Weak Keys in Diffie-Hellman Protocol
Aniket Kate, Prajakta Kalekar, Deepti Agrawal
Under the guidance of Prof. Bernard Menezes



Roadmap
Introduction to the Diffie-Hellman Protocol
Basics of Abstract Algebra Concepts
Mathematical attacks on Diffie-Hellman Protocol
Diffie-Hellman Problem (DHP) over General Linear Groups ($GL_n$)
Applying concept to Field Extension
Conclusion

Diffie-Hellman Protocol

Diffie-Hellman Conjecture
Discrete Logarithm Problem (DLP): to find $z$ given $g^z$.
Diffie-Hellman problem (DHP): the problem of solving for the shared key.
Diffie-Hellman conjecture (DHC): to solve the DHP we need to solve the DLP.

Basics
Group: (G, +) satisfying the properties of closure, associativity, identity and inverse.
Cyclic Group: a group that can be generated by a single element g (the group generator).
Subgroup: a subset H of the elements of a group G that satisfies the four group requirements.

Basics (Cont..)
Ring: (R, +, *) satisfying the properties of additive associativity, additive commutativity, additive identity, additive inverse, multiplicative associativity, and left and right distributivity.
Fields: a set of elements that satisfies the group axioms for both addition and multiplication and has no zero divisors.
General Linear Group: the general linear group of degree n over a field F (written as GL(n,F)) is the group of n-by-n invertible matrices with entries from F, with the group operation that of ordinary matrix multiplication.

Basics (Cont..) Minimal Polynomial Minimal polynomial of a matrix is the polynomial in A of smallest degree n such that Example For matrix The minimal polynomial is

Basics (Cont..)
Irreducible Polynomial: a polynomial is said to be irreducible if it cannot be factored into nontrivial polynomials over the same field.
Extension Field: a field K is said to be an extension field of a field F if F is a subfield of K. For example, the complex numbers are an extension field of the real numbers.

Trivial attacks on Diffie-Hellman Protocol
Simple Exponent
1. $k = 1$ or $l = 1$
2. $k = p-1$ or $l = p-1$
Simple Substitution Attacks
$g^k = 1$ or $g^l = 1$

Mathematical attacks on Diffie-Hellman Protocol
Subgroup Confinement Attack
Example: $p = 19$, $g = 2$
Generated group: {2, 4, 8, 16, 13, 7, 14, 9, 18, 17, 15, 11, 3, 6, 12, 5, 10, 1}
$k = 2$, $A = 2^2 = 4$
Subgroup generated by $A$: $S_A$ = {4, 16, 7, 9, 17, 11, 6, 5, 1}
$l = 3$, $B = 2^3 = 8$
Subgroup generated by $B$: $S_B$ = {8, 7, 18, 11, 12, 1}
$K_{ab} = 2^6 = 7$
Note: $K_{ab}$ belongs to $S_A \cap S_B$.
Solution: Use safe primes ($p = 2q + 1$).
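The slide's numbers, reproduced as an added example that is not part of the original presentation: it recomputes the two subgroups and their intersection for p = 19, then compares the smallest subgroup a peer value can land in for p = 19 against the safe prime p = 23 = 2·11 + 1. The function names and the choice of p = 23 are assumptions made for illustration.

```python
def subgroup(y, p):
    """Elements generated by y in Z_p^* (direct iteration; toy sizes only)."""
    seen, x = [], 1
    while True:
        x = x * y % p
        seen.append(x)
        if x == 1:
            return seen

def confinement(p, g, k, l):
    """Return (|S_A|, |S_B|, shared key, S_A ∩ S_B) for private exponents k, l."""
    A, B = pow(g, k, p), pow(g, l, p)
    S_A, S_B = subgroup(A, p), subgroup(B, p)
    key = pow(g, k * l, p)
    return len(S_A), len(S_B), key, sorted(set(S_A) & set(S_B))

def smallest_order_after_range_check(p):
    """Smallest subgroup order among public values passing 2 <= y <= p - 2."""
    return min(len(subgroup(y, p)) for y in range(2, p - 1))

if __name__ == "__main__":
    # Slide parameters: p = 19, g = 2, k = 2, l = 3.
    print(confinement(19, 2, 2, 3))
    # p = 19 is not a safe prime (p - 1 = 2 * 3 * 3); p = 23 is (constructed).
    print(smallest_order_after_range_check(19))
    print(smallest_order_after_range_check(23))
```

With a safe prime, rejecting the values 1 and p - 1 is enough to guarantee that every accepted public value generates a subgroup of order q or 2q.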

Mathematical attacks on Diffie-Hellman Protocol (Cont..)
Attacks based on composite order subgroup

Diffie-Hellman Problem over General Linear Groups
A matrix $G$ in $GL_n(K)$ and matrices $A = G^k$ and $B = G^l$ are given for some unknown positive integers $k, l < \mathrm{ord}(G)$. Determine the matrix $G^{kl} = A^l = B^k$.
The matrix $G^{kl}$ is called the shared key of the DH protocol.
The triple $(G, A, B)$ shall be called the public data of the DHP.

Conditions for DHP over $GL_n$
There exists a polynomial $f(x)$ such that $A = f(G)$ and $B^k = f(B)$.
There exists a polynomial $g(x)$ such that $B = g(G)$ and $A^l = g(A)$.

Example
Consider the field $F_{53}$ and $G$ in $GL_2$ given by
Let $k = 3$, $l = 53$, then
Now the polynomial solution of the linear system $A = f(G)$ gives $f(x) = x + 47$.

Example (Cont..)
The shared key is
It is easy to see that $G^{53 \times 3} = f(B) = B + 47I$.

The Modulus Condition
The triple $(G, k, l)$ with $G$ in $GL_n(K)$ is said to satisfy the modulus condition if any one of the following conditions holds:
$x^k \bmod \mathrm{MP}(G) = x^k \bmod \mathrm{LCM}(\mathrm{MP}(G), \mathrm{MP}(B))$
or
$x^l \bmod \mathrm{MP}(G) = x^l \bmod \mathrm{LCM}(\mathrm{MP}(G), \mathrm{MP}(A))$

Implication of Modulus Condition
The following statements hold:
There exists a polynomial $f(x)$ which satisfies $A = f(G)$ and $B^k = f(B)$ iff $(G, k, l)$ satisfies the first modulus condition. Such a polynomial is unique.
There exists a polynomial $g(x)$ which satisfies $B = g(G)$ and $A^l = g(A)$ iff $(G, k, l)$ satisfies the second modulus condition. Such a polynomial is unique.

Conjugate Class
A triple $(G, k, l)$ is said to belong to the conjugate class if
the minimal polynomials of $G$ and $A$ are the same, $\mathrm{MP}(G) = \mathrm{MP}(A)$,
or the minimal polynomials of $G$ and $B$ are the same, $\mathrm{MP}(G) = \mathrm{MP}(B)$.

Applying the same concept to Extension Fields
Assume an extension field of the prime field 2 over the irreducible polynomial $x^3 + x + 1$.
Let $g$ be the generator of the extension field. Hence, $g^3 + g + 1 = 0$.
Now, generating all the elements of the field...

Applying Concept to Field Extensions
Take $k = 6$ and $l = 2$.
Now, $A = g^k = g^6 = g = f(g)$
$B = g^l = g^2$
Shared key is $g^{12} = g^7 \cdot g^5 = g^5 = g^2 + g + 1$
Also, $f(B) = f(g^2) = g = g^2 + g + 1$
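The extension-field case above and the conjugate class test, worked through as an added example that is not part of the original presentation. It builds the field with modulus x^3 + x + 1, recovers the shared key from the public values alone for k = 6, l = 2, and lists the exponents a key generator should reject; all function names are hypothetical.

```python
# Constructed toy parameters taken from the slides: GF(2^3), modulus x^3 + x + 1.
# A field element is an int whose bit i is the coefficient of g^i.
MOD, DEG, G = 0b1011, 3, 0b010

def gf_mul(a, b):
    """Shift-and-add product of two field elements, reduced by MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> DEG) & 1:
            a ^= MOD
    return r

def gf_pow(a, e):
    """Square-and-multiply exponentiation in the field."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def poly_eval(coeffs, x):
    """Horner evaluation of a GF(2)-coefficient polynomial (bitmask) at x."""
    r = 0
    for i in reversed(range(coeffs.bit_length())):
        r = gf_mul(r, x)
        if (coeffs >> i) & 1:
            r ^= 1
    return r

def in_conjugate_class(public):
    """True when the public value is a root of MOD, i.e. MP(public) = MP(g)."""
    return poly_eval(MOD, public) == 0

def key_from_public(A, B):
    """A's bits are the coefficients of f with A = f(g); return f(B)."""
    return poly_eval(A, B)

def weak_exponents():
    """Exponents below ord(g) = 7 that key generation should reject."""
    return [e for e in range(1, 7) if in_conjugate_class(gf_pow(G, e))]
```

For l = 3 the public value B is not a root of the modulus, and f(B) no longer equals the shared key, which is why the check is phrased on the minimal polynomial of the public value.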

Conclusion
Diffie-Hellman Conjecture does not always hold.
For a certain class of keys, the shared secret key can be determined without solving the Discrete Logarithm Problem.
There is no direct method available to date to enumerate all such keys except for a limited subset of keys that satisfy the Conjugate Class Property.


Notations Used
$h(G,x)$: minimal polynomial for matrix $G$
$h_b(x) = \mathrm{LCM}(h(G,x), h(B,x))$
$h_a(x) = \mathrm{LCM}(h(G,x), h(A,x))$
$f(x) = x^k \bmod h_b(x)$
$g(x) = x^l \bmod h_a(x)$