from this information the attacker is unable to calculate either $a$ or $b$ because of the difficulty of the discrete logarithm problem.
2. The main purpose of the Diffie-Hellman protocol is to establish a common cryptographic key $K_{AB}$. There are two reasons why the shared value $Z_{AB} = g^{ab}$ is unlikely to itself form the key in a real application:
• $Z_{AB}$ is not likely to be the correct length for a cryptographic key. If we conduct the Diffie-Hellman protocol with $p$ having 1024 bits, then the shared value will also be a value of 1024 bits, which is much longer than a typical symmetric key.
• Having gone through the effort of conducting a run of the Diffie-Hellman protocol to compute $Z_{AB}$, Alice and Bob may want to use it to establish several different keys. Hence they may not want to use $Z_{AB}$ as a key, but rather as a seed from which to derive several different keys (see Section 10.3.2). The rationale behind this is that $Z_{AB}$ is relatively expensive to generate, both in terms of computation and communication, whereas derived keys $K_{AB}$ are relatively cheap to generate from $Z_{AB}$.
3. The protocol we have described is just one instantiation of the Diffie-Hellman protocol. In theory, any public-key cryptosystem that has the right special property, and for which a suitable combination function $F$ can be found, could be used to produce a version of the Diffie-Hellman protocol. In this case:
• very informally, the special property of ElGamal is that public keys of different users can be numbers over the same modulus $p$, which means that they can be combined in different ways;
• the combination function $F$, which is $F(x, g^y) = (g^y)^x$, has the special property that it does not matter in which order the two exponentiations are conducted, since:

$$F(x, g^y) = (g^y)^x = (g^x)^y = F(y, g^x).$$
It is not possible to use key pairs from any public-key cryptosystem to instantiate the Diffie-Hellman protocol. In particular, RSA key pairs cannot be used because in RSA each user has their own modulus $n$, making RSA key pairs difficult to combine in the above manner. Hence, in contrast to Section 7.3.4, this time ElGamal is 'special'. Note that an important alternative manifestation of the Diffie-Hellman protocol is when an elliptic-curve-based variant of ElGamal is used (see Section 5.3.5), resulting in a protocol with shorter keys and reduced communication bandwidth.
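Points 2 and 3 above can both be seen in a short added example (this code is not from the book). It runs one Diffie-Hellman exchange, checks that the combination function $F(x, g^y) = (g^y)^x$ gives the same $Z_{AB}$ whichever exponentiation is done first, and then treats $Z_{AB}$ as a seed for a key-derivation function rather than as a key, deriving several short keys from one long shared value. The parameters are constructed for illustration only: the modulus is the Mersenne prime $2^{521} - 1$ (chosen so that $Z_{AB}$ is visibly much longer than a 128-bit symmetric key) with an arbitrary base $g = 3$; neither is a standardised Diffie-Hellman group, and the HKDF-SHA256 routine is written out by hand so the example runs with the standard library alone.

```python
"""Diffie-Hellman exchange plus key derivation from Z_AB (added example)."""
import hashlib
import hmac
import secrets

# Constructed demonstration parameters (NOT a standardised group).
# p = 2**521 - 1 is prime (a Mersenne prime), so Z_AB is up to 521 bits long,
# far longer than the 128-bit keys derived below. g = 3 is an arbitrary
# illustrative base; a real deployment would use a vetted group (for example
# the RFC 3526 or RFC 7919 groups) with a generator of known large order.
P = 2**521 - 1
G = 3


def combine(x, g_y, p=P):
    """The combination function F(x, g^y) = (g^y)^x mod p from the text."""
    return pow(g_y, x, p)


def dh_exchange(a, b, p=P, g=G):
    """Run one Diffie-Hellman exchange with private exponents a and b.

    Returns (g^a, g^b, Z_AB). Z_AB is computed on both sides, Alice as
    F(a, g^b) and Bob as F(b, g^a), to show the order of exponentiation
    does not matter.
    """
    g_a = pow(g, a, p)          # Alice sends g^a
    g_b = pow(g, b, p)          # Bob sends g^b
    z_alice = combine(a, g_b, p)   # Alice computes (g^b)^a
    z_bob = combine(b, g_a, p)     # Bob computes (g^a)^b
    assert z_alice == z_bob, "F(a, g^b) must equal F(b, g^a)"
    return g_a, g_b, z_alice


def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869) with SHA-256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()              # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                        # expand
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(z_ab, labels, key_len=16, p=P):
    """Use Z_AB as a seed: derive one key per label instead of using Z_AB itself."""
    # Encode Z_AB as a fixed-width big-endian byte string the size of p, so
    # that the same integer always yields the same input keying material.
    ikm = z_ab.to_bytes((p.bit_length() + 7) // 8, "big")
    salt = b"\x00" * hashlib.sha256().digest_size   # constant salt for the demo
    return {label: hkdf_sha256(ikm, salt, label, key_len) for label in labels}


def demo():
    """Fresh random exponents, one exchange, two 128-bit keys from one Z_AB."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    g_a, g_b, z_ab = dh_exchange(a, b)
    keys = derive_keys(z_ab, [b"encryption", b"mac"])
    print("Z_AB bit length:", z_ab.bit_length(), "(vs 128-bit derived keys)")
    for label, k in keys.items():
        print(label.decode(), "key:", k.hex())
    return z_ab, keys


if __name__ == "__main__":
    demo()
```

Each derived key is bound to its label through the HKDF `info` input, so the "encryption" and "mac" keys differ even though both come from the same $Z_{AB}$; a protocol that needs a third key simply adds a third label rather than another expensive exchange.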
ANALYSIS OF THE DIFFIE-HELLMAN PROTOCOL
We will now test the Diffie-Hellman protocol against the typical AKE protocol
security goals that we identified in Section 9.4.1:
Mutual entity authentication. There is nothing in the Diffie-Hellman protocol that gives either party any assurance of who they are communicating with. The values $a$ and $b$ (and hence $g^a$ and $g^b$) have been generated for this