Which properties of a group are used in the steps of Diffie Hellman?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












7












$begingroup$


I’m trying to understand which properties of a group are used in DHKE at each step.



For example, Alice and Bob’s public keys appear to only use the closure property of a group and maybe identity (e.g. $k_pubA$ = $A^k_prA$ (mod p)?



When creating the shared key Alice and Bob appear to also use the associative property of a group $k_AB$ = $B^k_prA$ (mod p)?



So to perform both main steps of DHKE the multiplicative inverse property does not seem to be used at all?










share|improve this question









$endgroup$
















    7












    $begingroup$


    I’m trying to understand which properties of a group are used in DHKE at each step.



    For example, Alice and Bob’s public keys appear to only use the closure property of a group and maybe identity (e.g. $k_pubA$ = $A^k_prA$ (mod p)?



    When creating the shared key Alice and Bob appear to also use the associative property of a group $k_AB$ = $B^k_prA$ (mod p)?



    So to perform both main steps of DHKE the multiplicative inverse property does not seem to be used at all?










    share|improve this question









    $endgroup$














      7












      7








      7


      2



      $begingroup$


      I’m trying to understand which properties of a group are used in DHKE at each step.



      For example, Alice and Bob’s public keys appear to only use the closure property of a group and maybe identity (e.g. $k_pubA$ = $A^k_prA$ (mod p)?



      When creating the shared key Alice and Bob appear to also use the associative property of a group $k_AB$ = $B^k_prA$ (mod p)?



      So to perform both main steps of DHKE the multiplicative inverse property does not seem to be used at all?










      share|improve this question









      $endgroup$




      I’m trying to understand which properties of a group are used in DHKE at each step.



      For example, Alice and Bob’s public keys appear to only use the closure property of a group and maybe identity (e.g. $k_pubA$ = $A^k_prA$ (mod p)?



      When creating the shared key Alice and Bob appear to also use the associative property of a group $k_AB$ = $B^k_prA$ (mod p)?



      So to perform both main steps of DHKE the multiplicative inverse property does not seem to be used at all?







      diffie-hellman number-theory group-theory






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 22 at 20:33









      JohnGaltJohnGalt

      1755




      1755




















          1 Answer
          1






          active

          oldest

          votes


















          11












          $begingroup$


          I’m trying to understand which properties of a group are used in DHKE at each step.




          Actually, you can implement a DH-style operation in any semigroup; you need closure, and you need associativity (so $A^3 = Atimes A times A = (A times A) times A = A times (A times A)$ is well defined), but other than that, you really don't need anything. You don't need an identity, you don't need the semigroup to be abelian (although the sub-semigroup generated by a single element will always be abelian), it doesn't have to be finite (although infinite semigroups would cause practical problems during implementation) and you don't need inverses (which, if you don't have an identity, aren't well-defined anyways).



          We typically don't talk about doing DH in a semigroup mostly because (AFAIK) no one has found a semigroup (that's not also a group) that has any particular advantage over a true group.



          Now, what's a more interesting (and considerably harder) question is "what properties do you need for DHKE to be secure?" We do have assumptions such as the CDH assumption ("given $g, g^a, g^b$, it's hard to compute $g^ab$), however we don't know what semigroup properties ensure that...






          share|improve this answer











          $endgroup$












          • $begingroup$
            I appreciate the answer and am going to mark it as answered. Regarding, "what properties do you need for DHKE to be secure?" that was my intended question but that definitely wasn't clear. I'm glad, however, that they're two questions now, one with the minimum properties necessary for DHKE implementation (regardless of security) and this other question regarding the secure-ness are hardness I guess. Should I ask a separate question are could you expand on it here?
            $endgroup$
            – JohnGalt
            Jan 22 at 21:39






          • 1




            $begingroup$
            The selection of group is critical for security. Using DH with the group $mod p$ for many primes $p$ with group operation $times$ is secure as far as we know, yet using DH with the group $mod p-1$ with group operation $+$ is not secure (discrete log is simply modular division), even though the two groups are isomorphic.
            $endgroup$
            – Myria
            Jan 22 at 22:58











          • $begingroup$
            @Myria Is the selection of the group critical for security or the selection of the modulus? For DHKE over $Z_p^*$ it would appear from the answer above that the critical factor is choosing a large enough prime so that the sqrt(p) is large enough to make brute forcing the DLP computationally infeasible?
            $endgroup$
            – JohnGalt
            Jan 22 at 23:31






          • 2




            $begingroup$
            @JohnGalt For $mathbbZ^*_p$, $p$ needs to be a prime such that $p-1$ has at least one large prime; optimally $p$ is a Sophie-Germain prime. Otherwise, the discrete logarithm is easy (Pohlig-Hellman with Baby-Step Giant-Step). But even with such a $p$, $mathbbZ^+_p-1$ is still insecure, despite being isometric to $mathbbZ^*_p$. Thus, you really need both the group representation and its modulus to be selected well.
            $endgroup$
            – Myria
            Jan 23 at 0:21







          • 1




            $begingroup$
            @JohnGalt I was showing how the choice of group representation matters for security, not just the group order. So while choosing any group for DH will make the key exchange work, only some choices of representation and order are secure.
            $endgroup$
            – Myria
            Jan 23 at 1:08










          Your Answer





          StackExchange.ifUsing("editor", function ()
          return StackExchange.using("mathjaxEditing", function ()
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
          );
          );
          , "mathjax-editing");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "281"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66688%2fwhich-properties-of-a-group-are-used-in-the-steps-of-diffie-hellman%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          11












          $begingroup$


          I’m trying to understand which properties of a group are used in DHKE at each step.




          Actually, you can implement a DH-style operation in any semigroup; you need closure, and you need associativity (so $A^3 = Atimes A times A = (A times A) times A = A times (A times A)$ is well defined), but other than that, you really don't need anything. You don't need an identity, you don't need the semigroup to be abelian (although the sub-semigroup generated by a single element will always be abelian), it doesn't have to be finite (although infinite semigroups would cause practical problems during implementation) and you don't need inverses (which, if you don't have an identity, aren't well-defined anyways).



          We typically don't talk about doing DH in a semigroup mostly because (AFAIK) no one has found a semigroup (that's not also a group) that has any particular advantage over a true group.



          Now, what's a more interesting (and considerably harder) question is "what properties do you need for DHKE to be secure?" We do have assumptions such as the CDH assumption ("given $g, g^a, g^b$, it's hard to compute $g^ab$), however we don't know what semigroup properties ensure that...






          share|improve this answer











          $endgroup$












          • $begingroup$
            I appreciate the answer and am going to mark it as answered. Regarding, "what properties do you need for DHKE to be secure?" that was my intended question but that definitely wasn't clear. I'm glad, however, that they're two questions now, one with the minimum properties necessary for DHKE implementation (regardless of security) and this other question regarding the secure-ness are hardness I guess. Should I ask a separate question are could you expand on it here?
            $endgroup$
            – JohnGalt
            Jan 22 at 21:39






          • 1




            $begingroup$
            The selection of group is critical for security. Using DH with the group $mod p$ for many primes $p$ with group operation $times$ is secure as far as we know, yet using DH with the group $mod p-1$ with group operation $+$ is not secure (discrete log is simply modular division), even though the two groups are isomorphic.
            $endgroup$
            – Myria
            Jan 22 at 22:58











          • $begingroup$
            @Myria Is the selection of the group critical for security or the selection of the modulus? For DHKE over $Z_p^*$ it would appear from the answer above that the critical factor is choosing a large enough prime so that the sqrt(p) is large enough to make brute forcing the DLP computationally infeasible?
            $endgroup$
            – JohnGalt
            Jan 22 at 23:31






          • 2




            $begingroup$
            @JohnGalt For $mathbbZ^*_p$, $p$ needs to be a prime such that $p-1$ has at least one large prime; optimally $p$ is a Sophie-Germain prime. Otherwise, the discrete logarithm is easy (Pohlig-Hellman with Baby-Step Giant-Step). But even with such a $p$, $mathbbZ^+_p-1$ is still insecure, despite being isometric to $mathbbZ^*_p$. Thus, you really need both the group representation and its modulus to be selected well.
            $endgroup$
            – Myria
            Jan 23 at 0:21







          • 1




            $begingroup$
            @JohnGalt I was showing how the choice of group representation matters for security, not just the group order. So while choosing any group for DH will make the key exchange work, only some choices of representation and order are secure.
            $endgroup$
            – Myria
            Jan 23 at 1:08















          11












          $begingroup$


          I’m trying to understand which properties of a group are used in DHKE at each step.




          Actually, you can implement a DH-style operation in any semigroup; you need closure, and you need associativity (so $A^3 = Atimes A times A = (A times A) times A = A times (A times A)$ is well defined), but other than that, you really don't need anything. You don't need an identity, you don't need the semigroup to be abelian (although the sub-semigroup generated by a single element will always be abelian), it doesn't have to be finite (although infinite semigroups would cause practical problems during implementation) and you don't need inverses (which, if you don't have an identity, aren't well-defined anyways).



          We typically don't talk about doing DH in a semigroup mostly because (AFAIK) no one has found a semigroup (that's not also a group) that has any particular advantage over a true group.



          Now, what's a more interesting (and considerably harder) question is "what properties do you need for DHKE to be secure?" We do have assumptions such as the CDH assumption ("given $g, g^a, g^b$, it's hard to compute $g^ab$), however we don't know what semigroup properties ensure that...






          share|improve this answer











          $endgroup$












          • $begingroup$
            I appreciate the answer and am going to mark it as answered. Regarding, "what properties do you need for DHKE to be secure?" that was my intended question but that definitely wasn't clear. I'm glad, however, that they're two questions now, one with the minimum properties necessary for DHKE implementation (regardless of security) and this other question regarding the secure-ness are hardness I guess. Should I ask a separate question are could you expand on it here?
            $endgroup$
            – JohnGalt
            Jan 22 at 21:39






          • 1




            $begingroup$
            The selection of group is critical for security. Using DH with the group $mod p$ for many primes $p$ with group operation $times$ is secure as far as we know, yet using DH with the group $mod p-1$ with group operation $+$ is not secure (discrete log is simply modular division), even though the two groups are isomorphic.
            $endgroup$
            – Myria
            Jan 22 at 22:58











          • $begingroup$
            @Myria Is the selection of the group critical for security or the selection of the modulus? For DHKE over $Z_p^*$ it would appear from the answer above that the critical factor is choosing a large enough prime so that the sqrt(p) is large enough to make brute forcing the DLP computationally infeasible?
            $endgroup$
            – JohnGalt
            Jan 22 at 23:31






          • 2




            $begingroup$
            @JohnGalt For $mathbbZ^*_p$, $p$ needs to be a prime such that $p-1$ has at least one large prime; optimally $p$ is a Sophie-Germain prime. Otherwise, the discrete logarithm is easy (Pohlig-Hellman with Baby-Step Giant-Step). But even with such a $p$, $mathbbZ^+_p-1$ is still insecure, despite being isometric to $mathbbZ^*_p$. Thus, you really need both the group representation and its modulus to be selected well.
            $endgroup$
            – Myria
            Jan 23 at 0:21







          • 1




            $begingroup$
            @JohnGalt I was showing how the choice of group representation matters for security, not just the group order. So while choosing any group for DH will make the key exchange work, only some choices of representation and order are secure.
            $endgroup$
            – Myria
            Jan 23 at 1:08













          11












          11








          11





          $begingroup$


          I’m trying to understand which properties of a group are used in DHKE at each step.




          Actually, you can implement a DH-style operation in any semigroup; you need closure, and you need associativity (so $A^3 = Atimes A times A = (A times A) times A = A times (A times A)$ is well defined), but other than that, you really don't need anything. You don't need an identity, you don't need the semigroup to be abelian (although the sub-semigroup generated by a single element will always be abelian), it doesn't have to be finite (although infinite semigroups would cause practical problems during implementation) and you don't need inverses (which, if you don't have an identity, aren't well-defined anyways).



          We typically don't talk about doing DH in a semigroup mostly because (AFAIK) no one has found a semigroup (that's not also a group) that has any particular advantage over a true group.



          Now, what's a more interesting (and considerably harder) question is "what properties do you need for DHKE to be secure?" We do have assumptions such as the CDH assumption ("given $g, g^a, g^b$, it's hard to compute $g^ab$), however we don't know what semigroup properties ensure that...






          share|improve this answer











          $endgroup$




          I’m trying to understand which properties of a group are used in DHKE at each step.




          Actually, you can implement a DH-style operation in any semigroup; you need closure, and you need associativity (so $A^3 = Atimes A times A = (A times A) times A = A times (A times A)$ is well defined), but other than that, you really don't need anything. You don't need an identity, you don't need the semigroup to be abelian (although the sub-semigroup generated by a single element will always be abelian), it doesn't have to be finite (although infinite semigroups would cause practical problems during implementation) and you don't need inverses (which, if you don't have an identity, aren't well-defined anyways).



          We typically don't talk about doing DH in a semigroup mostly because (AFAIK) no one has found a semigroup (that's not also a group) that has any particular advantage over a true group.



          Now, what's a more interesting (and considerably harder) question is "what properties do you need for DHKE to be secure?" We do have assumptions such as the CDH assumption ("given $g, g^a, g^b$, it's hard to compute $g^ab$), however we don't know what semigroup properties ensure that...







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Jan 22 at 21:28

























          answered Jan 22 at 21:15









          ponchoponcho

          91.6k2145238




          91.6k2145238











          • $begingroup$
            I appreciate the answer and am going to mark it as answered. Regarding, "what properties do you need for DHKE to be secure?" that was my intended question but that definitely wasn't clear. I'm glad, however, that they're two questions now, one with the minimum properties necessary for DHKE implementation (regardless of security) and this other question regarding the secure-ness are hardness I guess. Should I ask a separate question are could you expand on it here?
            $endgroup$
            – JohnGalt
            Jan 22 at 21:39






          • 1




            $begingroup$
            The selection of group is critical for security. Using DH with the group $mod p$ for many primes $p$ with group operation $times$ is secure as far as we know, yet using DH with the group $mod p-1$ with group operation $+$ is not secure (discrete log is simply modular division), even though the two groups are isomorphic.
            $endgroup$
            – Myria
            Jan 22 at 22:58











          • $begingroup$
            @Myria Is the selection of the group critical for security or the selection of the modulus? For DHKE over $Z_p^*$ it would appear from the answer above that the critical factor is choosing a large enough prime so that the sqrt(p) is large enough to make brute forcing the DLP computationally infeasible?
            $endgroup$
            – JohnGalt
            Jan 22 at 23:31






          • 2




            $begingroup$
            @JohnGalt For $mathbbZ^*_p$, $p$ needs to be a prime such that $p-1$ has at least one large prime; optimally $p$ is a Sophie-Germain prime. Otherwise, the discrete logarithm is easy (Pohlig-Hellman with Baby-Step Giant-Step). But even with such a $p$, $mathbbZ^+_p-1$ is still insecure, despite being isometric to $mathbbZ^*_p$. Thus, you really need both the group representation and its modulus to be selected well.
            $endgroup$
            – Myria
            Jan 23 at 0:21







          • 1




            $begingroup$
            @JohnGalt I was showing how the choice of group representation matters for security, not just the group order. So while choosing any group for DH will make the key exchange work, only some choices of representation and order are secure.
            $endgroup$
            – Myria
            Jan 23 at 1:08
















          • $begingroup$
            I appreciate the answer and am going to mark it as answered. Regarding, "what properties do you need for DHKE to be secure?" that was my intended question but that definitely wasn't clear. I'm glad, however, that they're two questions now, one with the minimum properties necessary for DHKE implementation (regardless of security) and this other question regarding the secure-ness are hardness I guess. Should I ask a separate question are could you expand on it here?
            $endgroup$
            – JohnGalt
            Jan 22 at 21:39






          • 1




            $begingroup$
            The selection of group is critical for security. Using DH with the group $mod p$ for many primes $p$ with group operation $times$ is secure as far as we know, yet using DH with the group $mod p-1$ with group operation $+$ is not secure (discrete log is simply modular division), even though the two groups are isomorphic.
            $endgroup$
            – Myria
            Jan 22 at 22:58











          • $begingroup$
            @Myria Is the selection of the group critical for security or the selection of the modulus? For DHKE over $Z_p^*$ it would appear from the answer above that the critical factor is choosing a large enough prime so that the sqrt(p) is large enough to make brute forcing the DLP computationally infeasible?
            $endgroup$
            – JohnGalt
            Jan 22 at 23:31






          • 2




            $begingroup$
            @JohnGalt For $mathbbZ^*_p$, $p$ needs to be a prime such that $p-1$ has at least one large prime; optimally $p$ is a Sophie-Germain prime. Otherwise, the discrete logarithm is easy (Pohlig-Hellman with Baby-Step Giant-Step). But even with such a $p$, $mathbbZ^+_p-1$ is still insecure, despite being isometric to $mathbbZ^*_p$. Thus, you really need both the group representation and its modulus to be selected well.
            $endgroup$
            – Myria
            Jan 23 at 0:21







          • 1




            $begingroup$
            @JohnGalt I was showing how the choice of group representation matters for security, not just the group order. So while choosing any group for DH will make the key exchange work, only some choices of representation and order are secure.
            $endgroup$
            – Myria
            Jan 23 at 1:08















          $begingroup$
          I appreciate the answer and am going to mark it as answered. Regarding, "what properties do you need for DHKE to be secure?" that was my intended question but that definitely wasn't clear. I'm glad, however, that they're two questions now, one with the minimum properties necessary for DHKE implementation (regardless of security) and this other question regarding the secure-ness are hardness I guess. Should I ask a separate question are could you expand on it here?
          $endgroup$
          – JohnGalt
          Jan 22 at 21:39




          $begingroup$
          I appreciate the answer and am going to mark it as answered. Regarding, "what properties do you need for DHKE to be secure?" that was my intended question but that definitely wasn't clear. I'm glad, however, that they're two questions now, one with the minimum properties necessary for DHKE implementation (regardless of security) and this other question regarding the secure-ness are hardness I guess. Should I ask a separate question are could you expand on it here?
          $endgroup$
          – JohnGalt
          Jan 22 at 21:39




          1




          1




          $begingroup$
          The selection of group is critical for security. Using DH with the group $mod p$ for many primes $p$ with group operation $times$ is secure as far as we know, yet using DH with the group $mod p-1$ with group operation $+$ is not secure (discrete log is simply modular division), even though the two groups are isomorphic.
          $endgroup$
          – Myria
          Jan 22 at 22:58





          $begingroup$
          The selection of group is critical for security. Using DH with the group $mod p$ for many primes $p$ with group operation $times$ is secure as far as we know, yet using DH with the group $mod p-1$ with group operation $+$ is not secure (discrete log is simply modular division), even though the two groups are isomorphic.
          $endgroup$
          – Myria
          Jan 22 at 22:58













          $begingroup$
          @Myria Is the selection of the group critical for security or the selection of the modulus? For DHKE over $Z_p^*$ it would appear from the answer above that the critical factor is choosing a large enough prime so that the sqrt(p) is large enough to make brute forcing the DLP computationally infeasible?
          $endgroup$
          – JohnGalt
          Jan 22 at 23:31




          $begingroup$
          @Myria Is the selection of the group critical for security or the selection of the modulus? For DHKE over $Z_p^*$ it would appear from the answer above that the critical factor is choosing a large enough prime so that the sqrt(p) is large enough to make brute forcing the DLP computationally infeasible?
          $endgroup$
          – JohnGalt
          Jan 22 at 23:31




          2




          2




          $begingroup$
          @JohnGalt For $mathbbZ^*_p$, $p$ needs to be a prime such that $p-1$ has at least one large prime; optimally $p$ is a Sophie-Germain prime. Otherwise, the discrete logarithm is easy (Pohlig-Hellman with Baby-Step Giant-Step). But even with such a $p$, $mathbbZ^+_p-1$ is still insecure, despite being isometric to $mathbbZ^*_p$. Thus, you really need both the group representation and its modulus to be selected well.
          $endgroup$
          – Myria
          Jan 23 at 0:21





          $begingroup$
          @JohnGalt For $mathbbZ^*_p$, $p$ needs to be a prime such that $p-1$ has at least one large prime; optimally $p$ is a Sophie-Germain prime. Otherwise, the discrete logarithm is easy (Pohlig-Hellman with Baby-Step Giant-Step). But even with such a $p$, $mathbbZ^+_p-1$ is still insecure, despite being isometric to $mathbbZ^*_p$. Thus, you really need both the group representation and its modulus to be selected well.
          $endgroup$
          – Myria
          Jan 23 at 0:21





          1




          1




          $begingroup$
          @JohnGalt I was showing how the choice of group representation matters for security, not just the group order. So while choosing any group for DH will make the key exchange work, only some choices of representation and order are secure.
          $endgroup$
          – Myria
          Jan 23 at 1:08




          $begingroup$
          @JohnGalt I was showing how the choice of group representation matters for security, not just the group order. So while choosing any group for DH will make the key exchange work, only some choices of representation and order are secure.
          $endgroup$
          – Myria
          Jan 23 at 1:08

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Cryptography Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66688%2fwhich-properties-of-a-group-are-used-in-the-steps-of-diffie-hellman%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown






          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?