CSC110/07-cryptography/03-key-exchange.html
Hykilpikonna 6fffdf686a deploy
2021-12-07 22:28:01 -05:00

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="" xml:lang="">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>7.3 Computing Shared Secret Keys</title>
<style>
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
span.underline{text-decoration: underline;}
div.column{display: inline-block; vertical-align: top; width: 50%;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
ul.task-list{list-style: none;}
</style>
<link rel="stylesheet" href="../tufte.css" />
<script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js" type="text/javascript"></script>
<!--[if lt IE 9]>
<script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
<![endif]-->
</head>
<body>
<div style="display:none">
\(
\newcommand{\NOT}{\neg}
\newcommand{\AND}{\wedge}
\newcommand{\OR}{\vee}
\newcommand{\XOR}{\oplus}
\newcommand{\IMP}{\Rightarrow}
\newcommand{\IFF}{\Leftrightarrow}
\newcommand{\TRUE}{\text{True}\xspace}
\newcommand{\FALSE}{\text{False}\xspace}
\newcommand{\IN}{\,{\in}\,}
\newcommand{\NOTIN}{\,{\notin}\,}
\newcommand{\TO}{\rightarrow}
\newcommand{\DIV}{\mid}
\newcommand{\NDIV}{\nmid}
\newcommand{\MOD}[1]{\pmod{#1}}
\newcommand{\MODS}[1]{\ (\text{mod}\ #1)}
\newcommand{\N}{\mathbb N}
\newcommand{\Z}{\mathbb Z}
\newcommand{\Q}{\mathbb Q}
\newcommand{\R}{\mathbb R}
\newcommand{\C}{\mathbb C}
\newcommand{\cA}{\mathcal A}
\newcommand{\cB}{\mathcal B}
\newcommand{\cC}{\mathcal C}
\newcommand{\cD}{\mathcal D}
\newcommand{\cE}{\mathcal E}
\newcommand{\cF}{\mathcal F}
\newcommand{\cG}{\mathcal G}
\newcommand{\cH}{\mathcal H}
\newcommand{\cI}{\mathcal I}
\newcommand{\cJ}{\mathcal J}
\newcommand{\cL}{\mathcal L}
\newcommand{\cK}{\mathcal K}
\newcommand{\cN}{\mathcal N}
\newcommand{\cO}{\mathcal O}
\newcommand{\cP}{\mathcal P}
\newcommand{\cQ}{\mathcal Q}
\newcommand{\cS}{\mathcal S}
\newcommand{\cT}{\mathcal T}
\newcommand{\cV}{\mathcal V}
\newcommand{\cW}{\mathcal W}
\newcommand{\cZ}{\mathcal Z}
\newcommand{\emp}{\emptyset}
\newcommand{\bs}{\backslash}
\newcommand{\floor}[1]{\left \lfloor #1 \right \rfloor}
\newcommand{\ceil}[1]{\left \lceil #1 \right \rceil}
\newcommand{\abs}[1]{\left | #1 \right |}
\newcommand{\xspace}{}
\newcommand{\proofheader}[1]{\underline{\textbf{#1}}}
\)
</div>
<header id="title-block-header">
<h1 class="title">7.3 Computing Shared Secret Keys</h1>
</header>
<section>
<p>A historical limitation of symmetric-key cryptosystems was how to establish a shared, but secret, key. If the two communicating parties were able to meet in person, they could agree upon a shared secret key while physically together (assuming no one else was spying on them). But what if I want to communicate with someone securely in a different city or different country? Or, to use a more modern example, to communicate with a server across the Internet, which I cannot hope to meet in person?</p>
<p>One solution to this problem is the <em>Diffie-Hellman key exchange</em>, an algorithm executed by two people (or computers) to compute a shared secret while communicating entirely in public (open to eavesdroppers). We will introduce the intuition behind the Diffie-Hellman key exchange with an analogy in which our familiar Alice and Bob communicate with colours. Afterwards, we will replace colours with numbers to understand how the process works in today's digital world.</p>
<h2 id="alice-and-bob-are-mixing-paint">Alice and Bob are mixing paint</h2>
<p>Suppose that Alice and Bob would like to establish a secret <em>paint colour</em> that only the two of them know. They use the following procedure.</p>
<table class="fullwidth">
<tbody>
<tr>
<td style="width: 55%; vertical-align: top; padding-right: 2em;">
<p><em>First</em>, they both agree on a random, not-secret colour of paint to start with: yellow. They decide on this shared colour publicly, so eavesdroppers also know this colour!</p>
<p><em>Second</em>, they each choose their own secret colour, which they will never share with each other or anyone else. In our example, Alice decides on red and Bob chooses teal (a green-blue colour).</p>
<p><em>Third</em>, they each mix their secret colours with their shared colour yellow, producing a light orange for Alice and a blue for Bob. This is also done in secret.</p>
<p><em>Fourth</em>, they exchange these colours with each other, which is done publicly. At this point, there are three not-secret colours: yellow and the two mixtures. And there are two secret colours: Alice's red and Bob's teal.</p>
<p><em>Fifth</em>, Alice mixes Bob's blue colour with her original secret red to produce a brown. Bob mixes Alice's light orange with his original secret teal to produce the same brown. Why are these the same brown? Because they both consist of the same mixture of three colours: yellow (shared), red (Alice's secret), and teal (Bob's secret)!</p>
<p>Finally, why is this brown a secret? Any eavesdropper has access to three colours: the original shared yellow (from the first step), and the two mixtures orange and blue (from the fourth step). If we assume that the colour mixtures are not easily separated (i.e., it is very difficult to extract the yellow from each mixture), then the eavesdropper cannot determine what Alice and Bob's secret colours were, and therefore can't mix them together with the yellow to produce the right shade of brown!</p>
</td>
<td>
<img src="./images/diffie-hellman-paint.png" alt="Alice and Bob paint mixing" /><br />
</td>
</tr>
</tbody>
</table>
<h2 id="the-diffie-hellman-key-exchange">The Diffie-Hellman key exchange</h2>
<p>Unfortunately, transmitting paint across digital channels is intractable, but transmitting numbers isn't. The Diffie-Hellman key exchange uses some neat (yet simple) operations from modular arithmetic to play out the same scenario as our paint analogy.</p>
<div class="framed">
<p><strong>Diffie-Hellman Key Exchange Algorithm</strong></p>
<p>Setting: Two parties, Alice and Bob</p>
<p>Result: Alice and Bob share a secret key <span class="math inline">\(k\)</span>.</p>
<ol type="1">
<li><p>Alice chooses a prime number <span class="math inline">\(p\)</span> greater than two and an integer <span class="math inline">\(g\)</span> which satisfies <span class="math inline">\(2 \leq g \leq p - 1\)</span>, and sends both to Bob.</p></li>
<li><p>Alice chooses a secret number <span class="math inline">\(a \in \{1, 2, \dots, p-1\}\)</span> and sends <span class="math inline">\(A = g^a ~\%~ p\)</span> to Bob.</p></li>
<li><p>Bob chooses a secret number <span class="math inline">\(b \in \{1, 2, \dots, p-1\}\)</span> and sends <span class="math inline">\(B = g^b ~\%~ p\)</span> to Alice.</p></li>
<li><p>Alice computes <span class="math inline">\(k_A = B^a ~\%~ p\)</span>. Bob computes <span class="math inline">\(k_B = A^b ~\%~ p\)</span>.</p>
<p>It turns out that <span class="math inline">\(k_A = k_B\)</span>, and so this value is chosen as the secret key <span class="math inline">\(k\)</span> that Alice and Bob share.</p></li>
</ol>
</div>
<h3 id="an-example">An example</h3>
<p>Here is an example of the Diffie-Hellman key exchange in action.</p>
<ol type="1">
<li>Alice starts by choosing <span class="math inline">\(p = 23\)</span> and <span class="math inline">\(g = 2\)</span>. She sends both <span class="math inline">\(p\)</span> and <span class="math inline">\(g\)</span> to Bob.</li>
<li>Alice chooses a secret number <span class="math inline">\(a = 5\)</span>. She sends <span class="math inline">\(A = g^a ~\%~ p = 2^5 ~\%~ 23 = 9\)</span> to Bob.</li>
<li>Bob chooses a secret number <span class="math inline">\(b = 14\)</span>. He sends <span class="math inline">\(B = g^b ~\%~ p = 2^{14} ~\%~ 23 = 8\)</span> to Alice.</li>
<li>Alice computes <span class="math inline">\(k_A = B^a ~\%~ p = 8^5 ~\%~ 23 = 16\)</span>. Bob computes <span class="math inline">\(k_B = A^b ~\%~ p = 9^{14} ~\%~ 23 = 16\)</span>. As expected, <span class="math inline">\(k_A = k_B\)</span>, and these form the secret key <span class="math inline">\(k\)</span>!</li>
</ol>
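<p>The algorithm and the worked example above, played out by both parties in Python. This is an added example, not code from the course notes; the function names <code>dh_public</code>, <code>dh_shared</code>, <code>run_exchange</code> and <code>random_exchange</code> are our own, and the 127-bit prime used at the end is chosen only to show that the arithmetic stays instant at larger sizes, not as a recommended group. Python's built-in <code>pow(base, exp, mod)</code> does modular exponentiation without ever forming the huge intermediate <span class="math inline">\(g^a\)</span>, which is what makes <span class="math inline">\(g^a ~\%~ p\)</span> feasible when <span class="math inline">\(p\)</span> has hundreds of digits.</p>

```python
import secrets
from typing import Optional, Tuple

# Added example (not from the course notes): the Diffie-Hellman exchange
# from the section above, run from both Alice's and Bob's side.


def dh_public(g: int, secret: int, p: int) -> int:
    """Steps 2 and 3: the value a party publishes, g^secret % p."""
    return pow(g, secret, p)


def dh_shared(other_public: int, secret: int, p: int) -> int:
    """Step 4: the shared key, (other party's public value)^secret % p."""
    return pow(other_public, secret, p)


def run_exchange(p: int, g: int, a: int, b: int) -> Tuple[int, int, int, int]:
    """Play out steps 2 to 4 with fixed secrets a and b.

    Returns (A, B, k_A, k_B). Only p, g, A and B ever cross the channel;
    a, b, k_A and k_B stay on Alice's and Bob's own machines.
    """
    A = dh_public(g, a, p)      # Alice -> Bob (public)
    B = dh_public(g, b, p)      # Bob -> Alice (public)
    k_A = dh_shared(B, a, p)    # computed by Alice
    k_B = dh_shared(A, b, p)    # computed by Bob
    return A, B, k_A, k_B


def random_exchange(p: int, g: int) -> int:
    """Steps 2 to 4 with secrets drawn uniformly from {1, ..., p-1}.

    secrets.randbelow is a cryptographic RNG; random.randint is not, and
    must never be used for a and b. Returns the agreed key after checking
    that both sides really did compute the same value.
    """
    a = secrets.randbelow(p - 1) + 1
    b = secrets.randbelow(p - 1) + 1
    A, B, k_A, k_B = run_exchange(p, g, a, b)
    if k_A != k_B:
        raise AssertionError("correctness theorem violated")
    return k_A


if __name__ == "__main__":
    # The worked example from the notes: p = 23, g = 2, a = 5, b = 14.
    print(run_exchange(23, 2, 5, 14))        # (9, 8, 16, 16)
    # Same code with the Mersenne prime 2^127 - 1 (an assumption for this
    # demo only; deployments use standardised groups such as the 2048-bit
    # primes in RFC 7919). Still instant thanks to pow's modular exponentiation.
    p_big = 2**127 - 1
    print(random_exchange(p_big, 5) > 0)     # True
```

<p>Running the block reproduces <span class="math inline">\(A = 9\)</span>, <span class="math inline">\(B = 8\)</span> and <span class="math inline">\(k = 16\)</span> from the example. Note which values leave each machine: the tuple returned by <code>run_exchange</code> is only for inspection, and a real implementation would return the key to its owner and nothing else.</p>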
<h2 id="correctness-are-k_a-and-k_b-always-equal">Correctness: Are <span class="math inline">\(k_A\)</span> and <span class="math inline">\(k_B\)</span> always equal?</h2>
<p>That last sentence in the Diffie-Hellman key exchange algorithm description is doing a lot of work. How do we “know” that <span class="math inline">\(k_A = k_B\)</span>? With a proof, of course!</p>
<div class="theorem">
<p>(<em>Correctness of Diffie-Hellman key exchange</em>)</p>
<p>For all <span class="math inline">\(p, g, a, b \in \Z^+\)</span>, <span class="math inline">\((g^b ~\%~ p)^a ~\%~ p = (g^a ~\%~ p)^b ~\%~ p\)</span>.</p>
<div class="discussion">
<p>Even though the Diffie-Hellman algorithm frames the communication in terms of remainders, we can analyze the numbers using modular arithmetic modulo <span class="math inline">\(p\)</span>. In this case the calculation involves just switching around exponents in <span class="math inline">\(g^{ab}\)</span>.</p>
</div>
<div class="proof">
<p>Let <span class="math inline">\(p, g, a, b \in \Z^+\)</span>. Let <span class="math inline">\(A = g^a ~\%~ p\)</span> and <span class="math inline">\(B = g^b ~\%~ p\)</span>. We'll prove that <span class="math inline">\(B^a ~\%~ p = A^b ~\%~ p\)</span>.</p>
<p>First, we have that <span class="math inline">\(A \equiv g^a \pmod p\)</span> and <span class="math inline">\(B \equiv g^b \pmod p\)</span>. So then <span class="math inline">\(A^b \equiv (g^a)^b \equiv g^{ab} \pmod p\)</span>, and <span class="math inline">\(B^a \equiv (g^b)^a \equiv g^{ba} \pmod p\)</span>. Since <span class="math inline">\(g^{ab} = g^{ba}\)</span>, we can conclude that <span class="math inline">\(A^b \equiv B^a \pmod p\)</span>.</p>
<p>So then <span class="math inline">\(A^b\)</span> and <span class="math inline">\(B^a\)</span> must have the same remainder when divided by <span class="math inline">\(p\)</span>, and so <span class="math inline">\(B^a ~\%~ p = A^b ~\%~ p\)</span>.</p>
</div>
</div>
<h2 id="security-how-secret-is-the-key">Security: How secret is the key?</h2>
<p>We've just proved that the Diffie-Hellman key exchange is <em>correct</em>, meaning the result at the end of the algorithm is that Alice and Bob have a shared key. But that's not the only purpose of this algorithm: it must also ensure that this shared key is <em>secret</em>, unknown to anyone other than Alice and Bob.</p>
<p>So let's look at the Diffie-Hellman key exchange from the perspective of an eavesdropper that has access to everything Alice and Bob communicate to each other.<label for="sn-0" class="margin-toggle sidenote-number"></label><input type="checkbox" id="sn-0" class="margin-toggle"/><span class="sidenote"> We say that Alice and Bob's communications are <em>public</em>, while their own computing devices are <em>private</em>.</span> So over the course of the algorithm, the eavesdropper has access to <span class="math inline">\(p\)</span>, <span class="math inline">\(g\)</span>, <span class="math inline">\(g^a ~\%~ p\)</span>, and <span class="math inline">\(g^b ~\%~ p\)</span>. The question is: from this information, can the eavesdropper determine the secret key <span class="math inline">\(k\)</span>?</p>
<p>One approach an eavesdropper could take is to try to compute <span class="math inline">\(a\)</span> or <span class="math inline">\(b\)</span> directly (one of them suffices: knowing <span class="math inline">\(a\)</span>, the eavesdropper computes <span class="math inline">\(B^a ~\%~ p\)</span> exactly as Alice does). This is an instance of the <strong>discrete logarithm problem</strong>: given <span class="math inline">\(p, g, y \in \Z^+\)</span>, find an <span class="math inline">\(x \in \Z^+\)</span> such that <span class="math inline">\(g^x \equiv y \pmod p\)</span>. While we could implement a <em>brute-force</em> algorithm for solving this problem that simply tries all possible exponents <span class="math inline">\(x \in \{0, 1, \dots, p-1\}\)</span>, this takes time proportional to <span class="math inline">\(p\)</span> and so is computationally infeasible in practice when <span class="math inline">\(p\)</span> is chosen to be extremely large.<label for="sn-1" class="margin-toggle sidenote-number"></label><input type="checkbox" id="sn-1" class="margin-toggle"/><span class="sidenote"> We'll explore exactly what we mean by terms like “efficient” and “inefficient” more precisely in the next chapter.</span></p>
<p>Perhaps surprisingly, there is no known <em>efficient</em> algorithm for solving the discrete logarithm problem modulo a large prime, provided the parameters are chosen well: <span class="math inline">\(p\)</span> must be large, and <span class="math inline">\(g\)</span> must generate a large subgroup of the integers modulo <span class="math inline">\(p\)</span> (in practice, <span class="math inline">\(p - 1\)</span> has a large prime factor <span class="math inline">\(q\)</span> and <span class="math inline">\(g\)</span> has order <span class="math inline">\(q\)</span> or <span class="math inline">\(p - 1\)</span>). Our toy example violates this: <span class="math inline">\(2^{11} \equiv 1 \pmod{23}\)</span>, so <span class="math inline">\(g = 2\)</span> produces only 11 distinct values, and no matter how <span class="math inline">\(a\)</span> and <span class="math inline">\(b\)</span> are chosen there are only 11 possible keys. So we say that the Diffie-Hellman key exchange is <strong>computationally secure</strong>: while there are known algorithms that eavesdroppers could use for determining the shared secret key, all known algorithms are computationally infeasible for primes of the sizes used in practice, which tend to be on the order of <span class="math inline">\(2^{2048} \approx 10^{617}\)</span>! One more caveat: as described, the exchange protects only against a <em>passive</em> eavesdropper. Nothing in it tells Alice that <span class="math inline">\(B\)</span> really came from Bob, so in practice Diffie-Hellman is combined with a way of authenticating the two parties.</p>
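<p>The eavesdropper's side of the exchange, as an added example that is not part of the course notes: it solves one discrete logarithm by the brute-force search described above and recovers the key from the public transcript of the worked example. The function names <code>discrete_log_bruteforce</code>, <code>eavesdrop</code> and <code>multiplicative_order</code> are our own. The last function counts how many distinct values <span class="math inline">\(g^x ~\%~ p\)</span> can take, which is the check a practitioner would run on a proposed <span class="math inline">\(g\)</span> before trusting it.</p>

```python
from typing import Optional

# Added example (not from the course notes): what an eavesdropper who only
# sees p, g, A and B can do. Runtime is proportional to p, which is why this
# is trivial for p = 23 and hopeless for a 2048-bit prime.


def discrete_log_bruteforce(g: int, y: int, p: int) -> Optional[int]:
    """Smallest x >= 0 with g^x % p == y, or None if no such x exists.

    Walks g^0, g^1, g^2, ... multiplying by g at each step rather than
    calling pow inside the loop, so each step is one modular multiplication.
    Assumes p is prime and 1 <= g <= p-1.
    """
    value = 1                       # g^0
    for x in range(p - 1):          # g^(p-1) % p == 1, so later x repeat
        if value == y:
            return x
        value = (value * g) % p
    return None


def eavesdrop(p: int, g: int, A: int, B: int) -> Optional[int]:
    """Recover the shared key from the public transcript alone.

    One discrete log suffices: for any a' with g^a' = A (mod p),
    B^a' = g^(b a') = A^b (mod p), which is exactly Bob's k_B.
    """
    a_prime = discrete_log_bruteforce(g, A, p)
    if a_prime is None:
        return None
    return pow(B, a_prime, p)


def multiplicative_order(g: int, p: int) -> int:
    """Smallest t >= 1 with g^t % p == 1 (assumes p prime, 1 <= g <= p-1).

    This is the number of distinct values g^x % p can take, and so the number
    of distinct public values and shared keys the exchange can ever produce.
    A generator of the whole group has order p - 1.
    """
    value = g % p
    t = 1
    while value != 1:
        value = (value * g) % p
        t += 1
    return t


if __name__ == "__main__":
    # Transcript of the notes' example: p = 23, g = 2, A = 9, B = 8.
    print(eavesdrop(23, 2, 9, 8))                    # 16, Alice and Bob's key
    # Bob's exponent was 14, but the search finds 3: 2^3 = 2^14 (mod 23)
    # because 2 has order 11 modulo 23 and 14 = 3 (mod 11).
    print(discrete_log_bruteforce(2, 8, 23))         # 3
    # g = 2 yields only 11 distinct keys; g = 5 generates the whole group.
    print(multiplicative_order(2, 23), multiplicative_order(5, 23))   # 11 22
```

<p>Two things are worth noticing. First, the eavesdropper never needs Bob's actual <span class="math inline">\(b = 14\)</span>; any exponent in the same class modulo the order of <span class="math inline">\(g\)</span> yields the same key. Second, the order check is cheap relative to the search for a large prime only if you already know the factorisation of <span class="math inline">\(p - 1\)</span>; the linear loop here is fine for toy moduli and is what a brute-force attacker would have to run in any case.</p>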
<!-- ## Diffie-Hellman in Practice
We have shown that Diffie-Hellman provides a way for two users to share a secret key.
However, the protocol we have presented is rarely used on its own.
The main reason for this is a lack of *authentication*;
there is no way for Bob to know that he is communicating with Alice, or vice versa.
One could imagine an evil and malicious man-in-the-middle, pretending to be Alice or Bob depending on who is sending messages.
Still, the Diffie-Hellman key exchange is typically combined with other algorithms and protocols in cryptography to allow for secure communication.
## Scalability of Symmetric Encryption
Our examples have looked at how two people, Alice and Bob, can communicate with a single key.
However, when we want more than two people to communicate, the number of keys needed will grow.
With symmetric encryption, each pair of users needs its own key to communicate securely.
So how many keys do we need for $n$ users to ensure encrypted, pairwise communication?
The answer is a summation:
$1 + 2 + 3 + ... + (n - 1) = N_k$
Which reduces to:
$N_k = n(n - 1) / 2$
Therefore, as the number of users $n$ grows, the number of keys needed $N_k$ grows quadratically (i.e., $n^2$).^[
We will introduce and define several new terms for scalability in the next chapter.
]
To understand why this is a big deal, consider this: how do we exchange all these keys if we don't have a secured form of communication?
Note that we don't have a secured form of communication until both users have the secret key.
Thus, there are two major drawbacks to symmetric encryption:
1. The number of keys needed grows quadratically with the number of users
2. Keys need to be shared securely before symmetric encryption can be used
Despite these drawbacks, symmetric encryption is still widely used today (e.g., AES).
In the next section, we will see how we can securely exchange a key over a public (i.e., unsecure) channel. -->
</section>
<footer>
<a href="https://www.teach.cs.toronto.edu/~csc110y/fall/notes/">CSC110 Course Notes Home</a>
</footer>
</body>
</html>