# Questions tagged as ['diffie-hellman']

STS Protocol is like this:

- $A \rightarrow B:~ g^x$
- $A \leftarrow B:~ g^y, E_K(S_B(g^y, g^x))$
- $A \rightarrow B:~ E_K(S_A(g^x, g^y))$

My question is why do we say in STS we have mutual authentication? For example:

- $A \rightarrow C: g^x$
- $C \rightarrow B: g^x$
- $C \leftarrow B: g^y, E_K(S_B(g^y, g^x))$
- $A \leftarrow C: g^y, E_K(S_B(g^y, g^x))$

so A will authenticate C instead of B!

Here is an idea for a designated verifier signature scheme. Suppose Alice and Bob know each other’s public keys and Alice wants to send a message to Bob, such that only he will be convinced of its authenticity.

Alice will do Diffie–Hellman between their keys and then MAC the message using the derived secret. To verify, Bob will derive the secret doing his side of Diffie–Hellman and verify the M ...

I have some code, which can crack a discrete logarithm problem in ~ O(0.5n) time. However, this only works if, in the following, N is less than P:

G^N (mod P). To be clear, my program can figure out the value of N based on G and P as long as N is in between 1 and P (inclusive and exclusive respectively).

This would be helpful for cracking something like Diffie-Hellman, but I have one question: In mo ...

So I guess https://github.com/google/wycheproof "*tests crypto libraries against known attacks*". It appears to mainly be intended for Java crypto providers but can it easily be adapted to be used for other languages?

For non timing attacks you could probably just loop through the *.json files in the testvectors directory but it's not clear to me what some of the data in there means.

Consider ecdh_sec ...

Given only $p,$ $g,$ $A = g^a\pmod{p}$ and $B = g^b\pmod{p},$ the possible values for the shared secret are all the unique values of $A^b\pmod{p}$, where b is some integer. The shared secret is also equal to $B^a\pmod{p}$, where a is some integer.

So, we can check each one of these possible values for the shared secret. My question is, how do we check if a number is the correct shared secret?

My guess i ...

I am trying to calculate Alice and Bob's shared key by hand without the use of a calculator as I feel this is an important trait when progressing into cryptography.

I understand you can use the square and multiply method however we are being taught a shortcut method which I don't quite understand fully.

Question Example:

*Alice and Bob use the DH protocol with p = 19,g = 2 and secrets a = 6 and b = ...*

I understand that it is feasibly impossible for A and B to select the same random number, given the large input space, but what if it does happen? Does it effect the security of the key exchange? Can an attacker determine that the same keys were chosen?

To my understanding, the DHKE algorithm is symmetric since it only produces a shared secret, rather than public and private keys, however googling "is diffie hellman asymmetric?" results in the following:

Based on public key cryptography, the D-H algorithm is a method for securely exchanging a shared key between two parties over an untrusted network. It is an asymmetric cipher used by several protocols ...

This is part of the explanation of the commitment scheme from DDH in this lecture notes by Vipul Goyal: https://www.cs.cmu.edu/~goyal/s18/15503/scribe_notes/lecture22.pdf

My question is not directly related to the content of the pdf, but in page 20-4, it says $\{g, g^a, g^b, m \cdot g^r |(a, b, r) \leftarrow \mathbb{Z}_q\}$ is computationally indistinguishable from $\{g, g^a, g^b, g^r |(a, b, r) ...

I just read through the text book definition of Diffie–Hellman key exchange. And from what i understand, the public key that is shared based on the protocol is calculated from:

`g^k mod p`

where g is a generator in the multiplicative group, and p is a large prime and k is the private key.

My question is, are all public/private key generated to have this relationship? Or this way of generating the pu ...

I've been tasked with building a Web Assembly site that implements E2EE. I was thinking of using ElGamal Encryption to encrypt the message and Diffie-Hellman to establish the key. After doing further research, I'm having trouble understanding the practical use cases of using ElGamal vs Diffie-Hellman.

If I'm understanding correctly. Diffie-Hellman and ElGamal both rely on the discrete log problem ...

Actually, I am working on a project to combine symmetric and asymmetric cryptographic algorithms.

The shared secret key for AES will be generated through the Elliptic Curve Diffie Hellman Key Exchange (ECDH) Method. I have one question that ECDH will generate a shared secret key of 256 bit or more length key. For AES-128 I need a secret key of 128 bit but ECDH is not generating the 128-bit key.

So h ...

I want to generate a public key that I can use to sign messages and receive messages (using ECDH for exemple).

I want to do so to have the smallest payload to share.

Is it possible and proved secure ?

I'm getting familiar with Signal key exchange phase and as far as I understand all 3 exchanges between Alice ephemeral key and all of Bob keys from the bundle, I have some thoughts about key exchange between **Alice identity key** and **Bob pre signed key**.

I'm aware this is to authenticate Alice and confirm she has identity private key but could this exchange be replaced with one of:

- Alice identity key &l ...

I have read digital signature with Big Brother but don't understand the sequence.

One approach to digital signatures is to have a central authority that knows everything and whom everyone trusts, say Big Brother $(BB).$Each user then chooses a secret key and carries it by hand to $BB$'s office. Thus, only Alice and $BB$ know Alice's secret key, $K_A$, and so on.

When Alice wants to send a signed plaint ...

There is some https traffic from a specific server (which I have the certificate and private key) that I need legitimately be able to read.

This traffic doesn’t come via browser so besides the ephemeral protocol being used using a pre-master secret key is not an option.

Is there any way it is possible to decrypt and analyze the traffic without downgrading the cypher suite to some deprecated RSA no ...

I need to find a prime number $p$ with the following constraints:

- $p$ is at least $1000$ bits long
- $p-1$ is a smooth number with the largest factor below $1000$
- any factor of $p-1$ can be present multiple times

Does this number exist? and if yes, does there is an algorithm to find it?

Given a group where the computational Diffie–Hellman (DH) assumption holds and generator *G*.

Say there is a set of private randomly selected keys *{a, b, c, d, e,...}* and corresponding public keys set *{A, B, C, D, E,...}* calculated as *A=aG*. Each public key is publicly linked to its corresponding user/owner.

Alice can use its private key *a* and the public key of Bob, *B*, to calculate *K=aB*. This *K* is ...

This paper says the CDH problem in a group of square matrices can be solved by a generalized Chinese remainder theorem. I wonder how this problem might be solved?

DH protocol in the cyclic group of matrices $\langle M \rangle$, and the matrix $M$ is considered as public information. It is assumed that Alice generates a random index $x$, calculates the matrix $M^x$, and sends it to Bob. In turn, Bob gener ...

We have a primary-order EC group. Need to perform a (sort-of) DH protocol, whereas the key is permanent, not a nonce (single-usage ephemeral key).

So we receive an arbitrary group element (EC point) from an untrusted party, and reveal it multiplied by the secret key.

Is it always safe to do that? I mean, can the attacker craft the EC point in some manner to extract some info about the key? We ensure ...

The $n$-strong Diffie Hellman assumption state that given the subset $\{g, g^s,\cdots,g^{s^n}\} \subseteq \mathbb{G}$ in a cyclic group $\mathbb{G}$ of prime order $p$, a PPT algorithm cannot output $g^{\frac{1}{s+\alpha}}$ for any $\alpha \in \mathbb{F}_p$ except with negligible probability.

Does it somehow imply that no PPT algorithm can output an irreducible polynomial $f(X)\in \mathbb{F}_p[X]$

I was trying to use Diffie Hellman to first agree on a key and then use that key to symmetrically share a secret. The python3 code using cryptography library look like

```
#Generate some parameters. These can be reused.
parameters = dh.generate_parameters(generator=2, key_size=2048)
# Generate a private key for use in the exchange.
server_key = parameters.generate_private_key()
n=1
client_key=[paramete ...
```

Does breaking the computational Diffie-Hellman problem in a group also always break discrete logarithms in that group?

I need to implement X3DH Key Agreement Protocol according to Signal specification, in the document they suggest using either X25519 or X448 curves. I assume those curves have been chosen for this protocol for a reason. In the codebase elliptic curve public key cryptosystem has already been implemented with secp256k1. Would it be safe to generate the keys needed for this protocol using the existin ...

While implementing the Quadratic Sieve, the textbooks give a rough formula for what Smoothness bound you should use in your Factor Base.

To factor a number N using the Quadratic Sieve, we can use the following:

$L = e^{\sqrt {\ln(N)ln(ln(N))}}$, $B = L^{\frac {1}{\sqrt 2}}$

For the Index Calculus method for solving the Discrete Log problem in $\mathbb F_p$, is there a similar formula? Many of the texts ...

This is a real world question (and as I'm not an expert in cryptography I have only some basic knowledge in terms of just using it, not a deep understanding how ist works under the hood.): A system for data collection from many embedded end-devices employs AES128 GCM/GMAC to protect messages in terms of confidentiality and authenticity: each message $M$ is encrypted $C = E(K, M)$ and protected with a ...

I received a public key by JSON.

For the example, I have 4 keys: 2 public keys and 2 private keys.

```
public A : co2D0pNxZJIeQ4RZlCRJYBDzNXSLluETdztid0M+HGzN1uGJ4JWZsenjWgRrmkLh3yqHQqzOBMl/wHVH97A6+g==
private A : TXxii5Ka8LMvuc9arHu63qTmNKxGlgti+wpR3YhBGew=
public B : nUblC+OKdl94iBiWk0941wmYBiMt7C90CjOJPI2BPr8K7xGuC1XsR5DtwFCoM3Iew2BjBG+5SqrYwAPTJF7gdA==
private B : sm6V7+hChvkFSeLNoR+5tItiX8gH5tT47 ...
```

Imagine that one needs to periodically encrypt very short messages (i.e., a boolean Yes/No, a single byte, or 3-4 bytes in the worst case). We assume that there is no session, and we just need to encrypt under a receiver's public key (i.e., posting an encrypted byte to the blockchain).

I'm aware of ElGamal, Cramer-Shoup, RSA, ECIES encryption etc. and I'm looking for the algorithm with the shorte ...

In JKSS12, a proof for the handshake in TLS-DHE 1.2 is given, assuming (among other things) the PRF-ODH hypothesis on the PRF used to derive keys.

It is also stated that, if TLS 1.2 was to be modified to follow more closely the $\Sigma_0$ protocol from Canetti-Krawczyk; this protocol could be provably secure under a (weaker) DDH assumption instead of the PRF-ODH assumption (as it is the case for I ...