DH算法证明及相应的理论知识

迪菲－赫尔曼密钥交换（Diffie–Hellmankey exchange，简称“D–H”）是一种安全协议。
它可以让双方在完全没有对方任何预先信息的条件下通过不安全信道建立起一个密钥。这个密钥可以在后续的通讯中作为对称密钥来加密通讯内容。

(1)、算法描述

离散对数的概念：

原根：如果a是素数p的一个原根，那么数值：

amod p，a^2 modp，…，a^(p-1) modp

是各不相同的整数，且以某种排列方式组成了从1到p-1 的所有整数。

离散对数：如果对于一个整数b和素数p的一个原根a，可以找到一个唯一的指数 i，使得：

b =（a的i次方） modp 其中0≦ i ≦p-1

那么指数i 称为b的以a为基数的模p的离散对数。

Diffie-Hellman 算法的有效性依赖于计算离散对数的难度，其含义是：当已知大素数p和它的一个原根a后，对给定的 b，要计算 i ，被认为是很困难的，而给定 i 计算b 却相对容易。

Diffie-Hellman算法：

假如用户A和用户B希望交换一个密钥。

取素数p和整数a，a是p的一个原根，公开a和p。

A选择随机数XA<p，并计算YA=a^XA modp。

B选择随机数XB<p，并计算YB=a^XB modp。

每一方都将X保密而将Y公开让另一方得到。

A计算密钥的方式是：K=(YB)^XA modp

B计算密钥的方式是：K=(YA)^XB modp

证明：

(YB)^ XA mod p = (a^XB modp)^XA mod p

= (a^XB)^XA mod p = (a^XA)^XB mod p (<-- 密钥即为 a^(XA*XB) mod p)

=(a^XA modp)^XB mod p = (YA) ^XBmod p

由于XA和XB是保密的，而第三方只有p、a、YB、YA可以利用，只有通过取离散对数来确定密钥，但对于大的素数p，计算离散对数是十分困难的。

例子：

假如用户Alice和用户Bob希望交换一个密钥。

取一个素数p =97和97的一个原根a=5。

Alice和Bob分别选择秘密密钥XA=36和XB=58，并计算各自的公开密钥：

YA=a^XAmod p=5^36 mod 97=50

YB=a^XBmod p=5^58 mod 97=44

Alice和Bob交换了公开密钥之后，计算共享密钥如下：

Alice：K=(YB) ^XA mod p=44^36 mod 97=75

Bob：K=(YA) ^XB mod p=50^58 mod 97=75

(2)、安全性

当然，为了使这个例子变得安全，必须使用非常大的XA, XB以及p，否则可以实验所有的可能取值。(总共有最多97个这样的值, 就算XA和XB很大也无济于事)。
如果 p 是一个至少 300 位的质数，并且XA和XB至少有100位长，那么即使使用全人类所有的计算资源和当今最好的算法也不可能从a, p和a^(XA*XB) mod p 中计算出 XA*XB。
这个问题就是著名的离散对数问题。注意g则不需要很大, 并且在一般的实践中通常是2或者5。
在最初的描述中，迪菲－赫尔曼密钥交换本身并没有提供通讯双方的身份验证服务，因此它很容易受到中间人攻击。
一个中间人在信道的中央进行两次迪菲－赫尔曼密钥交换，一次和Alice另一次和Bob，就能够成功的向Alice假装自己是Bob，反之亦然。
而攻击者可以解密（读取和存储）任何一个人的信息并重新加密信息，然后传递给另一个人。因此通常都需要一个能够验证通讯双方身份的机制来防止这类攻击。
有很多种安全身份验证解决方案使用到了迪菲－赫尔曼密钥交换。例如当Alice和Bob共有一个公钥基础设施时，他们可以将他们的返回密钥进行签名。

DH算法用到的基础知识

原根

设m是正整数，a是整数，若a模m的阶等于φ(m)，则称a为模m的一个原根。（其中φ(m)表示m的欧拉函数）

假设一个数g对于P来说是原根，那么g^i mod P的结果两两不同,且有 1<g<P, 0<i<P,那么g可以称为是P的一个原根,归根到底就是g^(P-1) = 1 (mod P)当且仅当指数为P-1的时候成立.(这里P是素数).

简单来说，g^i mod p ≠ g^j mod p （p为素数）

其中i≠j且i, j介於1至(p-1)之间

则g为p的原根。

求原根目前的做法只能是从2开始枚举，然后暴力判断g^(P-1) = 1 (mod P)是否当且当指数为P-1的时候成立

而由于原根一般都不大，所以可以暴力得到.

欧拉函数

在数论，对正整数n，欧拉函数是少于或等于n的数中与n互质的数的数目。此函数以其首名研究者欧拉命名，它又称为Euler's totient function、φ函数、欧拉商数等。例如φ(8)=4，因为1,3,5,7均和8互质。从欧拉函数引伸出来在环论方面的事实和拉格朗日定理构成了欧拉定理的证明。

φ函数的值　通式：φ(x)=x(1-1/p1)(1-1/p2)(1-1/p3)(1-1/p4)…..(1-1/pn),其中p1,p2……pn为x的所有质因数，x是不为0的整数。φ(1)=1（唯一和1互质的数(小于等于1)就是1本身）。 (注意：每种质因数只一个。比如12=2*2*3那么φ（12）=12*（1-1/2）*(1-1/3)=4

若n是质数p的k次幂，φ(n)=p^k-p^(k-1)=(p-1)p^(k-1)，因为除了p的倍数外，其他数都跟n互质。

设n为正整数，以 φ(n)表示不超过n且与n互

素的正整数的个数，称为n的欧拉函数值，这里函数

φ：N→N，n→φ(n)称为欧拉函数。

欧拉函数是积性函数——若m,n互质，φ(mn)=φ(m)φ(n)。

特殊性质：当n为奇数时，φ(2n)=φ(n),证明与上述类似。

Description( from wikipedia)

Illustration of the Diffie–Hellman Key Exchange

Diffie–Hellman establishes ashared secret that can be used for secret communications while exchanging dataover a public network. The following diagram illustrates the general idea ofthe key exchange by using colors instead of a very large number. The crucialpart of the process is that Alice andBob exchangetheir secret colors in a mix only. Finally this generates an identical key thatis computationally difficult (impossible for modernsupercomputers to do in a reasonable amount of time) toreverse for another party that might have been listening in on them. Alice andBob now use this common secret to encrypt and decrypt their sent and receiveddata. The starting color (yellow) is arbitrary, but is agreed on in advance byAlice and Bob, and does not need to be secret.

Cryptographic explanation

The simplest and the originalimplementation of the protocol uses the multiplicative group of integersmodulo p, where p is prime, and g is a primitive root modulo p. Here is an example of theprotocol, with non-secret values in blue, andsecret values in red.

1. Alice andBob agree touse a prime number p = 23 and base g = 5 (which is a primitive root modulo 23).

2. Alice chooses a secret integer a = 6, thensends Bob A = g^a mod p

· A = 5⁶ mod 23 = 8

3. Bob chooses a secret integer b = 15, thensends Alice B = g^b mod p

· B = 5¹⁵ mod 23 = 19

4. Alice computes s = B^a mod p

· s = 19⁶ mod 23 = 2

5. Bob computes s = A^b mod p

· s = 8¹⁵ mod 23 = 2

6. Alice and Bob now share a secret (the number 2).

Both Alice and Bob have arrivedat the same value, because (g^a)^b (for Bob, 8¹⁵ mod 23 = (g^a mod p)^b mod p = (g^a)^b mod p)and (g^b)^a are equal mod p. Note that only a, b, and (g^ab mod p = g^ba mod p) are kept secret. All the other values– p, g, g^a modp, and g^b mod p – are sent in the clear. Once Aliceand Bob compute the shared secret they can use it as an encryption key, knownonly to them, for sending messages across the same open communications channel.

Of course, much larger values of a, b, and p would be needed to make this examplesecure, since there are only 23 possible results of n mod 23. However, if p is a prime of at least 300 digits, and a and b are at least 100 digits long, theneven the fastest modern computers cannot find a given only g, p, g^b mod p and g^a mod p.The problem such a computer needs to solve is called the discrete logarithm problem. Thecomputation of g^a mod p is known as modular exponentiation and can be done efficiently even for largenumbers. Note that g need not be large at all, and inpractice is usually a small prime (like 2, 3, 5...) because primitive rootsusually are quite numerous.

Generalization to finite cyclic groups

Here's a more general descriptionof the protocol,

1. Alice and Bob agree on a finite cyclicgroup G and a generating element g in G.(This is usually done long before the rest of the protocol; g is assumed to be known by allattackers.) We will write the group G multiplicatively.

2. Alice picks a random naturalnumber a and sends g^a to Bob.

3. Bob picks a random natural number b and sends g^b to Alice.

4. Alice computes (g^b)^a.

5. Bob computes (g^a)^b.

Both Alice and Bob are now inpossession of the group element g^ab, whichcan serve as the shared secret key.

If m is a message, and an element of thegroup, then we can encrypt e = mg^ab. Then wecan decipher m from e as follows: We compute (g^ab)⁻¹, using|G|:

Bob knows G, b, and g^a. As g generates G it follows that g^|G| = 1 (the group identity). Bob calculates (g^a)^|G|−b = g^a^(|G|−b) = g^a^|G|−ab = g^a^|G|g^−ab = (g^|G|)^ag^−ab = 1^ag^−ab = g^−ab = (g^ab)⁻¹.

When Alice sends Bob theencrypted message, e =mg^ab, Bobcomputes e(g^ab)⁻¹ = mg^ab(g^ab)⁻¹ = m(1)= m.

When the group is too large for amultiplication table, then a multiplication algorithm is needed, and Exponentiation for finite cyclic groups should be used.

Returning to the originalquestion of Diffie–Hellman key exchange, how can a key be extracted, ingeneral, from the shared group element g^ab? Onecould extract a set of AES keys from it. This would require a mappingfrom G to the set of n-bit binary strings,and the mapping would depend on G.For example, if G consisted of the powers of a fixednonsingular matrix A defined over a finite field, and if g^ab = {g_i,j}, thenthe element g₁₁ would be an element of the field and wouldhave a binary representation that could be divided up into AES keys.

Secrecy chart

The chart below depicts who knowswhat, again with non-secret values in blue, andsecret values in red. HereEve is aneavesdropper—she watches what is sent between Alice andBob, but she does not alter the contents of their communications.

· g = public(prime) base, known to Alice, Bob, and Eve. g = 5

· p = public(prime) number, known to Alice, Bob, and Eve. p = 23

· a = Alice's private key, known only to Alice. a = 6

· b = Bob's private key known only to Bob. b = 15

· A = Alice'spublic key, known to Alice, Bob, and Eve. A = g^a mod p = 8

· B = Bob'spublic key, known to Alice, Bob, and Eve. B = g^b mod p = 19

Alice
knows	doesn't know
p = 23	b = ?
base g = 5
a = 6
A = 5^a mod 23
A = 5⁶ mod 23 = 8
B = 19
s = B^a mod 23
s = 19⁶ mod 23 = 2
s = 2

Bob
knows	doesn't know
p = 23	a = ?
base g = 5
b = 15
B = 5^b mod 23
B = 5¹⁵ mod 23 = 19
A = 8
s = A^b mod 23
s = 8¹⁵ mod 23 = 2
s = 2

Eve
knows	doesn't know
p = 23	a = ?
base g = 5	b = ?
s = ?
A = 8
B = 19
s = 19^a mod 23 = 8^b mod 23

· Now s = the shared secret key and it is known toboth Alice and Bob, but not to Eve. s = 2

Note: It should be difficult forAlice to solve for Bob's private key or for Bob to solve for Alice's privatekey. If it is not difficult for Alice to solve for Bob's private key (or viceversa), Eve may simply substitute her own private / public key pair, plug Bob'spublic key into her private key, produce a fake shared secret key, and solvefor Bob's private key (and use that to solve for the shared secret key. Eve mayattempt to choose a public / private key pair that will make it easy for her tosolve for Bob's private key). Another demonstration of Diffie-Hellman (alsousing numbers too small for practical use) is given here ^[7]