Which properties of a group are used in the steps of Diffie Hellman?
$begingroup$
I’m trying to understand which properties of a group are used in DHKE at each step.
For example, Alice and Bob’s public keys appear to only use the closure property of a group and maybe identity (e.g. $k_{pubA}$ = $A^{k_{prA}}$ (mod p)?
When creating the shared key Alice and Bob appear to also use the associative property of a group $k_{AB}$ = $B^{k_{prA}}$ (mod p)?
So to perform both main steps of DHKE the multiplicative inverse property does not seem to be used at all?
diffie-hellman number-theory group-theory
$endgroup$
add a comment |
$begingroup$
I’m trying to understand which properties of a group are used in DHKE at each step.
For example, Alice and Bob’s public keys appear to only use the closure property of a group and maybe identity (e.g. $k_{pubA}$ = $A^{k_{prA}}$ (mod p)?
When creating the shared key Alice and Bob appear to also use the associative property of a group $k_{AB}$ = $B^{k_{prA}}$ (mod p)?
So to perform both main steps of DHKE the multiplicative inverse property does not seem to be used at all?
diffie-hellman number-theory group-theory
$endgroup$
add a comment |
$begingroup$
I’m trying to understand which properties of a group are used in DHKE at each step.
For example, Alice and Bob’s public keys appear to only use the closure property of a group and maybe identity (e.g. $k_{pubA}$ = $A^{k_{prA}}$ (mod p)?
When creating the shared key Alice and Bob appear to also use the associative property of a group $k_{AB}$ = $B^{k_{prA}}$ (mod p)?
So to perform both main steps of DHKE the multiplicative inverse property does not seem to be used at all?
diffie-hellman number-theory group-theory
$endgroup$
I’m trying to understand which properties of a group are used in DHKE at each step.
For example, Alice and Bob’s public keys appear to only use the closure property of a group and maybe identity (e.g. $k_{pubA}$ = $A^{k_{prA}}$ (mod p)?
When creating the shared key Alice and Bob appear to also use the associative property of a group $k_{AB}$ = $B^{k_{prA}}$ (mod p)?
So to perform both main steps of DHKE the multiplicative inverse property does not seem to be used at all?
diffie-hellman number-theory group-theory
diffie-hellman number-theory group-theory
asked Jan 22 at 20:33
JohnGaltJohnGalt
1735
1735
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
$begingroup$
I’m trying to understand which properties of a group are used in DHKE at each step.
Actually, you can implement a DH-style operation in any semigroup; you need closure, and you need associativity (so $A^3 = Atimes A times A = (A times A) times A = A times (A times A)$ is well defined), but other than that, you really don't need anything. You don't need an identity, you don't need the semigroup to be abelian (although the sub-semigroup generated by a single element will always be abelian), it doesn't have to be finite (although infinite semigroups would cause practical problems during implementation) and you don't need inverses (which, if you don't have an identity, aren't well-defined anyways).
We typically don't talk about doing DH in a semigroup mostly because (AFAIK) no one has found a semigroup (that's not also a group) that has any particular advantage over a true group.
Now, what's a more interesting (and considerably harder) question is "what properties do you need for DHKE to be secure?" We do have assumptions such as the CDH assumption ("given $g, g^a, g^b$, it's hard to compute $g^{ab}$), however we don't know what semigroup properties ensure that...
$endgroup$
$begingroup$
I appreciate the answer and am going to mark it as answered. Regarding, "what properties do you need for DHKE to be secure?" that was my intended question but that definitely wasn't clear. I'm glad, however, that they're two questions now, one with the minimum properties necessary for DHKE implementation (regardless of security) and this other question regarding the secure-ness are hardness I guess. Should I ask a separate question are could you expand on it here?
$endgroup$
– JohnGalt
Jan 22 at 21:39
1
$begingroup$
The selection of group is critical for security. Using DH with the group $mod p$ for many primes $p$ with group operation $times$ is secure as far as we know, yet using DH with the group $mod {p-1}$ with group operation $+$ is not secure (discrete log is simply modular division), even though the two groups are isomorphic.
$endgroup$
– Myria
Jan 22 at 22:58
$begingroup$
@Myria Is the selection of the group critical for security or the selection of the modulus? For DHKE over $Z_p^*$ it would appear from the answer above that the critical factor is choosing a large enough prime so that the sqrt(p) is large enough to make brute forcing the DLP computationally infeasible?
$endgroup$
– JohnGalt
Jan 22 at 23:31
2
$begingroup$
@JohnGalt For $mathbb{Z}^*_p$, $p$ needs to be a prime such that $p-1$ has at least one large prime; optimally $p$ is a Sophie-Germain prime. Otherwise, the discrete logarithm is easy (Pohlig-Hellman with Baby-Step Giant-Step). But even with such a $p$, $mathbb{Z}^+_{p-1}$ is still insecure, despite being isometric to $mathbb{Z}^*_p$. Thus, you really need both the group representation and its modulus to be selected well.
$endgroup$
– Myria
Jan 23 at 0:21
1
$begingroup$
@JohnGalt I was showing how the choice of group representation matters for security, not just the group order. So while choosing any group for DH will make the key exchange work, only some choices of representation and order are secure.
$endgroup$
– Myria
Jan 23 at 1:08
|
show 1 more comment
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66688%2fwhich-properties-of-a-group-are-used-in-the-steps-of-diffie-hellman%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
I’m trying to understand which properties of a group are used in DHKE at each step.
Actually, you can implement a DH-style operation in any semigroup; you need closure, and you need associativity (so $A^3 = Atimes A times A = (A times A) times A = A times (A times A)$ is well defined), but other than that, you really don't need anything. You don't need an identity, you don't need the semigroup to be abelian (although the sub-semigroup generated by a single element will always be abelian), it doesn't have to be finite (although infinite semigroups would cause practical problems during implementation) and you don't need inverses (which, if you don't have an identity, aren't well-defined anyways).
We typically don't talk about doing DH in a semigroup mostly because (AFAIK) no one has found a semigroup (that's not also a group) that has any particular advantage over a true group.
Now, what's a more interesting (and considerably harder) question is "what properties do you need for DHKE to be secure?" We do have assumptions such as the CDH assumption ("given $g, g^a, g^b$, it's hard to compute $g^{ab}$), however we don't know what semigroup properties ensure that...
$endgroup$
$begingroup$
I appreciate the answer and am going to mark it as answered. Regarding, "what properties do you need for DHKE to be secure?" that was my intended question but that definitely wasn't clear. I'm glad, however, that they're two questions now, one with the minimum properties necessary for DHKE implementation (regardless of security) and this other question regarding the secure-ness are hardness I guess. Should I ask a separate question are could you expand on it here?
$endgroup$
– JohnGalt
Jan 22 at 21:39
1
$begingroup$
The selection of group is critical for security. Using DH with the group $mod p$ for many primes $p$ with group operation $times$ is secure as far as we know, yet using DH with the group $mod {p-1}$ with group operation $+$ is not secure (discrete log is simply modular division), even though the two groups are isomorphic.
$endgroup$
– Myria
Jan 22 at 22:58
$begingroup$
@Myria Is the selection of the group critical for security or the selection of the modulus? For DHKE over $Z_p^*$ it would appear from the answer above that the critical factor is choosing a large enough prime so that the sqrt(p) is large enough to make brute forcing the DLP computationally infeasible?
$endgroup$
– JohnGalt
Jan 22 at 23:31
2
$begingroup$
@JohnGalt For $mathbb{Z}^*_p$, $p$ needs to be a prime such that $p-1$ has at least one large prime; optimally $p$ is a Sophie-Germain prime. Otherwise, the discrete logarithm is easy (Pohlig-Hellman with Baby-Step Giant-Step). But even with such a $p$, $mathbb{Z}^+_{p-1}$ is still insecure, despite being isometric to $mathbb{Z}^*_p$. Thus, you really need both the group representation and its modulus to be selected well.
$endgroup$
– Myria
Jan 23 at 0:21
1
$begingroup$
@JohnGalt I was showing how the choice of group representation matters for security, not just the group order. So while choosing any group for DH will make the key exchange work, only some choices of representation and order are secure.
$endgroup$
– Myria
Jan 23 at 1:08
|
show 1 more comment
$begingroup$
I’m trying to understand which properties of a group are used in DHKE at each step.
Actually, you can implement a DH-style operation in any semigroup; you need closure, and you need associativity (so $A^3 = Atimes A times A = (A times A) times A = A times (A times A)$ is well defined), but other than that, you really don't need anything. You don't need an identity, you don't need the semigroup to be abelian (although the sub-semigroup generated by a single element will always be abelian), it doesn't have to be finite (although infinite semigroups would cause practical problems during implementation) and you don't need inverses (which, if you don't have an identity, aren't well-defined anyways).
We typically don't talk about doing DH in a semigroup mostly because (AFAIK) no one has found a semigroup (that's not also a group) that has any particular advantage over a true group.
Now, what's a more interesting (and considerably harder) question is "what properties do you need for DHKE to be secure?" We do have assumptions such as the CDH assumption ("given $g, g^a, g^b$, it's hard to compute $g^{ab}$), however we don't know what semigroup properties ensure that...
$endgroup$
$begingroup$
I appreciate the answer and am going to mark it as answered. Regarding, "what properties do you need for DHKE to be secure?" that was my intended question but that definitely wasn't clear. I'm glad, however, that they're two questions now, one with the minimum properties necessary for DHKE implementation (regardless of security) and this other question regarding the secure-ness are hardness I guess. Should I ask a separate question are could you expand on it here?
$endgroup$
– JohnGalt
Jan 22 at 21:39
1
$begingroup$
The selection of group is critical for security. Using DH with the group $mod p$ for many primes $p$ with group operation $times$ is secure as far as we know, yet using DH with the group $mod {p-1}$ with group operation $+$ is not secure (discrete log is simply modular division), even though the two groups are isomorphic.
$endgroup$
– Myria
Jan 22 at 22:58
$begingroup$
@Myria Is the selection of the group critical for security or the selection of the modulus? For DHKE over $Z_p^*$ it would appear from the answer above that the critical factor is choosing a large enough prime so that the sqrt(p) is large enough to make brute forcing the DLP computationally infeasible?
$endgroup$
– JohnGalt
Jan 22 at 23:31
2
$begingroup$
@JohnGalt For $mathbb{Z}^*_p$, $p$ needs to be a prime such that $p-1$ has at least one large prime; optimally $p$ is a Sophie-Germain prime. Otherwise, the discrete logarithm is easy (Pohlig-Hellman with Baby-Step Giant-Step). But even with such a $p$, $mathbb{Z}^+_{p-1}$ is still insecure, despite being isometric to $mathbb{Z}^*_p$. Thus, you really need both the group representation and its modulus to be selected well.
$endgroup$
– Myria
Jan 23 at 0:21
1
$begingroup$
@JohnGalt I was showing how the choice of group representation matters for security, not just the group order. So while choosing any group for DH will make the key exchange work, only some choices of representation and order are secure.
$endgroup$
– Myria
Jan 23 at 1:08
|
show 1 more comment
$begingroup$
I’m trying to understand which properties of a group are used in DHKE at each step.
Actually, you can implement a DH-style operation in any semigroup; you need closure, and you need associativity (so $A^3 = Atimes A times A = (A times A) times A = A times (A times A)$ is well defined), but other than that, you really don't need anything. You don't need an identity, you don't need the semigroup to be abelian (although the sub-semigroup generated by a single element will always be abelian), it doesn't have to be finite (although infinite semigroups would cause practical problems during implementation) and you don't need inverses (which, if you don't have an identity, aren't well-defined anyways).
We typically don't talk about doing DH in a semigroup mostly because (AFAIK) no one has found a semigroup (that's not also a group) that has any particular advantage over a true group.
Now, what's a more interesting (and considerably harder) question is "what properties do you need for DHKE to be secure?" We do have assumptions such as the CDH assumption ("given $g, g^a, g^b$, it's hard to compute $g^{ab}$), however we don't know what semigroup properties ensure that...
$endgroup$
I’m trying to understand which properties of a group are used in DHKE at each step.
Actually, you can implement a DH-style operation in any semigroup; you need closure, and you need associativity (so $A^3 = Atimes A times A = (A times A) times A = A times (A times A)$ is well defined), but other than that, you really don't need anything. You don't need an identity, you don't need the semigroup to be abelian (although the sub-semigroup generated by a single element will always be abelian), it doesn't have to be finite (although infinite semigroups would cause practical problems during implementation) and you don't need inverses (which, if you don't have an identity, aren't well-defined anyways).
We typically don't talk about doing DH in a semigroup mostly because (AFAIK) no one has found a semigroup (that's not also a group) that has any particular advantage over a true group.
Now, what's a more interesting (and considerably harder) question is "what properties do you need for DHKE to be secure?" We do have assumptions such as the CDH assumption ("given $g, g^a, g^b$, it's hard to compute $g^{ab}$), however we don't know what semigroup properties ensure that...
edited Jan 22 at 21:28
answered Jan 22 at 21:15
ponchoponcho
91.4k2144238
91.4k2144238
$begingroup$
I appreciate the answer and am going to mark it as answered. Regarding, "what properties do you need for DHKE to be secure?" that was my intended question but that definitely wasn't clear. I'm glad, however, that they're two questions now, one with the minimum properties necessary for DHKE implementation (regardless of security) and this other question regarding the secure-ness are hardness I guess. Should I ask a separate question are could you expand on it here?
$endgroup$
– JohnGalt
Jan 22 at 21:39
1
$begingroup$
The selection of group is critical for security. Using DH with the group $mod p$ for many primes $p$ with group operation $times$ is secure as far as we know, yet using DH with the group $mod {p-1}$ with group operation $+$ is not secure (discrete log is simply modular division), even though the two groups are isomorphic.
$endgroup$
– Myria
Jan 22 at 22:58
$begingroup$
@Myria Is the selection of the group critical for security or the selection of the modulus? For DHKE over $Z_p^*$ it would appear from the answer above that the critical factor is choosing a large enough prime so that the sqrt(p) is large enough to make brute forcing the DLP computationally infeasible?
$endgroup$
– JohnGalt
Jan 22 at 23:31
2
$begingroup$
@JohnGalt For $mathbb{Z}^*_p$, $p$ needs to be a prime such that $p-1$ has at least one large prime; optimally $p$ is a Sophie-Germain prime. Otherwise, the discrete logarithm is easy (Pohlig-Hellman with Baby-Step Giant-Step). But even with such a $p$, $mathbb{Z}^+_{p-1}$ is still insecure, despite being isometric to $mathbb{Z}^*_p$. Thus, you really need both the group representation and its modulus to be selected well.
$endgroup$
– Myria
Jan 23 at 0:21
1
$begingroup$
@JohnGalt I was showing how the choice of group representation matters for security, not just the group order. So while choosing any group for DH will make the key exchange work, only some choices of representation and order are secure.
$endgroup$
– Myria
Jan 23 at 1:08
|
show 1 more comment
$begingroup$
I appreciate the answer and am going to mark it as answered. Regarding, "what properties do you need for DHKE to be secure?" that was my intended question but that definitely wasn't clear. I'm glad, however, that they're two questions now, one with the minimum properties necessary for DHKE implementation (regardless of security) and this other question regarding the secure-ness are hardness I guess. Should I ask a separate question are could you expand on it here?
$endgroup$
– JohnGalt
Jan 22 at 21:39
1
$begingroup$
The selection of group is critical for security. Using DH with the group $mod p$ for many primes $p$ with group operation $times$ is secure as far as we know, yet using DH with the group $mod {p-1}$ with group operation $+$ is not secure (discrete log is simply modular division), even though the two groups are isomorphic.
$endgroup$
– Myria
Jan 22 at 22:58
$begingroup$
@Myria Is the selection of the group critical for security or the selection of the modulus? For DHKE over $Z_p^*$ it would appear from the answer above that the critical factor is choosing a large enough prime so that the sqrt(p) is large enough to make brute forcing the DLP computationally infeasible?
$endgroup$
– JohnGalt
Jan 22 at 23:31
2
$begingroup$
@JohnGalt For $mathbb{Z}^*_p$, $p$ needs to be a prime such that $p-1$ has at least one large prime; optimally $p$ is a Sophie-Germain prime. Otherwise, the discrete logarithm is easy (Pohlig-Hellman with Baby-Step Giant-Step). But even with such a $p$, $mathbb{Z}^+_{p-1}$ is still insecure, despite being isometric to $mathbb{Z}^*_p$. Thus, you really need both the group representation and its modulus to be selected well.
$endgroup$
– Myria
Jan 23 at 0:21
1
$begingroup$
@JohnGalt I was showing how the choice of group representation matters for security, not just the group order. So while choosing any group for DH will make the key exchange work, only some choices of representation and order are secure.
$endgroup$
– Myria
Jan 23 at 1:08
$begingroup$
I appreciate the answer and am going to mark it as answered. Regarding, "what properties do you need for DHKE to be secure?" that was my intended question but that definitely wasn't clear. I'm glad, however, that they're two questions now, one with the minimum properties necessary for DHKE implementation (regardless of security) and this other question regarding the secure-ness are hardness I guess. Should I ask a separate question are could you expand on it here?
$endgroup$
– JohnGalt
Jan 22 at 21:39
$begingroup$
I appreciate the answer and am going to mark it as answered. Regarding, "what properties do you need for DHKE to be secure?" that was my intended question but that definitely wasn't clear. I'm glad, however, that they're two questions now, one with the minimum properties necessary for DHKE implementation (regardless of security) and this other question regarding the secure-ness are hardness I guess. Should I ask a separate question are could you expand on it here?
$endgroup$
– JohnGalt
Jan 22 at 21:39
1
1
$begingroup$
The selection of group is critical for security. Using DH with the group $mod p$ for many primes $p$ with group operation $times$ is secure as far as we know, yet using DH with the group $mod {p-1}$ with group operation $+$ is not secure (discrete log is simply modular division), even though the two groups are isomorphic.
$endgroup$
– Myria
Jan 22 at 22:58
$begingroup$
The selection of group is critical for security. Using DH with the group $mod p$ for many primes $p$ with group operation $times$ is secure as far as we know, yet using DH with the group $mod {p-1}$ with group operation $+$ is not secure (discrete log is simply modular division), even though the two groups are isomorphic.
$endgroup$
– Myria
Jan 22 at 22:58
$begingroup$
@Myria Is the selection of the group critical for security or the selection of the modulus? For DHKE over $Z_p^*$ it would appear from the answer above that the critical factor is choosing a large enough prime so that the sqrt(p) is large enough to make brute forcing the DLP computationally infeasible?
$endgroup$
– JohnGalt
Jan 22 at 23:31
$begingroup$
@Myria Is the selection of the group critical for security or the selection of the modulus? For DHKE over $Z_p^*$ it would appear from the answer above that the critical factor is choosing a large enough prime so that the sqrt(p) is large enough to make brute forcing the DLP computationally infeasible?
$endgroup$
– JohnGalt
Jan 22 at 23:31
2
2
$begingroup$
@JohnGalt For $mathbb{Z}^*_p$, $p$ needs to be a prime such that $p-1$ has at least one large prime; optimally $p$ is a Sophie-Germain prime. Otherwise, the discrete logarithm is easy (Pohlig-Hellman with Baby-Step Giant-Step). But even with such a $p$, $mathbb{Z}^+_{p-1}$ is still insecure, despite being isometric to $mathbb{Z}^*_p$. Thus, you really need both the group representation and its modulus to be selected well.
$endgroup$
– Myria
Jan 23 at 0:21
$begingroup$
@JohnGalt For $mathbb{Z}^*_p$, $p$ needs to be a prime such that $p-1$ has at least one large prime; optimally $p$ is a Sophie-Germain prime. Otherwise, the discrete logarithm is easy (Pohlig-Hellman with Baby-Step Giant-Step). But even with such a $p$, $mathbb{Z}^+_{p-1}$ is still insecure, despite being isometric to $mathbb{Z}^*_p$. Thus, you really need both the group representation and its modulus to be selected well.
$endgroup$
– Myria
Jan 23 at 0:21
1
1
$begingroup$
@JohnGalt I was showing how the choice of group representation matters for security, not just the group order. So while choosing any group for DH will make the key exchange work, only some choices of representation and order are secure.
$endgroup$
– Myria
Jan 23 at 1:08
$begingroup$
@JohnGalt I was showing how the choice of group representation matters for security, not just the group order. So while choosing any group for DH will make the key exchange work, only some choices of representation and order are secure.
$endgroup$
– Myria
Jan 23 at 1:08
|
show 1 more comment
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66688%2fwhich-properties-of-a-group-are-used-in-the-steps-of-diffie-hellman%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown