Are elliptic curves the future of the Diffie-Hellman key exchange?

Mathematics Internal Investigation

It is 2006. Professor Langdon is holding a cryptex, trying to open it in order to save Sophie, and everyone is holding their breath. Even though I watched the film ten years later, I still felt that anxiety, the pressure he must have felt. The cryptex stayed with me beyond the movie and made me want to research the subject, to discover new secrets and mysteries. I have read about secret messages, secret codes and secret languages, going from something easy like the "Ubbi dubbi" language game popularized by the children's television show Zoom, to the use of the Navajo language during World War II, to the Enigma machine, the electromechanical cipher machine used to encrypt German military messages, and the effort to break it. In modern times computers have made encryption available to everyone: just look at WhatsApp, where messages are end-to-end encrypted by default so that nobody but the intended recipient can read them. This new world of encryption is made possible by mathematics, and the most fascinating piece of it for me is the Diffie-Hellman key exchange, which lets two parties agree on a secret key so that they can share information securely.

I decided I would try to analyze whether elliptic curves are the future of the Diffie-Hellman key exchange.

The Diffie-Hellman key agreement scheme first appeared in 1976, in the paper "New Directions in Cryptography" by Whitfield Diffie and Martin Hellman. The two Stanford University researchers introduced the concept of public-key cryptography: a method that allows two parties to communicate over an insecure channel without having shared any secret information beforehand. The value that Diffie-Hellman produces is not itself used to encrypt the messages; it is a shared secret from which the key for a symmetric cipher is derived.

What is the meaning of Public Key?


Transferring data from one system to another over a public network requires protection through encryption, a method which uses a "key" to encipher and decipher the data. Since only the users who hold the same "key" can read the transferred information, this procedure is called private-key or symmetric-key cryptography. The algorithms behind standard symmetric-key protection are believed to be extremely strong against an unwanted reader, but the key itself has to reach both parties first. Because of the vast number of intermediate points between the parties, the key cannot be handed over in the clear across the world wide web, and exchanging it offline is even less realistic at scale.
The invention of public-key cryptography solved this issue: it gives a secure way to agree on a key over an unsafe public network.

Let's consider Alice and Bob, two users exchanging secret love data through asymmetric-key algorithms. The algorithms are called asymmetric because, while the private key is indeed private, the public key may be broadly distributed. Let's look at Image 1.

Image 1: Alice & Bob

http://richardgoyette.com/Infosec/Alice/BobandAlice.html

Alice will write a love note to Bob, who is not her husband, and will use Bob's public key to encipher it. She then emails the message to Bob, who is the only person able to read it thanks to his corresponding private key. Although the private and public keys are mathematically related, the private key cannot feasibly be derived from the public key. All of this means that Alice and Bob will be the only ones reading their love note.
The Diffie-Hellman method is called a key "exchange" (more precisely, a key agreement) because it is the protocol used to establish the actual key that will then encrypt the data. The method creates a shared secret between two devices, which is used as, or to derive, the symmetric key; when that key is used only to encrypt a further data key it is called a key encryption key (KEK). Its security is based on the discrete logarithm problem.

The discrete logarithm is the abstract-algebra counterpart of the ordinary logarithm $\log x$ (with $e^{\log x} = x$). More precisely: let $G$ be a cyclic group with $N$ elements and let $g \in G$ be a generator, so that every element $b \in G$ can be written as $b = g^h$ for some integer $h$. We call $h$ the discrete logarithm of $b$ to the base $g$, written $\log_g b$. In any finite group, even a non-abelian one, each element $g$ generates a finite cyclic subgroup $\langle g \rangle$.

Given $G$, calculating the discrete logarithm of one of its elements with respect to $g$ is not a simple task; this is why it is used in cryptography.
One method is exhaustive search, which however requires running time linear in $N$ and therefore exponential in $n = \log_2 N$ (the number of bits of $N$).
The D-H exchange works with two public parameters, $p$ and $g$, meaning they can be seen and used by all users. The parameter $p$ is a prime number, while $g$ (the generator) is an integer [1]; the two parameters are linked by a simple relationship: for every number $n$ between 1 and $p-1$ inclusive, there is a power $k$ of $g$ such that $n \equiv g^k \pmod p$.
To show in an easy way how to use the Diffie-Hellman method, I will use the example created by Cornell University [2], using $p = 17$ as a fixed modulus and 7 as the base. A large power is computed by writing the exponent in binary ($29 = 16 + 8 + 4 + 1$) and multiplying the corresponding repeated squares, reducing modulo 17 at every step:

$$7^{29} \equiv 7^{16} \cdot 7^{8} \cdot 7^{4} \cdot 7^{1} \equiv 1 \cdot 16 \cdot 4 \cdot 7 = 448 \equiv 6 \pmod{17}.$$

Let's go back to Alice and Bob's love note: what happens if they decide to use the Diffie-Hellman method? Alice and Bob first agree on the public parameters $p$ and $g$, where $g$ generates a finite cyclic group $G$. Then each of them generates a private value, namely $a$ and $b$, drawn at random from a set of integers. From these, the two lovers derive their public values $A = g^a \bmod p$ and $B = g^b \bmod p$ and send them to each other.
As a last step Alice computes $g^{ab} = (g^b)^a \bmod p$, while Bob computes $g^{ba} = (g^a)^b \bmod p$. They obtain the same result because $g^{ab} = g^{ba} = k$, where $k$ is the secret they both now share.

Image 2: Diffie-Hellman for Alice and Bob

https://www.thesecuritybuddy.com/encryption/how-does-diffie-hellman-key-exchange-protocol-work/

[1] https://www.math.brown.edu/~jhs/MathCrypto/SampleSections.pdf
[2] http://pi.math.cornell.edu/~mec/2003-2004/cryptography/diffiehellman/worksheet.html
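As an added example (my code, not part of the original paper), here is a Python implementation of the square-and-multiply exponentiation behind the 7^29 calculation above and of the exchange just described, run with the page's toy parameters p = 17 and g = 7. The function names and the use of the `secrets` module for the private values are my own choices; a real deployment would use a prime of at least 2048 bits.

```python
import secrets


def modpow(base: int, exponent: int, modulus: int) -> int:
    """Square-and-multiply: base**exponent mod modulus.

    Mirrors the hand calculation 7^29 = 7^16 * 7^8 * 7^4 * 7^1 (mod 17):
    each loop iteration squares the running power (7, 7^2, 7^4, ...) and
    multiplies it into the result only when the matching bit of the exponent
    is set. Intermediate values never exceed modulus**2.
    """
    if modulus == 1:
        return 0
    result = 1
    power = base % modulus
    while exponent > 0:
        if exponent & 1:
            result = (result * power) % modulus
        power = (power * power) % modulus
        exponent >>= 1
    return result


def is_generator(g: int, p: int) -> bool:
    """Brute-force check that the powers of g cover all of Z_p^* (toy p only)."""
    seen = {modpow(g, k, p) for k in range(1, p)}
    return seen == set(range(1, p))


def dh_public(p: int, g: int, private: int) -> int:
    return modpow(g, private, p)            # g^private mod p, sent in the clear


def dh_shared(p: int, peer_public: int, private: int) -> int:
    return modpow(peer_public, private, p)  # (g^peer)^private mod p, kept secret


def dh_exchange(p: int, g: int, a: int, b: int) -> dict:
    """Run the whole exchange with given private values and return everything
    each party sees, so the symmetry g^(ab) = g^(ba) is visible."""
    A = dh_public(p, g, a)          # Alice -> Bob
    B = dh_public(p, g, b)          # Bob -> Alice
    k_alice = dh_shared(p, B, a)    # (g^b)^a mod p
    k_bob = dh_shared(p, A, b)      # (g^a)^b mod p
    return {"A": A, "B": B, "k_alice": k_alice, "k_bob": k_bob,
            "eavesdropper_sees": (p, g, A, B)}


def random_private(p: int) -> int:
    """Private exponent drawn uniformly from 2 .. p-2 with a CSPRNG."""
    return 2 + secrets.randbelow(p - 3)


if __name__ == "__main__":
    p, g = 17, 7
    assert is_generator(g, p)
    print("7^29 mod 17 =", modpow(7, 29, 17))
    a, b = random_private(p), random_private(p)
    print(dh_exchange(p, g, a, b))
```

With a = 3 and b = 5 the public values are A = 3 and B = 11 and both sides arrive at k = 5; the eavesdropper's tuple (p, g, A, B) is exactly the input to the Diffie-Hellman problem discussed later.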
Although widely used since its invention in 1976 to establish keys for secure communication, Diffie-Hellman has its weaknesses.
Consider a man-in-the-middle (MITM) attack: John, Alice's husband, intercepts Bob's public value and sends Alice his own, and does the same in the other direction. Bob and John now agree on one shared key while John and Alice agree on a different one, and neither Alice nor Bob can tell that anything happened, because nothing in the protocol proves whose public value they received. John can decrypt every message with one key, read it, and re-encrypt it with the other key before forwarding it; he may also alter the messages or inject his own, so the two cheaters can no longer trust that communication line.
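The attack just described, as an added Python example that is not part of the original paper. It reuses the toy parameters p = 17 and g = 7; the XOR "cipher", the fingerprint function and John's two private values are illustrative choices of mine. The last function shows the check that exposes the attack: Alice and Bob compare a short fingerprint of the key they derived over an independent channel (the idea behind the security codes that end-to-end encrypted messengers let users compare), and since John has given them two different keys, the fingerprints differ.

```python
import hashlib

# Toy parameters from the Cornell example; real deployments use >= 2048-bit p.
P, G = 17, 7


def public_value(private: int) -> int:
    return pow(G, private, P)


def shared_secret(peer_public: int, private: int) -> int:
    return pow(peer_public, private, P)


def fingerprint(secret: int) -> str:
    """Short hash of the derived key, suitable for reading aloud over the phone."""
    return hashlib.sha256(secret.to_bytes(4, "big")).hexdigest()[:8]


def honest_exchange(a: int, b: int) -> dict:
    A, B = public_value(a), public_value(b)
    return {"k_alice": shared_secret(B, a), "k_bob": shared_secret(A, b)}


def mitm_exchange(a: int, b: int, j1: int, j2: int) -> dict:
    """John holds two private values, j1 towards Alice and j2 towards Bob,
    and swaps each public value while it is in flight."""
    A, B = public_value(a), public_value(b)      # sent, but never delivered
    J1, J2 = public_value(j1), public_value(j2)
    k_alice = shared_secret(J1, a)               # Alice thinks J1 is Bob's value
    k_bob = shared_secret(J2, b)                 # Bob thinks J2 is Alice's value
    k_john_alice = shared_secret(A, j1)          # John's key shared with Alice
    k_john_bob = shared_secret(B, j2)            # John's key shared with Bob
    return {"k_alice": k_alice, "k_bob": k_bob,
            "k_john_alice": k_john_alice, "k_john_bob": k_john_bob}


def relay(outcome: dict, plaintext: str) -> tuple:
    """John's decrypt / read / re-encrypt step. The one-byte XOR keyed by the
    low byte of each shared secret is a stand-in for a real cipher.
    Returns (what John read, what Bob received)."""
    def xor(data: bytes, key: int) -> bytes:
        return bytes(c ^ (key & 0xFF) for c in data)

    from_alice = xor(plaintext.encode(), outcome["k_alice"])   # Alice encrypts
    seen_by_john = xor(from_alice, outcome["k_john_alice"])    # John decrypts
    to_bob = xor(seen_by_john, outcome["k_john_bob"])          # John re-encrypts
    received = xor(to_bob, outcome["k_bob"])                   # Bob decrypts
    return seen_by_john.decode(), received.decode()


def keys_match(outcome: dict) -> bool:
    """What Alice and Bob learn by comparing key fingerprints out of band:
    True for an honest run, False when a man in the middle split the keys."""
    return fingerprint(outcome["k_alice"]) == fingerprint(outcome["k_bob"])
```

For a = 3, b = 5, j1 = 6 and j2 = 4 Alice ends up with key 15 and Bob with key 4, each matching the key John computed on the corresponding side; the relayed note reaches Bob intact, so neither victim notices anything until they compare fingerprints.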

The Diffie-Hellman Key Exchange method was first published in 1976. It enables two parties to independently compute a shared secret that cannot be obtained by an eavesdropper. [3]
The process starts with the creation of a public large prime $p$ (the modulus) and a generator $g$ of the group $\mathbb{Z}_p^*$. The two parties, Alice and Bob, each choose a private key, $a$ and $b$ respectively, in the range $1 < a < p-1$, and compute the public values

$$A = g^{a} \bmod p, \qquad B = g^{b} \bmod p,$$

which are sent to the other party. Each side then computes the shared secret

$$k = B^{a} = A^{b} = g^{ab} \bmod p.$$

An eavesdropper only sees $p$, $g$, $g^a$ and $g^b$. Given these values, the Diffie-Hellman Problem (DHP) is to find $g^{ab} \bmod p$. This is considered an intractable problem for a large enough prime $p$, say over 1000 bits long (current practice is at least 2048 bits). Obviously, if we could solve the Discrete Logarithm Problem (DLP) we could also solve the DHP. It is conjectured that the DHP is at least as hard as the DLP, i.e. that the two problems are equivalent. [4]

[3] https://www.di-mgt.com.au/public-key-crypto-discrete-logs-0.html
[4] https://www.di-mgt.com.au/public-key-crypto-discrete-logs-0.html
The multiplicative group modulo a prime $p$, written $\mathbb{Z}_p^*$, is the group in which the discrete logarithms used in cryptography live. Its elements are the $p-1$ integers $\{1, 2, \dots, p-1\}$ and the group operation is multiplication modulo $p$, i.e. the ordinary product of two elements reduced modulo $p$. These values satisfy the following group properties:

G1 (closure): the product of two elements, reduced modulo $p$, is again an element of the set.
G2 (identity): $1 \cdot x \equiv x \pmod p$ for every $x$ in the set.
G3 (inverses): every $x$ has a $y$ in the set with $xy \equiv 1 \pmod p$.
G4 (associativity) and G5 (commutativity): $(xy)z \equiv x(yz)$ and $xy \equiv yx \pmod p$.

G4 and G5 are inherited from the integers. We therefore do not need to look at the order of the terms, since the associative and commutative rules apply in the same way, and for the same reason we do not need brackets.

G1 holds because there is no '0' in the set and the product of two elements can never be zero modulo $p$: if

$$xy \equiv 0 \pmod p$$

for elements $x$ and $y$ of the set, then $p$ divides $xy$, and since $p$ is prime it must divide $x$ or $y$; neither is divisible by $p$, a contradiction.

For G3 we use the fact that no element in the set has a common factor with $p$: for any element $x$ in the set, $\gcd(x, p) = 1$. This means there are integers $r$ and $s$ with

$$rx + sp = 1,$$

which can also be written

$$rx \equiv 1 \pmod p.$$

Because of this, $r \bmod p$ is the multiplicative inverse of $x$.

The group $\mathbb{Z}_p^*$ is cyclic even though its order $p-1$ is not prime (for $p > 3$, $p-1$ is even and greater than 2, hence composite). This means that for some $g \in \mathbb{Z}_p^*$ we have

$$\langle g \rangle = \{g, g^2, g^3, \dots, g^{p-1}\} = \mathbb{Z}_p^*.$$

To find a generator we must take into consideration Fermat's Little Theorem, which tells us that for any prime $p$ and any integer $a$ that is not a multiple of $p$,

$$a^{p-1} \equiv 1 \pmod p.$$

Reducing exponents is important when working with a cyclic group of order $p-1$: since $a^{p-1} \equiv 1$, an exponent may be reduced modulo $p-1$ before the power is computed,

$$a^{k} \equiv a^{k \bmod (p-1)} \pmod p.$$

For example, with $p = 11$, $2^{13} \equiv 2^{13 \bmod 10} = 2^{3} = 8 \pmod{11}$, which is simpler than computing $2^{13} = 8192$ and reducing it.

Taking $p = 11$ as an example we can construct a generator. We have the group

$$\mathbb{Z}_{11}^* = \{1, 2, 3, 4, 5, 6, 7, 8, 9, 10\}.$$
We now consider $g = 2$ and all the elements generated by it:

$$\langle 2 \rangle = \{2, 4, 8, 5, 10, 9, 7, 3, 6, 1\} = \mathbb{Z}_{11}^*,$$

so 2 is a generator. But $g = 3$ generates only a subgroup of order 5,

$$\langle 3 \rangle = \{3, 9, 5, 4, 1\},$$

and $g = 10$ can only generate a subgroup of order 2,

$$\langle 10 \rangle = \{10, 1\}.$$

Thanks to these calculations we can construct a table:

a    ⟨a⟩                                ord(a)
1    {1}                                  1
2    {2, 4, 8, 5, 10, 9, 7, 3, 6, 1}     10
3    {3, 9, 5, 4, 1}                      5
4    {4, 5, 9, 3, 1}                      5
5    {5, 3, 4, 9, 1}                      5
6    {6, 3, 7, 9, 10, 5, 8, 4, 2, 1}     10
7    {7, 5, 2, 3, 10, 4, 6, 9, 8, 1}     10
8    {8, 9, 6, 4, 10, 3, 2, 5, 7, 1}     10
9    {9, 4, 3, 5, 1}                      5
10   {10, 1}                              2

From the table we see that the following rules hold.

The order of 1 is always 1.

The order of $p-1$ is always 2, since $(p-1)^2 \equiv (-1)^2 = 1 \pmod p$.

There are exactly $\phi(p-1)$ generators in the group, where $\phi(n)$ is Euler's totient function, the number of positive integers less than $n$ that are coprime to $n$. [5] In this case $\phi(10) = 4$.

[5] https://www.di-mgt.com.au/multiplicative-group-mod-p.html

In fact we find exactly 4 generators: 2, 6, 7 and 8.

There are two methods to find a generator, but both become impractical once we reach the 1000-bit primes used in cryptography, unless $p$ is chosen with care.

The first method is to choose a candidate $a \in \mathbb{Z}_p^*$ and check that $a^i \neq 1$ for every $i$ from 1 to $p-2$. This is very slow, especially for large prime numbers.

The second method is to factorize $p-1$ and use the property that $a$ is a generator if and only if

$$a^{(p-1)/q} \not\equiv 1 \pmod p$$

for all primes $q$ that divide $p-1$. So we only have to test our candidate against the prime factors of $p-1$. This method requires factorizing $p-1$, which for a large arbitrary $p$ is itself a difficult problem. [6] In practice this is sidestepped by choosing $p$ as a safe prime, $p = 2q+1$ with $q$ prime, so that the factorization $p-1 = 2q$ is known by construction and only two exponentiations are needed per candidate.
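An added Python example (mine, not from the paper) that reproduces the p = 11 table computationally and implements both generator tests together with the count φ(p−1). The last two functions relate to the small-subgroup problem the paper raises in its conclusion: `attacker_search_space` shows how few candidate secrets remain when g has small order, and `is_safe_prime` shows the parameter choice that makes the factor-based test cheap. All function names are my own.

```python
from math import gcd


def element_order(a: int, p: int) -> int:
    """Smallest k >= 1 with a^k = 1 (mod p), by repeated multiplication.
    Toy sizes only; for real p use is_generator() below."""
    k, x = 1, a % p
    while x != 1:
        x = (x * a) % p
        k += 1
    return k


def generated_subgroup(a: int, p: int) -> list:
    """<a> listed in the order the table uses: a, a^2, a^3, ..., 1."""
    elems, x = [], a % p
    while x not in elems:
        elems.append(x)
        x = (x * a) % p
    return elems


def prime_factors(n: int) -> list:
    """Distinct prime factors of n by trial division. This is the step that
    is infeasible for an arbitrary 1000-bit p-1 and trivial for a safe prime."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_generator(a: int, p: int, factors_of_p_minus_1=None) -> bool:
    """Second method: a generates Z_p^* iff a^((p-1)/q) != 1 (mod p) for every
    prime q dividing p-1. One exponentiation per distinct prime factor."""
    qs = factors_of_p_minus_1 or prime_factors(p - 1)
    return all(pow(a, (p - 1) // q, p) != 1 for q in qs)


def generators(p: int) -> list:
    qs = prime_factors(p - 1)
    return [a for a in range(1, p) if is_generator(a, p, qs)]


def euler_phi(n: int) -> int:
    """Euler's totient, by counting; matches the number of generators."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def attacker_search_space(g: int, p: int) -> int:
    """If the parties are tricked into a g of small order, every possible
    shared secret g^(ab) lies in <g>, so an attacker brute-forces at most
    ord(g) candidates instead of roughly p."""
    return element_order(g, p)


def is_safe_prime(p: int) -> bool:
    """p = 2q + 1 with q prime, so that p-1 = 2q is factored by construction."""
    q = (p - 1) // 2
    return p % 2 == 1 and q > 1 and all(q % d for d in range(2, int(q ** 0.5) + 1))
```

For p = 11 the generators come out as [2, 6, 7, 8], matching φ(10) = 4; picking g = 10 instead leaves an attacker only two candidate secrets to try.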

In conclusion we can say that the basic Diffie-Hellman method provides security against any passive eavesdropper, but lacks security when there is a man in the middle, because nothing in the exchange authenticates the public values; in practice they must be signed or otherwise authenticated.
It is also vulnerable if an attacker can trick the users into using parameters $(p, g)$ where $g$ only generates a small subgroup: the attacker can then do a brute-force search of this much smaller set. [7] Checking that $g$ is a generator defends against this, and for a safe prime $p = 2q+1$ a received public value $A$ can be checked directly by requiring $A \neq 1$ and $A^{q} \equiv 1 \pmod p$.
To make the attacker's task harder, in 1985 Neal Koblitz and Victor S. Miller independently proposed public-key cryptography based on elliptic curves defined over finite fields. The attraction is that the best known attacks on the elliptic curve discrete logarithm are generic, so much shorter keys give the same security as a very large prime modulus. An elliptic curve is an algebraic curve with an addition operation between points belonging to the curve, with respect to which the points form an abelian group whose neutral element is the point at infinity $O$.

Alice and Bob, wanting to send messages to each other without the attacker discovering them and understanding that the first algorithm was vulnerable, agree on a new session key $K$ as follows. Consider a finite field $\mathbb{F}_q$, an elliptic curve $E$ defined over that field and a point $P \in E$ (all assumed to be publicly known). Alice and Bob each generate an integer, respectively $a$ and $b$, which they keep secret, and publicly communicate the points $aP$ and $bP$.
Alice, knowing $bP$ and her integer $a$, calculates $K = a(bP)$, while Bob, who knows $aP$ and his integer $b$, calculates $K = b(aP)$; both obtain $abP$.
At this point John has the points $P$, $aP$ and $bP$, but he will not be able to compute $abP$ unless he can solve the elliptic curve discrete logarithm problem, that is, recover $a$ from $P$ and $aP$. The man-in-the-middle attack of the previous section still applies unchanged, however: John can replace $aP$ and $bP$ with points of his own exactly as before, so the exchange must still be authenticated.

[6] https://www.di-mgt.com.au/multiplicative-group-mod-p.html
[7] https://www.di-mgt.com.au/public-key-crypto-discrete-logs-0.html
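The elliptic-curve exchange described above, as an added Python example that is not part of the original paper. The curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with base point $P = (5, 1)$ of order 19 is a textbook-sized toy I chose for illustration and is far too small to be secure. The brute-force function plays John's role: with only 19 possible multiples of $P$ he recovers $a$ and hence $abP$, which is exactly what becomes infeasible on a curve over a 256-bit field. Function and constant names are my own.

```python
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity O

# Toy curve chosen for this example: y^2 = x^3 + 2x + 2 over F_17,
# base point P = (5, 1) of prime order 19 (so every point but O generates).
A_COEFF, B_COEFF, FIELD_P = 2, 2, 17
BASE_POINT: Point = (5, 1)
ORDER = 19


def on_curve(pt: Point) -> bool:
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEFF * x + B_COEFF)) % FIELD_P == 0


def point_add(p1: Point, p2: Point) -> Point:
    """Group law in affine coordinates; O is the neutral element and
    -(x, y) = (x, -y). Inverses use pow(v, -1, FIELD_P) (Python 3.8+)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return None                                  # p1 = -p2, sum is O
    if p1 == p2:                                     # tangent line (doubling)
        slope = (3 * x1 * x1 + A_COEFF) * pow(2 * y1, -1, FIELD_P)
    else:                                            # chord through p1, p2
        slope = (y2 - y1) * pow(x2 - x1, -1, FIELD_P)
    slope %= FIELD_P
    x3 = (slope * slope - x1 - x2) % FIELD_P
    y3 = (slope * (x1 - x3) - y1) % FIELD_P
    return (x3, y3)


def scalar_mult(k: int, pt: Point) -> Point:
    """Double-and-add: the elliptic-curve analogue of square-and-multiply."""
    result: Point = None
    addend = pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh(a: int, b: int) -> dict:
    """Alice holds a, Bob holds b; aP and bP cross the wire, abP never does."""
    aP = scalar_mult(a, BASE_POINT)
    bP = scalar_mult(b, BASE_POINT)
    return {"aP": aP, "bP": bP,
            "k_alice": scalar_mult(a, bP),       # a(bP)
            "k_bob": scalar_mult(b, aP),         # b(aP)
            "john_sees": (BASE_POINT, aP, bP)}


def ecdlp_brute_force(target: Point) -> int:
    """John's only generic option: try every multiple of P until one matches.
    Feasible here because ORDER = 19; hopeless at 2^256."""
    for k in range(1, ORDER):
        if scalar_mult(k, BASE_POINT) == target:
            return k
    raise ValueError("target is not a multiple of P")
```

With a = 3 and b = 7 both sides compute 21P = 2P = (6, 3); John, seeing aP and bP, recovers a by brute force in at most 18 scalar multiplications on this toy curve.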
Bibliography
Websites used:
• http://pi.math.cornell.edu/~mec/2003-2004/cryptography/diffiehellman/diffiehellman.html
• https://www.math.brown.edu/~jhs/MathCrypto/SampleSections.pdf
• http://richardgoyette.com/Infosec/Alice/BobandAlice.html
• https://www.thesecuritybuddy.com/encryption/how-does-diffie-hellman-key-exchange-protocol-work/
• https://home.cyber.ee (Sandra Netsajeva, slides)
• http://www.science.unitn.it/~sala/events2011/LEZ1_DH-RSA.pdf
• https://retis.sssup.it/sites/default/files/Overview%20of%20Elliptic%20Curves%20Cryptography%20by%20R.%20Brigo..pdf

Papers used:
• David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, Paul Zimmermann. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice.
• Eivind Vinje (Norwegian University of Science and Technology). Educational implementation of SSL/TLS.
