13 citations found.
P. C. van Oorschot and M. J. Wiener. On Diffie-Hellman Key Agreement with Short Exponents. In Eurocrypt '96, LNCS 1070, pages 332--343. Springer-Verlag, Berlin, 1996.


This paper is cited in the following contexts:
Pseudo-Random Number Generation on the - Ibm Secure Crypto

.... $p - 1$ is known, then the running time of these algorithms can be improved by using the Pohlig-Hellman decomposition [8]. This is done by reducing the original discrete log problem into several smaller problems (one for each distinct prime factor in $p - 1$). Van Oorschot and Wiener in [12] present a new method of combining the Pollard lambda method with a partial Pohlig-Hellman decomposition. Their end result is that for random primes, using short exponents is not secure. However their attack can be avoided by restricting the moduli to be safe primes p (i.e. such that $(p - 1)/2$ ....

P.C. van Oorschot and M. Wiener. On Diffie-Hellman Key Agreement with Short Exponents. EUROCRYPT'96, LNCS 1070, pp.332--343, 1996.


GPS - An Asymmetric Identification Scheme for on.. - Baudron, Boudot..

....of Ti. Choice of . The size of S is conditioned by the complexity of discrete logarithms algorithms such as the Pollard lambda method which enables to compute s in O(v ) operations. Furthermore, van Oorschot and Wiener have shown that this method can still be improved; we refer the reader to [29] for a precise analysis. We just notice that we should take |S| greater than 140 bits and preferably |S| 180. Choice of B. The choice of the size of B is related to the probability of impersonation of an adversary. The expected security depends on the application and |B| 32 (6 = 1) would ....

P. C. van Oorschot and M. J. Wiener. On Diffie-Hellman Key Agreement with Short Exponents. In Eurocrypt '96, LNCS 1070, pages 332--343. Springer-Verlag, 1996.


Security Issues in the Diffie-Hellman Key Agreement Protocol - Raymond, Stiglic

....M Uf 8:8 8 : 1 (where the A s are all large primes) satisfy this property. Remember that the order of any subgroup will divide M W , i.e. the order of J K L . 3.3 Attacks Based on Composite Order Subgroups The attacker can exploit subgroups that do not have large prime order [51]. This is best illustrated by an example. Suppose Alice and Bob choose a prime M U R , where q is prime, and a generator of order M W c U . Oscar can intercept the messages h and BY and exponentiate them by . He will replace h by hV and BY by BYV . The secret ....

....for moderate security and at least 2048 bits for anything that should remain secure for a decade. Note however that these values are controversial (see section 7.1). 3.6 Attacks on Prime Order Subgroups In [36] an attack on prime order subgroups is presented (a slight extension of the ideas of [51]). The attack can be mounted if the protocol does not satisfy the sixth robustness principle of [3] which states: Do not assume that a message you receive has a particular form unless you can check this. The idea is that if we can get a participant with a secret key e to use an arbitrary group ....

[Article contains additional citation context not shown here]

VAN OORSCHOT, P. C., AND WIENER, M. J. On Diffie-Hellman key agreement with short exponents. In Advances in Cryptology -- EUROCRYPT '96 (1996), U. Maurer, Ed., Lecture Notes in Computer Science, Springer-Verlag, Berlin Germany, pp. 332--343.


Authentication and Key Agreement via Memorable Password - Kwon (2000)   (3 citations)

....$g^x \in Z_p$, find the integer $x \in [0, p - 2]$. The other is Diffie-Hellman Problem; given a prime p, a generator g of a multiplicative group $Z_p$, and elements $g^x \in Z_p$ and $g^y \in Z_p$, find $g^{xy} \in Z_p$. These two problems hold their properties in a prime order subgroup [30, 28]. We assume that all numerical operations of the protocol are on the cyclic group where it is hard to solve these problems. We consider the multiplicative group $Z_p$ and actually use its prime order subgroup $Z_q$. We should use its main operation, a modular multiplication, for easy ....

....multiplication, for easy generalization. For the purpose, Bob chooses g that generates a prime order subgroup $Z_q$ where p = qr 1. Note that a prime q must be sufficiently large ( l(k) to resist Pohlig-Hellman decomposition and various index calculus methods but can be much smaller than p [30, 32, 33]. It is easy to make g by $\alpha^{(p-1)/q}$ where $\alpha$ generates $Z_p$. $Z_q$ is preferred for efficiency and for preventing a small subgroup confinement more effectively. By confining all exponentiation to the large prime order subgroup through g of $Z_q$, each party of the protocol is able to ....

[Article contains additional citation context not shown here]

P. van Oorschot and M. Wiener, "On Diffie-Hellman key agreement with short exponents," EUROCRYPT 96, pp. 332-343, 1996


Dual-workfactor Encrypted Key Exchange: Efficiently.. - Barry Jaspan.. (1996)   (2 citations)

....a discussion of Diffie-Hellman parameter selection. Familiarity with the discrete logarithm problem and Kerberos is assumed. 4.1 Properties of m and q Any modulus selected must conform to all the normal requirements for a good prime for the discrete logarithm problem. The current literature [15, 26] recommends using safe primes for which both m and $(m - 1)/2$ are prime. These primes are time consuming to find but, as described below, can be computed off line. PA ENC DH imposes the additional requirement on m that it not provide an attacker any information that can be used to validate a ....

....of the addition or because the guessed password is wrong and so gains no information. about 10 , which seems reasonable. Consequently, m should be chosen so that its first 14 bits are all 1. 3 If the modulus m is a safe prime, the generator q can be 2; the provides an additional speed advantage [26]. 4.2 Generation of exponents The most recent work on how long Diffie-Hellman exponents need to be in order to provide sufficient security [26] confirms the widely held opinion that the exponents should be twice as long as the symmetric key that will be derived from the exponentially exchanged ....

[Article contains additional citation context not shown here]

P. C. van Oorschot and M. J. Wiener. On Diffie-Hellman key agreement with short exponents. In Proceedings of Eurocrypt '96 (to appear) . Springer-Verlag, 1996.


The Diffie-Hellman Protocol - Maurer, Wolf (1999)   (1 citation)

....secret keys can be used for the same security level. Menezes et al. [40] have shown that the DL problem in a supersingular elliptic curve over a finite field can be efficiently reduced to the same problem in the multiplicative group of an extension field of small degree. Van Oorschot and Wiener [45] have studied the risk of choosing short exponents in the DH protocol. They presented a combination of Pollard's lambda method and the Pohlig-Hellman decomposition. Pollard's lambda method [48] allows to find a discrete logarithm that is known to lie in a fixed interval [A; B] of length w = B ....

P. C. van Oorschot and M. Wiener, On Diffie-Hellman key agreement with short exponents, Advances in Cryptology - EUROCRYPT '96, Lecture Notes in Computer Science, Vol. 1070, pp. 332--343, Springer-Verlag, 1996.


An Improved Pseudo-Random Generator Based on the Discrete.. - Gennaro (2000)   (12 citations)

....multiplication. Different tradeoffs between memory and efficiency can be obtained. 1.2 Editorial Note This paper is a revised version of [7]. In that version, no mention was made of a new attack on the discrete log problem with short exponents which was discovered by Van Oorschot and Wiener in [22]. In order to avoid their attack it is necessary to restrict the class of prime moduli to safe primes (i.e. primes p such that $(p - 1)/2$ is also a prime). This was not required in [7] and we correct it in this version. See Section 2.3 for the technical details. 2 Preliminaries In this section ....

.... $p - 1$ is known, then the running time of these algorithms can be improved by using the Pohlig-Hellman decomposition [19]. This is done by reducing the original discrete log problem into several smaller problems (one for each distinct prime factor in $p - 1$). Van Oorschot and Wiener in [22] present a new method of combining the Pollard lambda method with a partial Pohlig-Hellman decomposition. Their end result is that for random primes, using short exponents is not secure. However their attack can be avoided by restricting the moduli to be safe primes p (i.e. such that $(p - 1)/2$ ....

[Article contains additional citation context not shown here]

P.C. van Oorschot and M. Wiener. On Diffie-Hellman Key Agreement with Short Exponents. EUROCRYPT'96, LNCS 1070, pp.332--343, 1996.


Shared Generation of Shared RSA Keys - Blackburn, C, Burmester, Galbraith (1998)   (11 citations)

....therefore seems that the protocol proposed in secure against eavesdropping adversaries provided the discrete logarithm problem is hard and the RSA problem is hard. Note that it is required that the discrete logarithm problem is hard for logarithms within certain ranges: see van Oorschot and Wiener [21] for a discussion of this problem. Is the Protocol Secure against Malicious Adversaries The crucial point here is that the proofs and checks performed during the protocol essentially force Alice and Bob to behave honestly. There are two exceptions: there is no check that either party has ....

P.C. van Oorschot and M.J. Wiener. On Diffie-Hellman key agreement with short exponents. In U.M. Maurer, editor, Advances in Cryptology -- EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science, pages 332--343, Springer-Verlag, 1996.


Extended Password Key Exchange Protocols Immune to Dictionary.. - Jablon (1997)   (22 citations)

...., from several hundred bits to a thousand or two. For elliptic curve groups, it seems reasonable to allow the field size to be much smaller, due to the apparently increased difficulty of computing discrete logs [P1363]. There is also the issue of using short DH exponents, which has been covered in [vOW96, Jab96]. a dictionary attack is possible by an eavesdropper who could use knowledge of all possible values for K 2 to determine K 1 , and decrypt the resulting session. Thus the proof function P must combine both K 1 and K 2 to preserve the following information hiding properties: knowledge of ....

P. van Oorschot, M. Wiener, "On Diffie-Hellman Key Agreement with Short Exponents", Proceedings of Eurocrypt '96, Springer-Verlag LNCS, May 1996.


Design Validations for Discrete Logarithm Based Signature.. - Ernest Brickell David (2000)   (12 citations)

No context found.

P. C. van Oorschot and M. J. Wiener. On Diffie-Hellman Key Agreement with Short Exponents. In Eurocrypt '96, LNCS 1070, pages 332--343. Springer-Verlag, Berlin, 1996.


CiteSeer.IST - Copyright Penn State and NEC