
What is the correct way, if any, to do Multi-Prime DH?

From a security point of view, is there any benefit to doing it?

Multi-Prime is not about multi participants.

Multi-prime is when we use two or more prime numbers and multiply them to get the modulus part in DH.

It is faster to find four 4096-bit safe primes and multiply them than to find a single 16384-bit safe prime.

The question is whether multi-prime will yield a valid and secure key exchange procedure, and if so, what the procedure would be to get a good g and p.

Mendi Barel
  • https://crypto.stackexchange.com/q/72207/18298 2 https://crypto.stackexchange.com/q/1025/18298 – kelalaka Jan 30 '21 at 22:30
  • What's multi-prime DH? – Myath Jan 30 '21 at 22:32
  • One possible reading is doing authenticated Diffie-Hellman in a traditional group (like $\mathbb Z_p^*$ for some public prime in RFC 3526, or an Elliptic Curve in SEC2) using RSA signature as the authentication mean, with multiprime RSA in that signature step only. Would that count, or do you want a (multiprime) composite involved in the DH step itself, which would be an oddity? – fgrieu Jan 30 '21 at 22:59
  • Multi-prime is when we use p1p2p3.... instead of p (or q), like in Multi-Prime RSA. The idea is that it is easy to find four 4096-bit safe primes and multiply them, instead of the hard task of finding a single 16384-bit safe prime. – Mendi Barel Jan 31 '21 at 00:54
  • It is not overly costly to find 16384-bit safe primes $p$. We expect to find them at a rate of one per 11 million integers with $p\bmod12=11$. We can sieve any arithmetic progression of such integers against small primes starting with $5$ as in Eratosthenes, then screen candidates by e.g. Fermat test $2^p\bmod p=2$, then $(p-1)/2$ prime, then $p$ prime. See this question. – fgrieu Jan 31 '21 at 07:13

1 Answer


By Multi-Prime DH, I assume you mean something analogous to Multi-Prime RSA.

In Multi-Prime RSA, we pick a modulus with three (or more) prime factors; because the holder of the private key knows the factorization, he can compute (using the CRT optimization) using smaller prime moduli (and smaller exponents), yielding a moderate speed-up.

Given that that is what Multi-Prime RSA is, what would Multi-Prime DH be? I assume that it is one where we pick a modulus with two (or more) prime factors. If we know the prime factors, then we can use the CRT optimization (similar to how it works in RSA) to get a two-fold speed-up in the DH operations (assuming two prime factors).

So, if that's the benefit, what's the downside? Well, if the attacker learns the factorization, he can use it to attack each prime factor of the modulus individually; this would yield a significant improvement in his expected effort.

So, what do we conclude? Well, this would be a moderate optimization (factor of 2) for one side (we can't assume both sides know the factorization), at the risk that the adversary learns it (in which case it drastically reduces the security level).

Hence, I cannot recommend it.


Update: on reconsideration, I do see one scenario where it might make some sense: if you are generating ephemeral Diffie-Hellman groups (which is quite unusual; however, I have run into knowledgeable people who have advocated for it). In that case, searching for (say) two 2048-bit primes is much simpler than searching for a single 4096-bit prime. In addition, in that case, we wouldn't have to worry about whether $p-1$ has small factors (because the corresponding quantity is $\phi(n)$, which the adversary wouldn't know). The security of the system would rely on the difficulty of factoring $n$ (as that factorization process would dominate the time taken by the discrete log problem modulo the smaller primes). Hence, in this corner case, it would make some sense.

poncho
  • I can imagine hand-waving arguments that "the security of the system would rely on the difficulty of factoring $n$"; but a proof eludes me. – fgrieu Jan 30 '21 at 23:29
  • @fgrieu: well, the best attack is "factor $n$, and then solve the DH problem modulo the smaller primes"; the second part of the attack is strictly easier, hence the difficulty of the attack is with the first part – poncho Jan 31 '21 at 04:02
  • What about "p=q1q2...qn +1" ? (instead of p=q*r +1) – Mendi Barel Jan 31 '21 at 10:31
  • I mean p=2q1q2q3...qn +1 or p=q1q2q3..*qn +2 – Mendi Barel Jan 31 '21 at 11:30
  • @MendiBarel: if $p = 2q_1q_2... q_n + 1$, what is the order of the generator you use? If it's $q_1 * q_2 * ... * q_n$, then if one of the $q_i$ is small, the attacker can compute from $g^x$ the value $x \bmod q_i$. In any case, there wouldn't appear to be any performance advantage; without that, and without a practical advantage, I don't see the reason.... – poncho Jan 31 '21 at 22:54
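As an added example (not code from the question or the answer), the CRT optimization the answer describes: DH over a composite modulus n = p*q where only one party knows the factorization and does two half-size exponentiations, while the other does one full-size one. The primes and generator are constructed toy values so the script runs instantly; they are not secure parameters.

```python
# Added example: Diffie-Hellman over n = p*q with a CRT speed-up for the
# party that knows (p, q). Toy parameters only (constructed for illustration).
import secrets
from math import gcd
from typing import Optional, Tuple

def crt_pow(g: int, x: int, p: int, q: int) -> int:
    """Compute g^x mod (p*q) via the CRT: reduce the exponent mod (p-1) and
    mod (q-1), exponentiate separately mod p and mod q, then recombine with
    Garner's formula. Requires gcd(g, p*q) == 1 so Fermat's reduction holds."""
    if gcd(g, p * q) != 1:
        raise ValueError("base must be coprime to the modulus")
    ap = pow(g % p, x % (p - 1), p)      # half-size exponentiation mod p
    aq = pow(g % q, x % (q - 1), q)      # half-size exponentiation mod q
    q_inv = pow(q, -1, p)                # q^{-1} mod p (Python 3.8+)
    h = ((ap - aq) * q_inv) % p
    return aq + q * h                    # lies in [0, p*q) and matches ap, aq

def plain_pow(g: int, x: int, n: int) -> int:
    """What a party without the factorization must do: one full-size exponentiation."""
    return pow(g, x, n)

def dh_exchange(p: int, q: int, g: int,
                a: Optional[int] = None, b: Optional[int] = None) -> Tuple[int, int]:
    """Alice knows (p, q) and uses crt_pow; Bob only knows n = p*q and uses plain_pow.
    Returns (alice_secret, bob_secret); a correct implementation makes them equal."""
    n = p * q
    a = a if a is not None else secrets.randbelow(n - 2) + 1
    b = b if b is not None else secrets.randbelow(n - 2) + 1
    A = crt_pow(g, a, p, q)              # Alice's public value g^a mod n
    B = plain_pow(g, b, n)               # Bob's public value g^b mod n
    return crt_pow(B, a, p, q), plain_pow(A, b, n)

if __name__ == "__main__":
    # Constructed toy safe primes: 23 = 2*11+1 and 47 = 2*23+1, so n = 1081.
    alice, bob = dh_exchange(23, 47, 2)
    print("shared secret agrees:", alice == bob)
```

Note that only Alice's side speeds up, as the answer says, and the check `gcd(g, n) == 1` rejects bases sharing a factor with n, for which the exponent reduction would be wrong.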