Joux's Protocol: Common Values And Protocols In The Diffie-Hellman Protocol
(vα)γmod r and (vβ)γmod r. Once the protocol in Figure(2-4) is complete SKA, SKBand
SKCare computed by A, B and C respectively where SKA, SKBand SKCare all equal to SKABC=vαβγmod r. This value can serve as the secret key shared by A, B and C. The values α, β and γ should be deleted at the end of the protocol run.
2.3.3
Joux’s Protocol
Joux[45]proposed a very simple and sophisticated one-round protocol in which the secret session key for three partners could be generated in a single round using three broad- casts. This protocol simplifies the Diffie-Hellman protocol shown in Figure(2-4) and is used to generate a shared secret key with lowest communication complexity. Joux’s protocol makes use of bilinear pairings on elliptic curves and requires …show more content…
We suppose that A, B and C share the common values (G1,G2, ˆ e), which are deter- mined by the security parameter µ. In Joux’s protocol, U is the generator of the group G1of prime order r, and α,β,γ ∈ Z∗ rare chosen uniformly at random by the three partners. As in the Diffie-Hellman protocol, the ordering of protocol messages is irrelevant and any of the three partners can launch the protocol. The message flows are given in Figure(2-5).
Protocol description: Once the communication in Figure(2-5) is complete, A computes
SKA = ˆe(βU,γU)α, β computes SKB = ˆe(αU,γU)βand C computes SKC =
ˆe(αU,βU)γ.
By bilinearity of ˆ e, SKA, SKB and SKC are all equal to SKABC =
ˆe(U,U)αβγ. This can serve as the secret key shared by A, B and C.
Although not explicitly stated in[45], the success of this protocol in achieving its goal of agreeing a good key for the three partners in the face of passive attackers can be relevant to the hardness of either the BDHP or the DBHDP. As is the case with the two partners Diffie-
Hellman protocol, depending on how the key is extracted the protocol depends on either …show more content…
2.4.2
Discrete Logarithms and Diffie-Hellman Problems
Since all cryptosystems considered in this thesis based on groups where the discrete logarithm and Diffie-Hellman problems are assumed to be difficult, we start by first recalling their definition. definition 2.4.3 For a security parameter µ ∈ N, let (G,.) be a cyclic group of order r and let v be a generator of G. The discrete logarithm problem (DLP) is, given a random y, to find the unique x ∈ Zrsuch that y = vx.
Although easy in some certain cases (like (Zr,+)), finding the solution to this problem is known to take exponential time. In prime order subgroups G of multiplicative groups
Zr, the commonly used algorithms[46]require sub-exponential time in µ. On subgroups of randomly selected elliptic curves, the commonly used algorithms are exponential and elliptic curves are thus especially concerning for the applying of cryptographic protocols as they enable shorter key sizes for the same security level w.r.t. applications in finite fields Zr.
Yet, except for weaker types of curves like ’anomalous’[47,48]or ’supersingular’ curves, 160- bit elliptic curve public keys provide about the same security as a 1024-bit RSA
SKCare computed by A, B and C respectively where SKA, SKBand SKCare all equal to SKABC=vαβγmod r. This value can serve as the secret key shared by A, B and C. The values α, β and γ should be deleted at the end of the protocol run.
2.3.3
Joux’s Protocol
Joux[45]proposed a very simple and sophisticated one-round protocol in which the secret session key for three partners could be generated in a single round using three broad- casts. This protocol simplifies the Diffie-Hellman protocol shown in Figure(2-4) and is used to generate a shared secret key with lowest communication complexity. Joux’s protocol makes use of bilinear pairings on elliptic curves and requires …show more content…
We suppose that A, B and C share the common values (G1,G2, ˆ e), which are deter- mined by the security parameter µ. In Joux’s protocol, U is the generator of the group G1of prime order r, and α,β,γ ∈ Z∗ rare chosen uniformly at random by the three partners. As in the Diffie-Hellman protocol, the ordering of protocol messages is irrelevant and any of the three partners can launch the protocol. The message flows are given in Figure(2-5).
Protocol description: Once the communication in Figure(2-5) is complete, A computes
SKA = ˆe(βU,γU)α, β computes SKB = ˆe(αU,γU)βand C computes SKC =
ˆe(αU,βU)γ.
By bilinearity of ˆ e, SKA, SKB and SKC are all equal to SKABC =
ˆe(U,U)αβγ. This can serve as the secret key shared by A, B and C.
Although not explicitly stated in[45], the success of this protocol in achieving its goal of agreeing a good key for the three partners in the face of passive attackers can be relevant to the hardness of either the BDHP or the DBHDP. As is the case with the two partners Diffie-
Hellman protocol, depending on how the key is extracted the protocol depends on either …show more content…
2.4.2
Discrete Logarithms and Diffie-Hellman Problems
Since all cryptosystems considered in this thesis based on groups where the discrete logarithm and Diffie-Hellman problems are assumed to be difficult, we start by first recalling their definition. definition 2.4.3 For a security parameter µ ∈ N, let (G,.) be a cyclic group of order r and let v be a generator of G. The discrete logarithm problem (DLP) is, given a random y, to find the unique x ∈ Zrsuch that y = vx.
Although easy in some certain cases (like (Zr,+)), finding the solution to this problem is known to take exponential time. In prime order subgroups G of multiplicative groups
Zr, the commonly used algorithms[46]require sub-exponential time in µ. On subgroups of randomly selected elliptic curves, the commonly used algorithms are exponential and elliptic curves are thus especially concerning for the applying of cryptographic protocols as they enable shorter key sizes for the same security level w.r.t. applications in finite fields Zr.
Yet, except for weaker types of curves like ’anomalous’[47,48]or ’supersingular’ curves, 160- bit elliptic curve public keys provide about the same security as a 1024-bit RSA