3

Why is Diffie-Hellman defined on a cyclic group? Doesn't it work for any commutative operation for which the inverse is hard to find?

Say Alice and Bob agree on a public prime $c$ and both choose a secret prime, $a$ and $b$ respectively.

Alice sends $ac$ to Bob and Bob $bc$ to Alice.

Alice then multiplies $a$ with Bob's message $bc$, yielding $abc$. Bob then multiplies $b$ with Alice's message $ac$, yielding $bac$,

which are the same due to commutativity and associativity. Hence they now share a common secret $abc$.

It is hard for Eve to factorize $ac$ and $bc$ into their original primes $a,b,c$, and Eve hasn't got enough information to construct $abc$, so why isn't this a valid Diffie-Hellman key exchange?

CodesInChaos
arian
  • 1
    Eve divides $ac$ by $c$. – yyyyyyy May 07 '15 at 08:48
  • Or multiplies like this: $(ac)\cdot(bc)/(c)$ to get the shared "secret" – tylo May 07 '15 at 08:49
  • 1
    @yyyyyyy: "the inverse is hard to find"; that implies that the "division problem", that is, given $b$ and $a$, find $c$ such that $a \times c = b$, is hard. – poncho May 07 '15 at 11:28
  • @poncho From the notation up there and the lack of definition of the group, you could assume that to be $\mathbb{Z}$ or a subgroup of that and consider the factorization problem as hard - which is only true if you don't publish one of the factors previously. And in that case division is easy. Regarding the question: If you go with the standard DH notation ($g^a,g^b,g^{ab}$) and base the chosen elements on a single generating element $g$, you operate on a cyclic group if it is finite. If there are multiple generating elements, you either have a problem with soundness or end up with standard DH. – tylo May 07 '15 at 12:46
  • @tylo: yeah, we read the problem differently; I interpreted the operation $ab$ as "some unspecified operator that meets the requirements of commutativity and uninvertibility"; you interpreted it (as he talked about secret primes) as the standard multiplication operator over the integers (which, as you pointed out, doesn't meet his uninvertibility requirements). – poncho May 07 '15 at 13:15

2 Answers

3

Diffie-Hellman operates in a cyclic group by definition: the elements $g, g^a, g^b, g^{ab}$ are in the cyclic group generated by $g$. Technically, a monoid is sufficient, but since cryptography mostly operates in finite structures, you get a group anyway.

In your example, you operate in the cyclic group $c\mathbf{Z}$, and as you were told in the comments, Diffie-Hellman is not secure in this group because an attacker knows $c$ and $ac$, and can thus obtain $a$, and from $a$ and $bc$ can obtain the secret $abc$.

fkraiem
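
The point made in the comments and in the answer above, as an added example that is not part of the original posts: the question's integer scheme falls to one exact division, while the same multiply-then-divide step in the cyclic group generated by $g$ modulo $p$ yields $g^{a+b-1}$ instead of $g^{ab}$. The function names and the toy values (primes 101, 103, 107; $p = 23$, $g = 5$) are constructed for illustration and are far too small for real use.

```python
# Added illustration; every name and number here is constructed, not from the posts.

def integer_exchange(a, b, c):
    """The question's scheme over the integers: public c, secrets a and b."""
    msg_a, msg_b = a * c, b * c          # values sent in the clear
    shared = a * msg_b                   # Alice computes a*(bc) = abc
    assert shared == b * msg_a           # Bob computes b*(ac), the same value
    return msg_a, msg_b, shared

def eve_integer(msg_a, msg_b, c):
    """Eve's computation from the comments: (ac)*(bc)/c, public values only."""
    product = msg_a * msg_b
    assert product % c == 0              # division over Z is exact and cheap
    return product // c

def modexp_exchange(a, b, g, p):
    """Standard Diffie-Hellman in the cyclic group generated by g modulo p."""
    msg_a, msg_b = pow(g, a, p), pow(g, b, p)
    shared = pow(msg_b, a, p)            # Alice: (g^b)^a
    assert shared == pow(msg_a, b, p)    # Bob:   (g^a)^b
    return msg_a, msg_b, shared

def eve_same_trick_mod_p(msg_a, msg_b, g, p):
    """Multiply the messages and divide by g: gives g^(a+b-1), not g^(ab)."""
    return msg_a * msg_b * pow(g, -1, p) % p   # pow(g, -1, p) needs Python 3.8+

def demo():
    # Integer scheme with constructed primes c=101, a=103, b=107.
    ma, mb, secret = integer_exchange(103, 107, 101)
    recovered = eve_integer(ma, mb, 101)
    # Modular scheme with constructed toy parameters p=23, g=5, a=6, b=15.
    ga, gb, dh_secret = modexp_exchange(6, 15, 5, 23)
    guess = eve_same_trick_mod_p(ga, gb, 5, 23)
    return secret, recovered, dh_secret, guess

if __name__ == "__main__":
    secret, recovered, dh_secret, guess = demo()
    print("integers: secret", secret, "Eve recovers", recovered)
    print("mod p:    secret", dh_secret, "Eve's trick gives", guess)
```

In the toy modular group Eve could still search all exponents; the difference shown is only that the division shortcut no longer produces the shared value.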
2

Why is diffie-hellman defined on a cyclic group[0]? Doesn't it work for any commutative operation which the inverse is hard to find?

No, you need associativity as well; once you have that, your idea would work fine, once we find a semigroup (that's what we call sets with an operator that is associative) with the appropriate properties.

That's the sticky point - what is an appropriate semigroup? Do you have any suggestions?

poncho