Introduction to Public-Key Cryptography:The Diffie–Hellman Protocol - Introduction to Cryptography with Maple

Cryptography Reference

In-Depth Information

> BA := NewBitGenerator(198668606742102093450006022245851260905,

numbits = 1023, output = integer):

> x := BA();

3643057828008536321618059789049351954101526396296701497885630167462426003983501005\

26344087230618848312296820273171583278986620474290982693535407941122963256991600\

14674567985097618913200285042709893102585598603050926789141813273635482363218167\

913800888478068684904318274980204118455155665997418127639788413412

> evalb(x < q-1);

true

g x

∈ QR p and sends it to Bob through the public

channel. This element is obtained below but we do not print it:

Then Alice computes u

=

> u := Power(g, x) mod p:

Similarly, Bob chooses a random (or, rather, pseudo-random in this case) y

∈ Z q ,

g y

computes v

∈ QR p and sends this element to Alice (again, we do not print v

in order to save space):

> BB := NewBitGenerator(302161507654569763504767421009617402763,

numbits = 1023, output = integer):

=

> y := BB();

2719572573092285394726145843960706748498199703735491492919328770821846888012960535\

40521405141674641253919327924090569790170783923031962779251734546447113929321574\

75914233262293694521107857970533065864670883914490241428522287292324141483346046\

068297947540353250235715294437776422169804829292077951399566979773

> evalb(y < q-1);

true

> v := Power(g, y) mod p:

Now both Alice and Bob have the information necessary to compute the key k

they are going to share. Bob computes:

> k := Power(u, y) mod p;

4490487731305085052430441099514943913122263466394205778464075743588941346343827822\

28272057961841982111040707032452446034256872738930165691435572289242566174659133\

71068787919199266418278126095941497322286370391757334334268318786873857504238324\

103742048047270263709831203146386081644955581637071123001523188989

Alice computes:

> k := Power(v, x) mod p;

4490487731305085052430441099514943913122263466394205778464075743588941346343827822\

28272057961841982111040707032452446034256872738930165691435572289242566174659133\

71068787919199266418278126095941497322286370391757334334268318786873857504238324\

103742048047270263709831203146386081644955581637071123001523188989

Alice and Bob now share the same element k

∈ QR p , whose length is 1022 bits:

> ilog2(k)+1;

1022

Even knowing u and v , k appears to be hard to distinguish from a random element

of

QR p but what Alice and Bob require is, say, a 128-bit key. To obtain it from k

they should apply a Key Derivation Function (KDF) as discussed, for example, in

[10] to which we refer for details.

Now, as mentioned before, if Eve observes the entire exchange and knows p ,

g , u , and v , the best passive attack she has to recover k seems to be to solve the

discrete logarithm in

QR p and to compute x from the relation g x mod p

u (or,

similarly, to compute y ). This is thought to be infeasible with our present knowledge

since, as mentioned in Chap. 6 , the current record for a discrete logarithm in

=

Z p

Introduction to Cryptography with Maple

Search WWH ::

Custom Search

Home