16 citations found.
P. v Oorschot, M. J. Wiener, "On Diffie-Hellman Key Agreement With Short Exponents", Proc. Eurocrypt '96, LNCS 1070, Springer-Verlag, 1996.


This paper is cited in the following contexts:
Why Textbook ElGamal and RSA Encryption are Insecure.. - Boneh, Joux, Nguyen (2000)   (14 citations)

....work of both the second and the third results, provided an additional precomputation stage. It can optionally improve the time-memory trade-off. The third and fourth results assume that p − 1 contains a smooth factor: such a property was used in other attacks against discrete log schemes (see [2, 14] for instance). 1.2 Splitting probabilities for integers. Our attacks can be viewed as a meet-in-the-middle method based on the fact that a relatively small integer (e.g. a session key) can often be expressed as a product of much smaller integers. Note that recent attacks on padding RSA ....

P. v Oorschot, M. J. Wiener, "On Diffie-Hellman Key Agreement With Short Exponents", Proc. Eurocrypt '96, LNCS 1070, Springer-Verlag, 1996.


Fair Encryption of RSA Keys - Poupard, Stern (2000)   (12 citations)

....to the previous proof. The commitment can be replaced by its hash value as described in [14] and it can be precomputed in order to reduce the on-line computation to a very simple non-modular arithmetic operation. We can also reduce the size of the secret key x to about 160 bits as explained in [26]. Finally, this proof can be made non-interactive in order to obtain a very short certificate of fair encryption. Comparison with previous proposals. At first sight, the key recovery procedure based on lattice reduction might seem overly intricate. We explain why a simple decryption of Γ (as ....

P. C. van Oorschot and M. J. Wiener. On Diffie-Hellman Key Agreement with Short Exponents. In Eurocrypt '96, LNCS 1070, pages 332--343. Springer-Verlag, 1996.


A Key Recovery Attack on Discrete Log-based Schemes Using a.. - Lim, Lee (1997)   (36 citations)

....of width w in time O(√w). Thus, both methods have similar square root running time for a given size of an unknown exponent. In particular, the lambda method is very useful for computing a logarithm in a prime order subgroup when part of the logarithm is known. See van Oorschot and Wiener [40] for detailed explanations on the combined use of these methods, together with a Pohlig-Hellman decomposition, to speed up computing a complete logarithm. The Attacking Scenario: In this paper we pay our attention to DL-based schemes using a prime order subgroup. Thus, as is usual, we assume ....

....of ElGamal signatures and undeniable signatures. Our attack was possible in all these schemes, since the involved parties do not check relevant protocol variables. Though there are several papers pointing out the importance of checking public parameters and protocol variables (e.g. see [4, 41, 1, 40, 2]) in DH key exchange and digital signature schemes, no literature addresses such an explicit attack revealing the involved secret. Our attack may find the whole secret key in many cases. Related Work : Previous work most relevant to our attack is the middleperson attack on the original ....

[Article contains additional citation context not shown here]

P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp. 332-343.


A New Public-Key Cryptosystem - Naccache, Stern (1997)   (14 citations)

....computation of the v list public but result in a standard RSA with a particular message format. Although we see no immediate objection to restrict s to 160 bits, we recommend to avoid doing so before a reasonable scrutiny period (in particular, using a short s with a composite p seems related to [24, 23]) and enforce, in general, the following recommendations: • As for any block cipher, too short messages ( 64 bits) should not be encrypted, unless concatenated to an appropriate randomiser [6]. • As for RSA and DSA [9], correct implementation must hide the correlation between processing ....

P. van Oorschot & M. Wiener, On Diffie-Hellman key agreement with short exponents, LNCS, Advances in Cryptology, Proceedings of Eurocrypt'96, Springer-Verlag, pp. 332--343, 1996.


Authenticated Multi-Party Key Agreement - Just, Vaudenay (1996)   (40 citations)

....applications where customers do not always protect their key sufficiently. As we shall see, this definition has been misinterpreted in the past. Our protocols rely on the apparent difficulty of solving the well-known Diffie-Hellman (DH) problem [10] for appropriately chosen parameters [24]. The traditional DH problem is stated as follows. Given a generator α for a group ℤ_m and inputs y = α^x and y′ = α^{x′}, compute (we omit reference to m for simplicity) DH(α, y, y′) = α^{xx′}. Likewise, for long-term public parameters p_A = α^{s_A} and p_B = α^{s_B}, we ....

P. van Oorschot, M. Wiener, "On Diffie-Hellman Key Agreement with Short Exponents", to appear in Advances in Cryptology: Proceedings of Eurocrypt '96, Springer-Verlag.


Digital Signature and Public Key Cryptosystem in a Prime Order.. - Boyd (1997)   (5 citations)

....is required. One way of decreasing the computational requirement of the ElGamal system is to use short exponents (say of 160 bits) in the exponentiation. Van Oorschot and Wiener have discussed the issue of using such short exponents in the related Diffie-Hellman key exchange protocol [10]. They recommend that if small exponents are used the protocol should be set in a group of prime order and in this event they see no way to attack the protocol. A group of prime order can be constructed to lie inside the integers modulo p in a standard way by suitable selection of p. Let us ....

....of the three algorithms using the well-known square-and-multiply algorithm. Two versions are given for ElGamal; one is the original algorithm and the other is a variation where small exponents of length 160 bits are used. When short exponents are used the modulus must be chosen carefully [10]. The figures neglect the public exponent in RSA and the generator in ElGamal, both of which may be chosen to be small. It can be seen that the new algorithm lies between the other two and is better than RSA for decryption and better [table residue: columns RSA, ElGamal, ElGamal with Short Exponents, Proposed; first row Encryption] ....

P. van Oorschot and M. Wiener, "On Diffie-Hellman Key Agreement with Short Exponents", Advances in Cryptology - Eurocrypt '96, Springer-Verlag, 1996, pp. 332-343.


Generating Efficient Primes for Discrete Log Cryptosystems - Lim, Lee

....will be more substantial. Modular reduction can be done in roughly two thirds of the time needed for normal multiplication. 4 Generating More Robust Primes. It is often recommended to use a safe prime, i.e. a prime of the form p = 2q + 1 with q prime, for several security reasons (e.g. see [20]) when using discrete logarithms over the full multiplicative group ℤ_p^* as in the original ElGamal scheme. We argue that even in the system working over a prime order subgroup, using primes of the form p = 2p_1 q + 1 (p_1, q both prime) is more robust against potential failure in discrete log ....

....it is easy to compute x_i = x mod p_i since p_i is small. Thus |p_i| bits of x can be extracted from each attack with different p_i. These partial secrets can be combined using the Chinese remainder theorem and then the remaining part of the secret key can be found from the public key (see also [20] for related topics). Of course, well-designed protocols would not allow such attacks. However, these kinds of oracle attacks can be a real threat in some cases, for example in the case of careless use or poor implementation. Therefore, it would be better to take a proper precaution against such ....

P.C.van Oorschot and M.J.Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology-Eurocrypt'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343.


On Provable Security for Digital Signature Algorithms - Pointcheval, Vaudenay (1996)   (2 citations)

....the ElGamal signature scheme [16]. There are two main differences between them. Firstly, the change from p − 1 itself to a prime factor q of p − 1, which was originally due to Schnorr [35, 36]. This fixes some weaknesses later on discovered by Bleichenbacher [8], van Oorschot and Wiener [26] and also discussed by Anderson and Vaudenay [4]. Secondly, the use of the hash function mod q (also used by Schnorr in another way) in order to reduce the length of the signature. We have just seen that replacing mod q by a random oracle enables to prove the security. In another variant, we ....

P. C. van Oorschot, M. J. Wiener. On Diffie-Hellman key agreement with short exponents. In Advances in Cryptology - EUROCRYPT'96, Zaragoza, Spain, Lecture Notes in Computer Science 1070, pp. 332--343, Springer-Verlag, 1996.


A Study on the Proposed Korean Digital Signature Algorithm - Lim, Lee (1998)   (1 citation)

....can be assured that KCDSA will be secure provided that the hash function used has no weakness. 4.2 Security against Parameter Manipulation. There have been published a lot of weaknesses in the design of discrete log-based schemes due to the use of unsafe parameters (later shown insecure) (e.g. see [12,2,1,18,8]). Note that generating public parameters at random so that they do not have any specific structure is very important for security, even with a provably secure scheme (compare the results from [2] and [13]; see also [17]). KCDSA is designed to be secure against all these potential weaknesses. The ....

P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp. 332-343.


An Efficient Protocol for Authenticated Key Agreement - Law, Menezes, Qu, Solinas, .. (1998)   (11 citations)

....discussed by Diffie, van Oorschot and Wiener [15], Burmester [11], Just and Vaudenay [20] and Lim and Lee [22]. 4.1 Small subgroup attack. The small subgroup attack was first pointed out by Vanstone [26]; see also van Oorschot and Wiener [36], Anderson and Vaudenay [1] and Lim and Lee [22]. The attack illustrates that authenticating and validating the static and ephemeral keys is a prudent, and sometimes essential, measure to take in Diffie-Hellman AK protocols. We illustrate the small subgroup attack on the MTI/C0 protocol. The ....

P. van Oorschot and M. Wiener, "On Diffie-Hellman key agreement with short exponents ", Advances in Cryptology -- Eurocrypt '96, Lecture Notes in Computer Science, 1070, Springer-Verlag, 1996, 332-343.


Minding Your P's and Q's - Anderson, Vaudenay (1996)   (39 citations)

....it is easy. The effect is that keys can be recovered modulo w. An attacker can solve the equation (g^q)^z ≡ y^q (mod p) in the group of order w, giving x modulo w, and then derive every message key k modulo w from equation (2). This was originally pointed out by van Oorschot and Wiener [32]; and also by Anderson, Vaudenay, Preneel and Nyberg in the context of subliminal channels, where the effect is to create one or more broadband covert channels [6]. However, there are serious practical security implications as well. In order to generate the message keys k for successive ....

....g^{aq} and g^b with g^{bq}. In this way, the exchange is forced into the smooth subgroup of ℤ_p^*; he can then compute the discrete logarithm of g^{aq} mod p to the base g^q and apply it to g^{bq} mod p, getting the shared key g^{abq}. This attack was discovered by van Oorschot and Wiener [32]; for more discussion on key agreement protocols, see Just and Vaudenay [18]. 3.2 Attacks on elliptic curve systems. Other variants on Diffie-Hellman use elliptic curves. A typical system uses curves of order 4p, where p is prime [30]; in this case, an attacker can use the above techniques to force ....

P. van Oorschot, M. J. Wiener, "On Diffie-Hellman key agreement with short exponents", in Advances in Cryptology - Eurocrypt '96, Springer LNCS vol. 1070, pp. 332--343.


Cryptanalysis in Prime Order Subgroups of - Mao, Lim (1998)

.... 3(p − 1) 2p p q kr. So the order of u (greatly) exceeds kr, and this means that in the transformation from (9)-(11) to (14) the quantity k will not be reduced modulo ord_n(u). A straightforward way to solve equation (14) is to use Shanks' baby-step giant-step method (e.g. see [18, 5]). It requires O(2^{|k|/2}) = O(2^{(|pq| − |r|)/2}) (15) steps of group computation (multiplication modulo n) and the same order of memory. This is a much lower time complexity than that in (12), as it is the positive square root of (12).¹ However, since space is usually more expensive ....

....of (12).¹ However, since space is usually more expensive than time, the large space needed makes this method likely to be infeasible for k with critical sizes. Fortunately there are two memoryless variants of Shanks' method due to Pollard: the rho method and the lambda method [14] (see also [18]). Both methods have the same square root running time, but the space requirement is negligible. Pollard's rho method requires explicit knowledge of the order of the underlying group (i.e. the order of w in (14)), so it can't be used for our purpose. However, the lambda method works even if the ....

Van Oorschot, P.C. and M.J. Wiener, On Diffie-Hellman key agreement with short exponents, Advances in Cryptology-EUROCRYPT'96 (LNCS 1070), pages 332--


Authenticated Multi-Party Key Agreement - Just, Vaudenay (1996)   (40 citations)

....well as our own, and examines attacks against each. 1.1 Definitions and Notations. Let m be a prime and α ∈ ℤ_m an element with order q, where q is a prime such that q | m − 1 and computing discrete logarithms in the group generated by α is difficult (see recommended parameters given in [19]). All operations in this paper will take place in ℤ_m, unless otherwise noted. We will be working in a network of n users, t of which participate in the key agreement protocol. Each user U has a long-term public key p_U = α^{s_U} for a random secret key s_U ∈_R ℤ_q. We use I_U to refer ....

P. van Oorschot, M. Wiener, "On Diffie-Hellman Key Agreement with Short Exponents", Advances in Cryptology: Proceedings of Eurocrypt '96, Springer-Verlag, 1996, pp. 332-343.


Strong Password-Only Authenticated Key Exchange - Jablon (1996)   (66 citations)

....These methods must prove to each of two parties that the other knows the password. At the same time, we generate a session key for securing a subsequent authenticated session between the parties using the password. The desirability for integrated key exchange in authentication is discussed in [vOW96]. The basic idea is that separating the steps of authentication and key exchange creates opportunities for an attacker in the middle. Strong key exchange requires the participation of both parties, and should be an integral part of the process. The characteristic of no persistent recorded data ....

....as is discussed in 4.4. 4 Analysis of SPEKE and DH-EKE. In the original paper on EKE [BM92] there is some analysis of DH-EKE. Further work and refinement of EKE is presented in [STW95]. [Jas96] provides further details on a required constraint in the proper selection of the modulus p. [vOW96] describes a refinement in computing discrete logs, and discusses the selection of the parameters for general DH-based authentication, especially with regard to using short exponents. Results from these papers that are relevant to SPEKE are summarized here, along with new observations about ....

[Article contains additional citation context not shown here]

P. C. van Oorschot, M. J. Wiener, "On Diffie-Hellman Key Agreement with Short Exponents", Proceedings of Eurocrypt '96, Springer-Verlag, May 1996.


A Key Recovery Attack on Discrete Log-based Schemes Using a.. - Lim, Lee (1997)   (36 citations)

....w in time O(√w). Thus, both methods have similar square root running time for a given size of an unknown exponent. In particular, the lambda method is very useful for computing a logarithm in a prime order subgroup when part of the logarithm is known. For details, see van Oorschot and Wiener [41]. The Attacking Scenario: In this paper we pay our attention to DL-based schemes using a prime order subgroup. Thus, as is usual, we assume that a prime p is chosen at random such that p − 1 has a large prime factor q. Let g be an element of order q and ord(β) denote the order of β mod p. ....

....of ElGamal signatures and undeniable signatures. Our attack was possible in all these schemes, since the involved parties do not check relevant protocol variables. Though there are several papers pointing out the importance of checking public parameters and protocol variables (e.g. see [4,42,1,41,2]) in DH key exchange and digital signature schemes, no literature addresses such an explicit attack revealing the involved secret. Our attack may find the whole secret key in many cases. Related Work : Previous work most relevant to our attack is the middleperson attack on the original ....

[Article contains additional citation context not shown here]

P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key agreement with short exponents, In Advances in Cryptology - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp. 332-343.


CiteSeer.IST - Copyright Penn State and NEC