Online Cryptography Course
Dan Boneh

Basic key exchange: The Diffie-Hellman protocol

Key exchange without an online TTP?

Goal: Alice and Bob want shared secret, unknown to eavesdropper
• For now: security against eavesdropping only (no tampering)

(Diagram: Alice, Bob, eavesdropper ??)

Can this be done with an exponential gap?

The Diffie-Hellman protocol (informally)

Fix a large prime $p$ (e.g. 600 digits)
Fix an integer $g$ in $\{1, \dots, p\}$

Alice: choose random $a$ in $\{1, \dots, p-1\}$
Bob: choose random $b$ in $\{1, \dots, p-1\}$

$B^a \pmod p = (g^b)^a = k_{AB} = g^{ab} \pmod p = (g^a)^b = A^b \pmod p$

Security (much more on this later)

Eavesdropper sees: $p$, $g$, $A = g^a \pmod p$, and $B = g^b \pmod p$
Can she compute $g^{ab} \pmod p$ ??

More generally: define $DH_g(g^a, g^b) = g^{ab} \pmod p$
How hard is the DH function mod p?

How hard is the DH function mod p?

Suppose prime $p$ is $n$ bits long
Best known algorithm (GNFS): run time exp( )

cipher key size      modulus size      Elliptic Curve size
80 bits              1024 bits         160 bits
128 bits             3072 bits         256 bits
256 bits (AES)       15360 bits        512 bits

As a result: slow transition away from (mod p) to elliptic curves

Elliptic curve Diffie-Hellman

Insecure against man-in-the-middle

As described, the protocol is insecure against active attacks

(Diagram: Alice, MiTM, Bob)

Another look at DH

(Diagram: Facebook holds $g^a$, $g^b$, $g^c$, $g^d$, ⋯ posted by Alice ($a$), Bob ($b$), Charlie ($c$), David ($d$). Alice and Charlie each compute $K_{AC} = g^{ac}$.)

An open problem

(Diagram: Facebook holds $g^a$, $g^b$, $g^c$, $g^d$, ⋯ posted by Alice ($a$), Bob ($b$), Charlie ($c$), David ($d$). Each of the four computes $K_{ABCD}$.)

End of Segment
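
The protocol above, worked through as an added example (not from the original slides): the honest exchange, the "Another look at DH" public board, and the case where both public values are replaced in transit. The modulus 2^127 - 1, the base 3, and all function names are assumptions chosen for this demo; the modulus is far smaller than the 600-digit prime the slides call for.

```python
import secrets

# Assumptions for this demo only: P = 2**127 - 1 is a known Mersenne prime, far
# smaller than the 600-digit prime on the slides, and G = 3 is an arbitrary base.
P = 2**127 - 1
G = 3

def keygen():
    """Pick a random secret x in {1,...,p-1}; return (x, g^x mod p)."""
    x = secrets.randbelow(P - 1) + 1
    return x, pow(G, x, P)

def shared(secret, other_public):
    """(g^b)^a = g^ab (mod p): raise the peer's public value to our secret."""
    return pow(other_public, secret, P)

def honest_exchange():
    """Alice and Bob over a channel that is only eavesdropped on."""
    a, A = keygen()
    b, B = keygen()
    return shared(a, B), shared(b, A)          # B^a and A^b

def board_exchange():
    """'Another look at DH': everyone posts g^x once; pairs derive keys offline."""
    users = {name: keygen() for name in ("Alice", "Bob", "Charlie", "David")}
    board = {name: pub for name, (_, pub) in users.items()}   # public values only
    k_ac_alice = shared(users["Alice"][0], board["Charlie"])
    k_ac_charlie = shared(users["Charlie"][0], board["Alice"])
    return k_ac_alice, k_ac_charlie

def tampered_exchange():
    """Both public values are replaced in transit by M = g^m (no authentication)."""
    a, A = keygen()
    b, B = keygen()
    m, M = keygen()
    k_alice, k_bob = shared(a, M), shared(b, M)    # each side received M
    k_mid_alice, k_mid_bob = shared(m, A), shared(m, B)
    return k_alice, k_bob, k_mid_alice, k_mid_bob

if __name__ == "__main__":
    ka, kb = honest_exchange()
    print("honest exchange, keys match:", ka == kb)
    print("board, K_AC matches:", len(set(board_exchange())) == 1)
    k_alice, k_bob, k_ma, k_mb = tampered_exchange()
    print("tampered, Alice and Bob agree:", k_alice == k_bob)
    print("tampered, middle holds both keys:", (k_alice, k_bob) == (k_ma, k_mb))
```

Nothing in the exchanged values tells Alice or Bob that a substitution happened, which is why the slides limit the security claim to eavesdropping only.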