Online

Cryptography Course Dan Boneh

Basic key exchange

The Die-Hellman
protocol
Dan Boneh

Key exchange without an online TTP?

Goal: Alice and Bob want shared secret, unknown to eavesdropper
For now: security against eavesdropping only (no tampering)

Alice

Bob
eavesdropper ??

Can this be done with an exponenJal gap?

Dan Boneh

The Die-Hellman protocol (informally)

Fix a large prime p (e.g. 600 digits)
Fix an integer g in {1, , p}
Alice

Bob

choose random a in {1,,p-1}

Ba (mod p) = (gb) =

choose random b in {1,,p-1}

= gab (mod p)

kAB

= (ga) = Ab (mod p)
Dan Boneh

Security (much more on this later)

Eavesdropper sees: p, g, A=ga (mod p), and B=gb (mod p)

Can she compute gab (mod p) ??


More generally: dene DHg(ga, gb) = gab (mod p)

How hard is the DH funcJon mod p?

Dan Boneh

How hard is the DH funcJon mod p?

Suppose prime p is n bits long.
Best known algorithm (GNFS): run Jme exp( )
cipher key size
80 bits
128 bits
256 bits (AES)

modulus size
1024 bits
3072 bits
15360 bits

EllipJc Curve
size
bits
160
256
bits
bits
512

As a result: slow transiJon away from (mod p) to ellipJc curves

Dan Boneh

EllipJc curve
Die-Hellman
Dan Boneh

Insecure against man-in-the-middle

As described, the protocol is insecure against ac3ve aaacks
Alice

MiTM

Bob

Dan Boneh

Another look at DH
Facebook

ga

gb

gc

gd

Alice

Bob

Charlie

David
d

KAC

=gac

KAC=gac
Dan Boneh

An open problem
Facebook

ga

gb

gc

gd

Alice

Bob

Charlie

David
d

KABCD

KABCD

KABCD

KABCD

Dan Boneh

End of Segment

Dan Boneh