\documentclass[psamsfonts]{amsart}
%-------Packages---------
\usepackage{amssymb,amsfonts}
\usepackage{enumerate}
\usepackage[margin=1in]{geometry}
\usepackage{amsthm}
\usepackage{theorem}
\usepackage{verbatim}
\bibliographystyle{plain}
\voffset = -10pt
\headheight = 0pt
\topmargin = -20pt
\textheight = 690pt
%--------Meta Data: Fill in your info------
\title{6.857 \\
Network and Computer Security \\
Lecture 13: Diffie-Hellman}
\author{Lecturer: Ronald Rivest\\
Scribe: John Wang}
\begin{document}
\maketitle
\section{Group Theory Review}
$(G,*)$ is a finite abelian group of size $t$:
\begin{itemize}
\item Identity. There exists an identity $1$ such that $\forall a \in G$ we have $a \cdot 1 = 1 \cdot a = a$.
\item Inverses. For all $a \in G$ there exists a $b \in G$ such that $ab = 1$.
\item Associativity. For all $a,b,c \in G$ we have $a (bc) = (ab) c$.
\item Abelian. For all $a,b \in G$ we have $ab = ba$.
\end{itemize}
The order of $a$, written $\mathrm{order}(a)$, is defined as the least $u > 0$ such that $a^u = 1$.

Theorem: In a finite group of size $t$, for all $a \in G$ we have $\mathrm{order}(a) \mid t$.

Theorem: For all $a \in G$ we have $a^t = 1$. For example, in $Z_p^*$ we have $a^{p-1} \equiv 1 \pmod{p}$ since $|Z_{p}^*| = p-1$.

Definition: $\langle a \rangle = \{a^i : i \geq 0\}$ is the subgroup generated by $a$.

Definition: If $\langle a \rangle = G$ then $G$ is cyclic and $a$ is a generator of $G$. Note that $| \langle a \rangle | = \mathrm{order}(a)$. As an exercise, show that if $t$ is prime and $G$ is a finite abelian group of order $t$, then every $a \in G$ with $a \neq 1$ is a generator of $G$. Fact: $Z_{p}^*$ is always cyclic.

Fact: If $G$ is a cyclic group of order $t$ and $g$ is a generator of $G$, then the mapping $x \mapsto g^x$ is a one-to-one correspondence between $\{0, 1, \ldots, t-1\}$ and $G$.
\subsection{Programming with Groups}
API for a group:
\begin{itemize}
\item G $\leftarrow$ create\_group
\item g $\leftarrow$ G.generator() (could fail if no generator exists)
\item identity, G.identity()
\item G.order\_elt(a) (could be really hard)
\item G.inverse(a)
\item G.cyclic $\rightarrow$ true/false
\item G.product(x,y)
\item G.random\_element
\item G.order()
\item G.exponentiation(a,k)
\item G.elements()
\item G.rep(M) (some element in the group representing message M).
\end{itemize}
\section{Diffie-Hellman Key Exchange}
Alice and Bob want to agree on a new secret key while talking over an open channel. They don't start off with any shared information at all. Suppose Alice generates a secret key $x$ and Bob generates a secret key $y$, both exponents for a generator $g$ of the group. Now Alice sends $a = g^x$ to Bob and Bob sends $b = g^y$ to Alice.

Alice can compute $b^x = (g^y)^x = g^{xy}$ and Bob can compute $a^y = (g^x)^y = g^{xy}$. The new secret key shared between Alice and Bob is $K = g^{xy}$.

Given $a = g^x$, Eve can't compute $x$ because we're assuming the discrete log problem is hard. The same holds for $b = g^y$. But given $a$ and $b$, can Eve compute $K = g^{xy}$? This is a new problem.

Computational Diffie-Hellman (CDH): Given $a$ and $b$, can you compute $g^{xy}$, where $a = g^{x}$ and $b = g^{y}$? This is assumed to be hard.
Theorem: If CDH is hard, then Diffie-Hellman key exchange is secure.
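The group API from the previous section and the exchange above, as an added example in Python that is not the lecture's or the scribe's code: $Z_p^*$ with the API's method names, the prime-order subgroup $Q_p = \langle g^2 \rangle$ of a safe prime $p = 2q+1$ (the modulus $p = 23$ is a constructed toy value), and a check that a received value lies in $Q_p$ before deriving $K$, since the CDH assumption only covers elements of $\langle g \rangle$. The names \texttt{in\_prime\_order\_subgroup}, \texttt{shared\_secret} and \texttt{diffie\_hellman} are this example's own.

```python
import secrets

# Constructed toy parameters (assumption: a tiny safe prime for illustration, not a real-world size).
P = 23                 # p = 2q + 1 with q = 11, so Q_p is cyclic of prime order q
Q = (P - 1) // 2

class ZpStar:
    """Z_p^* with the method names of the lecture's group API (added example, not the lecture's code)."""
    def __init__(self, p):
        self.p = p

    def order(self):
        return self.p - 1

    def product(self, x, y):
        return (x * y) % self.p

    def exponentiation(self, a, k):
        return pow(a, k, self.p)

    def order_elt(self, a):
        # Least u > 0 with a^u = 1: brute force works for a toy p but is hard in general, as the notes say.
        u, x = 1, a % self.p
        while x != 1:
            x, u = (x * a) % self.p, u + 1
        return u

    def generator(self):
        # Smallest element of order p-1; one exists because Z_p^* is cyclic.
        return next(a for a in range(2, self.p) if self.order_elt(a) == self.order())

def in_prime_order_subgroup(G, q, a):
    """True iff a is a non-identity element of Q_p (Euler's criterion: a^q = 1 exactly for squares)."""
    return 1 < a < G.p and G.exponentiation(a, q) == 1

def shared_secret(G, q, peer_public, my_secret):
    """K = peer_public^my_secret, refusing peer values outside Q_p (e.g. -1, which has order 2)."""
    if not in_prime_order_subgroup(G, q, peer_public):
        raise ValueError("peer value not in Q_p; refusing to derive a key")
    return G.exponentiation(peer_public, my_secret)

def diffie_hellman(G, g, q, x=None, y=None):
    """Exchange over <g> = Q_p with exponents x, y (random if omitted): returns (a, b, K_alice, K_bob)."""
    x = x if x is not None else 1 + secrets.randbelow(q - 1)
    y = y if y is not None else 1 + secrets.randbelow(q - 1)
    a, b = G.exponentiation(g, x), G.exponentiation(g, y)   # the two values sent over the open channel
    return a, b, shared_secret(G, q, b, x), shared_secret(G, q, a, y)
```

With $p = 23$, \texttt{ZpStar(P).generator()} returns $5$, and $g^2 = 2$ generates $Q_{23}$ of order $11$.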
\section{Different Types of Groups}
We've already learned about a number of groups:
\begin{itemize}
\item $Z_{p}^* = \{a : 1 \leq a < p \}$ where $p$ is prime. We know that $Z_{p}^*$ is always cyclic, and if $p = 2q+1$ then half of $Z_p^*$ are generators.
\item $Q_p$ is the set of quadratic residues (squares) modulo $p$, so $Q_p = \{a^2 : 1 \leq a < p \}$. Notice that $Q_p \subset Z_p^*$. We also know that $|Q_p| = \frac{1}{2} |Z_p^*|$, because exactly two elements of $Z_p^*$ map to each element of $Q_p$. Also, $Q_p$ is cyclic, so if $\langle g \rangle = Z_p^*$ then $\langle g^2 \rangle = Q_p$. If $p = 2q + 1$ with $q$ prime, then $Q_p$ is cyclic of prime order $q$, so any element of $Q_p$ other than the identity is a generator.
\item $Z_n^* = \{a : \gcd(a,n) = 1, 1 \leq a < n \}$. We see that $|Z_{n}^*| = \phi(n)$ by definition. If $n = pq$ where $p,q$ are distinct odd primes, then $Z_n^*$ is not cyclic and $Z_n^* \cong Z_p^* \times Z_q^*$.
\item $Q_n = \{a^2 : 1 \leq a < n, \gcd(a,n) = 1 \}$. If $n = pq$ and $p = 2r+1, q = 2s+1$ are safe primes, then $|Q_n| = rs$, and $Q_n$ is cyclic.
\end{itemize}
\subsection{Elliptic Curves}
Work in $Z_p$ and let $a,b$ be elements such that $4a^3 + 27b^2 \not\equiv 0 \pmod{p}$. Consider the equation $y^2 = x^3 + ax + b \pmod{p}$. The elliptic curve $E_{ab}$ is the set of points $(x,y)$ satisfying this equation modulo $p$.
\end{document}