shared key is just the other party's public value.
  • $k = p-1$ or $l = p-1$: then $A = 1$ (or $B = 1$) by
    Fermat's theorem and the shared key is $1$.
  • Simple substitution attacks
  • $g^k = 1$ or $g^l = 1$: a public value equal to $1$
    forces the shared key to $1$ whatever the other
    exponent is, so public values must be checked on
    receipt.

10
Mathematical attacks on Diffie-Hellman Protocol
  • Subgroup Confinement Attack
  • Example
  • $p = 19$, $g = 2$
  • Generated group $\langle 2 \rangle$ (all of
    $\mathbb{Z}_{19}^*$, order 18):
  • 2, 4, 8, 16, 13, 7, 14, 9, 18, 17, 15, 11, 3, 6,
    12, 5, 10, 1
  • $k = 2$, $A = 2^2 = 4$
  • Subgroup generated by $A$: $S_A = \{4, 16, 7, 9, 17,
    11, 6, 5, 1\}$ (order 9)
  • $l = 3$, $B = 2^3 = 8$
  • Subgroup generated by $B$: $S_B = \{8, 7, 18, 11,
    12, 1\}$ (order 6)
  • $K_{ab} = 2^6 = 7$
  • Note: $K_{ab}$ belongs to $S_A \cap S_B = \{1, 7, 11\}$,
    the subgroup of order $\gcd(9, 6) = 3$; an
    eavesdropper therefore has 3 candidates for the
    key instead of 18.
  • Solution: use safe primes ($p = 2q + 1$ with $q$
    prime). Then the only subgroups have order 1, 2,
    $q$ or $2q$, so once the public values $1$ and $p-1$
    are rejected the key cannot be confined to fewer
    than $q$ candidates.
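As an added worked example (not from the deck), the subgroup-confinement computation above in Python, generalised to any small prime and exponent pair: it builds $S_A$ and $S_B$, shows the key lies in their intersection of size $\gcd(\operatorname{ord} A, \operatorname{ord} B)$, scans every exponent pair for the worst case an eavesdropper can obtain once the trivial public values $1$ and $p-1$ are filtered, and adds the receiver-side check a practitioner would run for a safe prime. The functions `accept_public_value` and `worst_case_candidates`, and the safe-prime parameters $p = 23$, $g = 4$, are my own constructions; the "order exactly $q$" rule is standard deployment practice rather than something the slides state.

```python
from math import gcd


def is_prime(n):
    """Trial division; adequate for the toy moduli used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_safe_prime(p):
    """p is a safe prime when both p and q = (p - 1) / 2 are prime."""
    return is_prime(p) and is_prime((p - 1) // 2)


def cyclic_subgroup(p, a):
    """Elements of <a> in Z_p^*, listed as a, a^2, ..., 1 (its length is ord(a))."""
    elems, x = [], a
    while True:
        elems.append(x)
        x = (x * a) % p
        if x == a:
            return elems


def confined_key(p, g, k, l):
    """Run the exchange with secret exponents k, l and report where the key must lie.

    Returns (A, B, candidates, key); candidates is S_A ∩ S_B in increasing order.
    Z_p^* is cyclic, so <A> ∩ <B> is the unique subgroup of order gcd(ord A, ord B):
    that set is the whole search space an eavesdropper faces.
    """
    A, B = pow(g, k, p), pow(g, l, p)
    S_A, S_B = set(cyclic_subgroup(p, A)), set(cyclic_subgroup(p, B))
    key = pow(g, k * l, p)
    candidates = sorted(S_A & S_B)
    assert key in candidates and len(candidates) == gcd(len(S_A), len(S_B))
    return A, B, candidates, key


def worst_case_candidates(p, g):
    """Smallest candidate set over all exponent pairs whose public values survive
    the trivial-attack filter (neither A nor B equal to 1 or p - 1).
    Constructed helper, not part of the deck."""
    best = p
    for k in range(1, p - 1):
        for l in range(1, p - 1):
            A, B, cands, _ = confined_key(p, g, k, l)
            if A not in (1, p - 1) and B not in (1, p - 1):
                best = min(best, len(cands))
    return best


def accept_public_value(p, A):
    """Receiver-side check for a safe prime p = 2q + 1 (constructed helper): reject
    1 and p - 1, which generate the order-1 and order-2 subgroups, and insist on
    order exactly q, the usual rule when g is chosen inside the order-q subgroup."""
    q = (p - 1) // 2
    return 1 < A < p - 1 and pow(A, q, p) == 1


if __name__ == "__main__":
    # The slide's parameters: p = 19 is not a safe prime (9 is composite).
    A, B, cands, key = confined_key(19, 2, 2, 3)
    print(f"p=19 g=2: A={A} B={B} key={key} confined to {cands}")
    print("worst case for p=19 after filtering 1 and p-1:", worst_case_candidates(19, 2))
    # Constructed safe-prime run: p = 23 = 2*11 + 1, g = 4 generates the order-11 subgroup.
    A, B, cands, key = confined_key(23, 4, 2, 3)
    print(f"p=23 g=4: A={A} B={B} key={key}, {len(cands)} candidates")
    print("worst case for p=23 with g=5 (order 22):", worst_case_candidates(23, 5))
    print("accept A=16:", accept_public_value(23, 16), " accept A=22:", accept_public_value(23, 22))
```

With $p = 19$ the key is confined to 3 values; with the safe prime $p = 23$ no exponent pair that passes the `1`/`p-1` filter leaves fewer than $q = 11$ candidates, which is the whole point of the safe-prime fix. The `pow(A, q, p) == 1` test additionally rejects order-$2q$ values, so a peer cannot leak the low bit of the exponent through the order-2 component.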

11
Mathematical attacks on Diffie-Hellman Protocol
(Cont..)
  • Attacks based on composite order subgroup

12
Diffie-Hellman Problem over General Linear Groups
  • A matrix $G \in GL_n(K)$ and matrices $A = G^k$ and
    $B = G^l$ are given for some unknown positive
    integers $k, l < \operatorname{ord}(G)$. Determine the
    matrix $G^{kl} = A^l = B^k$. The matrix $G^{kl}$ is
    called the shared key of the DH protocol.
  • The triple $(G, A, B)$ shall be called the public
    data of the DHP.

13
Conditions for DHP over $GL_n$
  • There exists a polynomial $f(x)$ such that
  • $A = f(G)$
  • $B^k = f(B)$
  • There exists a polynomial $g(x)$ such that
  • $B = g(G)$
  • $A^l = g(A)$
  • When such an $f$ exists the shared key is $f(B)$, and
    $f$ is obtained from the public data alone by
    solving the linear system $A = f(G)$ for its
    coefficients; the exponent $k$ is never needed.

14
Example
  • Consider the field $\mathbb{F}_{53}$ and $G \in GL_2$ given by
  • Let $k = 3$, $l = 53$; then
  • Now the polynomial solution of the linear system
    $A = f(G)$ gives $f(x) = x + 47$.

15
Example (Cont..)
  • The shared key is
  • It is easy to see that $G^{53 \cdot 3} = f(B) = B + 47I$.

16
The Modulus Condition
  • The triple $(G, k, l)$ with $G \in GL_n(K)$ is said
    to satisfy the modulus condition if either of
    the following holds:
  • $x^k \bmod \mathrm{MP}(G) = x^k \bmod \operatorname{lcm}(\mathrm{MP}(G), \mathrm{MP}(B))$
  • or
  • $x^l \bmod \mathrm{MP}(G) = x^l \bmod \operatorname{lcm}(\mathrm{MP}(G), \mathrm{MP}(A))$

17
Implication of Modulus Condition
  • The following statements hold:
  • There exists a polynomial $f(x)$ which satisfies
    $A = f(G)$ and $B^k = f(B)$ iff $(G, k, l)$ satisfies
    the first modulus condition. Such a polynomial is
    unique among polynomials of degree less than
    $\deg \mathrm{MP}(G)$.
  • There exists a polynomial $g(x)$ which satisfies
    $B = g(G)$ and $A^l = g(A)$ iff $(G, k, l)$ satisfies
    the second modulus condition. Such a polynomial is
    unique among polynomials of degree less than
    $\deg \mathrm{MP}(G)$.

18
Conjugate Class
  • A triple $(G, k, l)$ is said to belong to the
    conjugate class if
  • the minimal polynomials of $G$ and $A$ are the same,
  • $\mathrm{MP}(G) = \mathrm{MP}(A)$,
  • or
  • the minimal polynomials of $G$ and $B$ are the same,
  • $\mathrm{MP}(G) = \mathrm{MP}(B)$.
  • In this class the lcm in the modulus condition
    collapses to $\mathrm{MP}(G)$, so the condition holds
    automatically and the shared key is recoverable
    from the public data.

19
Applying the same concept to Extension Fields
  • Take the extension field of the prime field
    $\mathbb{F}_2$ defined by the irreducible polynomial
    $x^3 + x + 1$, i.e. $\mathbb{F}_{2^3}$.
  • Let $g$ be a root of that polynomial; $g$ generates
    the multiplicative group of the field (order 7).
  • Hence $g^3 + g + 1 = 0$, i.e. $g^3 = g + 1$ over $\mathbb{F}_2$.
  • Now, generating all the elements of the field...

20
Applying Concept to Field Extensions
  • Take $k = 6$ and $l = 2$
  • Now,
  • $A = g^k = g^6 = g^2 + 1 = f(g)$, so $f(x) = x^2 + 1$
  • $B = g^l = g^2$
  • Shared key is $g^{12} = g^7 \cdot g^5 = g^5 = g^2 + g + 1$
    (using $g^7 = 1$)
  • Also, $f(B) = f(g^2) = g^4 + 1 = g^2 + g + 1$, which
    equals the shared key: it was computed from the
    public data $(g, A, B)$ alone, without $k$ or $l$.
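The following Python is an added example, not code from the presentation. It implements the attack implied by slides 12 to 20 (solve the linear system $A = f(G)$ over $\mathbb{F}_p$ for the coefficients of $f$, then output $f(B)$) and compares the result with the true key $G^{kl}$. It is run on two inputs: the deck's own $\mathbb{F}_2[x]/(x^3+x+1)$ example, with $g$ realised as the companion matrix of $x^3 + x + 1$ acting on the basis $(1, g, g^2)$ and $k = 6$, $l = 2$; and a matrix $G \in GL_2(\mathbb{F}_{53})$ that I constructed because the deck's matrix is not on the page, with $k = 3$ and the deck's $l = 53$ (then $B = G^{53}$ is the Frobenius conjugate of $G$, so $\mathrm{MP}(B) = \mathrm{MP}(G)$ and the attack succeeds) alongside $l = 5$, where it fails. All function names are mine.

```python
# Added example: polynomial-substitution attack on DH over GL_n(F_p).
# The eavesdropper's input is only the public data (G, A, B); no exponent is used.


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def mat_mul(X, Y, p):
    n = len(X)
    return [[sum(X[i][t] * Y[t][j] for t in range(n)) % p for j in range(n)]
            for i in range(n)]


def mat_pow(G, e, p):
    """G^e over F_p by square-and-multiply."""
    R, base = identity(len(G)), [row[:] for row in G]
    while e:
        if e & 1:
            R = mat_mul(R, base, p)
        base = mat_mul(base, base, p)
        e >>= 1
    return R


def solve_mod_p(rows, p):
    """Gauss-Jordan over F_p on augmented rows [c_0 .. c_{m-1} | rhs].
    Free variables are set to 0; returns None if the system is inconsistent."""
    m = len(rows[0]) - 1
    M = [[v % p for v in r] for r in rows]
    pivots, r = [], 0
    for c in range(m):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)          # Python 3.8+ modular inverse
        M[r] = [(v * inv) % p for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(row[m] for row in M[r:]):       # all-zero coefficients but non-zero rhs
        return None
    sol = [0] * m
    for i, c in enumerate(pivots):
        sol[c] = M[i][m]
    return sol


def recover_poly(G, A, p):
    """Solve A = f(G) for the coefficients of f (degree < n, low degree first).
    I, G, ..., G^(n-1) span F_p[G] (Cayley-Hamilton), so the n^2-by-n system is
    consistent iff A is a polynomial in G, and zeroing the free variables gives
    the unique f of degree below deg MP(G), i.e. x^k mod MP(G) when A = G^k."""
    n = len(G)
    powers = [identity(n)]
    for _ in range(1, n):
        powers.append(mat_mul(powers[-1], G, p))
    rows = [[P[i][j] for P in powers] + [A[i][j]] for i in range(n) for j in range(n)]
    return solve_mod_p(rows, p)


def eval_poly(coeffs, B, p):
    """Horner evaluation of sum_t coeffs[t] * B^t."""
    n = len(B)
    R = [[0] * n for _ in range(n)]
    for c in reversed(coeffs):
        R = mat_mul(R, B, p)
        for i in range(n):
            R[i][i] = (R[i][i] + c) % p
    return R


def attack(G, A, B, p):
    """f(B) for the f recovered from (G, A). Equals the shared key G^(kl) exactly
    when the first modulus condition holds, in particular whenever MP(B) = MP(G)."""
    return eval_poly(recover_poly(G, A, p), B, p)


def dh_key(G, k, l, p):
    """What the honest parties compute (needs a secret exponent)."""
    return mat_pow(G, k * l, p)


if __name__ == "__main__":
    # (a) The deck's GF(2^3) example: g as the companion matrix of x^3 + x + 1 on the
    #     basis (1, g, g^2); k = 6, l = 2.  l = 2 is the Frobenius exponent, so
    #     MP(B) = MP(G) and the attack must succeed.
    C = [[0, 0, 1], [1, 0, 1], [0, 1, 0]]
    A, B = mat_pow(C, 6, 2), mat_pow(C, 2, 2)
    print("f =", recover_poly(C, A, 2), "(x^2 + 1, low degree first)")
    print("GF(8), l = 2: attack == key ->", attack(C, A, B, 2) == dh_key(C, 6, 2, 2))

    # (b) Constructed G in GL_2(F_53) (assumption: the deck's matrix is not on the
    #     page).  MP(G) = x^2 - 5x + 5 is irreducible mod 53, so B = G^53 is the
    #     Frobenius conjugate of G and l = 53 lies in the conjugate class; l = 5 does not.
    G = [[2, 1], [1, 3]]
    A = mat_pow(G, 3, 53)
    print("f =", recover_poly(G, A, 53), "(20x + 28)")
    for l in (53, 5):
        B = mat_pow(G, l, 53)
        print(f"F_53, l = {l}: attack == key ->", attack(G, A, B, 53) == dh_key(G, 3, l, 53))
```

Requires Python 3.8 or later for `pow(x, -1, p)`. The $\mathbb{F}_{53}$ run shows the caveat behind the conjugate-class slide: the same recovered $f(x) = 20x + 28$ yields the key for $l = 53$ and a wrong matrix for $l = 5$, so the weakness is a property of the pair $(G, B)$ (or $(G, A)$), not of $G$ alone. Because $\mathrm{MP}(G)$, $\mathrm{MP}(A)$ and $\mathrm{MP}(B)$ are all computable from public data, a party can test its own public value for the conjugate-class condition before sending it; the deck's conclusion, that no general enumeration of all weak keys is known, still stands for triples outside that class.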

21
Conclusion
  • The Diffie-Hellman Conjecture does not always hold.
  • For a certain class of keys, the shared secret key
    can be determined without solving the Discrete
    Logarithm Problem.
  • There is no direct method available to date to
    enumerate all such keys, except for the limited
    subset of keys that satisfy the Conjugate Class
    property.

22
References
  • W. Diffie and M. Hellman. New Directions in
    Cryptography. IEEE Trans. on Information Theory,
    22:644–654, 1976.
  • R. Lidl and G. Pilz. Applied Abstract Algebra.
    Springer-Verlag, 1st edition, 1984.
  • A. J. Menezes and Yi-Hong Wu. The Discrete
    Logarithm Problem in GL(n). Ars Combinatoria,
    47:23–32, 1998.
  • Jean-François Raymond and Anton Stiglic. Security
    Issues in the Diffie-Hellman Key Agreement
    Protocol. IEEE Trans. on Information Theory,
    pages 1–17, 1998.
  • William Stallings. Cryptography and Network
    Security. Pearson Education, 3rd edition, 2003.

23
Thank you!
24
Notations Used
  • $h(G, x)$: minimal polynomial of the matrix $G$
  • $h_b(x) = \operatorname{lcm}(h(G, x), h(B, x))$
  • $h_a(x) = \operatorname{lcm}(h(G, x), h(A, x))$
  • $f(x) = x^k \bmod h_b(x)$
  • $g(x) = x^l \bmod h_a(x)$