Method and system for selecting a safe prime for a finite field diffie-hellman

CN116865968B · Active · Publication Date: 2026-06-30 · MALIKIE INNOVATIONS LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: MALIKIE INNOVATIONS LTD
Filing Date: 2018-03-15
Publication Date: 2026-06-30


Abstract

This disclosure relates to methods and systems for selecting safe prime numbers for a finite field Diffie-Hellman key exchange. A method for Diffie-Hellman key exchange includes: selecting a field size p of the form p = hq + 1, where q is a prime equal to 1 plus a factorial, q = (b! + 1), and h is a cofactor such that p = hq + 1 is prime; selecting a generator integer g whose order modulo p is the prime q or is divisible by q; selecting a private key x; computing the public key g^x mod p by raising the generator g to the power of the private key x with arithmetic modulo the prime field size p; sending the public key g^x mod p to the communicating party; receiving a second public key B from the communicating party, the second public key B being of the form g^y, where the second private key y is chosen by the communicating party; and creating a key from the received second public key B by raising B to the power of the private key x with arithmetic modulo the prime field size p, giving B^x mod p.

Description

[0001] This application is a divisional of Chinese Patent Application No. 201880021774.9, filed on March 15, 2018, entitled "Method and System for Selecting Safe Prime Numbers for a Finite Field Diffie-Hellman".

Technical Field

[0002] This disclosure relates to the selection of finite field sizes in the field of cryptography.

Background

[0003] Diffie-Hellman key exchange is a method for securely exchanging cryptographic keys over a public channel. In various systems, the protocol uses the multiplicative group of integers modulo p, where p is a prime number. A common value g, a primitive root modulo p, is raised to an exponent that is kept secret by each party to the cryptographic transaction. Because of the properties of the multiplicative group, the two exchanged values (each the primitive root raised to one party's secret) can be combined to form a shared secret between the two parties. Because of the discrete logarithm problem, an eavesdropper cannot easily derive the shared secret.

[0004] In 1992, Daniel M. Gordon published a paper titled "Designing and detecting trapdoors for discrete log cryptosystems," CRYPTO'92, Lecture Notes in Computer Science, vol. 740, pp. 66-75. In this paper, Gordon observed that special primes are vulnerable to the special number field sieve, meaning that such primes are not as secure as previously thought. Furthermore, Gordon observed that such special primes can effectively hide their special structure. An attacker could therefore use this trapdoor to find the secret negotiated key of the other parties after observing the public messages exchanged during a Diffie-Hellman key negotiation session.

[0005] In addition to Gordon's attack, the security risks associated with the chosen field size p can include other vulnerabilities. These may include: potential vulnerability to the special number field sieve, whether hidden or exposed as in Gordon's attack; potential vulnerability to other secret algorithms for the discrete logarithm problem, which may affect a randomized Diffie-Hellman field size with only a small probability; potential vulnerability to a weak Diffie-Hellman problem, even though the discrete logarithm problem remains hard; the threat of small subgroup attacks; and non-optimal efficiency of arithmetic modulo reasonably secure Diffie-Hellman moduli. While some methods attempt to reduce some of these potential vulnerabilities, there is currently no method that addresses all of them.

Brief Description of the Drawings

[0006] This disclosure will be better understood with reference to the accompanying drawings, in which:

[0007] Figure 1 is a block diagram illustrating how participating parties exchange information using a cryptographic module;

[0008] Figure 2 is a block diagram illustrating an example process for selecting and using a field size;

[0009] Figure 3 is a block diagram of an example Diffie-Hellman key exchange; and

[0010] Figure 4 is a block diagram of a simplified computing device capable of performing embodiments of the present disclosure.

Detailed Description

[0011] This disclosure provides a method for Diffie-Hellman key exchange, comprising: selecting a field size p of the form p = hq + 1, where q is a prime equal to 1 plus a factorial, q = (b! + 1), and h is a cofactor such that p = hq + 1 is prime; selecting a generator integer g whose order modulo p is the prime q or is divisible by q; selecting a private key x; computing the public key g^x mod p by raising the generator g to the power of the private key x with arithmetic modulo the prime field size p; sending the public key g^x mod p to the communicating party; receiving a second public key B from the communicating party, the second public key B being of the form g^y, where the second private key y is chosen by the communicating party; and creating a key from the received second public key B by raising B to the power of the private key x with arithmetic modulo the prime field size p, giving B^x mod p.

[0012] This disclosure also provides a computing device configured for Diffie-Hellman key exchange, the computing device including a processor configured to: select a field size p of the form p = hq + 1, where q is a prime equal to 1 plus a factorial, q = (b! + 1), and h is a cofactor such that p = hq + 1 is prime; select a generator integer g whose order modulo p is the prime q or is divisible by q; select a private key x; compute the public key g^x mod p by raising the generator g to the power of the private key x with arithmetic modulo the prime field size p; send the public key g^x mod p to the communicating party; receive a second public key B from the communicating party, the second public key B being of the form g^y, where the second private key y is chosen by the communicating party; and create a key from the received second public key B by raising B to the power of the private key x with arithmetic modulo the prime field size p, giving B^x mod p.

[0013] This disclosure also provides a computer-readable medium including program code that, when executed by a processor of a computing device, configures the computing device for Diffie-Hellman key exchange. The program code causes the computing device to: select a field size p of the form p = hq + 1, where q is a prime equal to 1 plus a factorial, q = (b! + 1), and h is a cofactor such that p = hq + 1 is prime; select a generator integer g whose order modulo p is the prime q or is divisible by q; select a private key x; compute the public key g^x mod p by raising the generator g to the power of the private key x with arithmetic modulo the prime field size p; send the public key g^x mod p to the communicating party; receive a second public key B from the communicating party, the second public key B being of the form g^y, where the second private key y is chosen by the communicating party; and create a key from the received second public key B by raising B to the power of the private key x with arithmetic modulo the prime field size p, giving B^x mod p.

[0014] Reference is now made to Figure 1, which illustrates a system 10 for message communication between a pair of communicating parties. Specifically, in the configuration of Figure 1, a pair of communicating parties A and B are connected by a data communication link 12. Each of parties A and B has a cryptographic module or unit 14 that performs public-key cryptographic operations according to an established protocol to allow secure communication over link 12. The cryptographic unit 14 operates within a cryptographic domain whose parameters are shared with other entities.

[0015] In one example, communicating parties A and B use Diffie-Hellman (DH) key exchange. Specifically, Diffie-Hellman key exchange uses a commutative (abelian) group, an algebraic system with a binary operation that satisfies certain axioms.

[0016] The group originally proposed by Diffie and Hellman is the multiplicative group of the finite field of size p, where p is prime. In this multiplicative group, the set of numbers {1, 2, ..., p-1} has as its binary operation multiplication modulo p, meaning ordinary multiplication followed by taking the remainder on division by p. This group is mathematically well known and was applied by Diffie and Hellman to cryptography.

[0017] For illustration, consider the small prime p = 5. The group's binary operation, multiplication modulo p, can be represented in the following table:

[0018]
    ×   1   2   3   4
    1   1   2   3   4
    2   2   4   1   3
    3   3   1   4   2
    4   4   3   2   1

[0019] Table 1: Binary operation, multiplication modulo 5

[0020] In this group, for example, 2 × 4 = 3. Ordinary multiplication gives 2 × 4 = 8, but in this group we take the remainder modulo 5, and since 8 = 1 × 5 + 3 the result is 3.

[0021] For any element g of the group and a positive integer x, g^x is defined by applying the binary operation to x copies of g. This operation is called group exponentiation; g is called the base and x the exponent. When the group is the multiplicative group of a finite field, group exponentiation is also called modular exponentiation.

[0022] For illustration with Table 1 above, let p = 5. If g = 2 and x = 6, then modular exponentiation gives g^x = 2^6 = 4, because under ordinary exponentiation 2^6 = 64 and the remainder of 64 modulo 5 is 4.

[0023] Using an algorithm such as square-and-multiply, group exponentiation can be performed quite efficiently even in large groups, for example of size close to 2^256. This algorithm needs at most 2 log₂(x) group operations to compute g^x. In a group of size about 2^256, group exponentiation therefore requires 512 or fewer group operations, which is generally practical.

[0024] The discrete logarithm is the inverse of group exponentiation: if y = g^x, then x is the discrete logarithm of y to the base g. In some groups, computing the discrete logarithm is a "hard" problem. The hardness of this problem, known as the discrete logarithm problem (DLP), is crucial to the security of Diffie-Hellman key exchange and related public-key cryptographic algorithms. "Hard" is a term of art in cryptography; as used here, it generally means infeasible for an adversary, since for as long as the security of the system matters, the problem must remain beyond the adversary's reach. Mathematically, the term can mean that no solution can be found in asymptotic polynomial time.

[0025] Therefore, public-key encryption relies on the difficulty of DLP.

[0026] Referring again to Figure 1, in a Diffie-Hellman key exchange, contributor A generates a secret exponent x and contributor B generates a secret exponent y. The secret exponents x and y can be called the private keys of contributors A and B, respectively.

[0027] A sends A = g^x to B, and B sends B = g^y to A. Contributor A computes z = B^x and contributor B computes w = A^y. Since z = g^(xy) = w, the computed values are equal, and both contributors have computed the same shared value w = z.

[0028] For groups in which the discrete logarithm problem is hard, it is generally assumed that an adversary or eavesdropper E cannot compute z and w from g, A and B. This problem is now known as the Diffie-Hellman problem (DHP). The DHP can be solved by solving the DLP: given A = g^x, x is found by solving the DLP, and then B^x is computed by group exponentiation; because w = z = B^x, the DHP is no harder than the DLP. The DHP may be easier than the DLP, but in some cases the DLP can in turn be solved by solving the DHP, although the transformation may require more steps.

[0029] The above is the basic general form of Diffie-Hellman key exchange.

[0030] After Diffie-Hellman key exchange was described, ElGamal introduced a method for using the same Diffie-Hellman group for digital signatures, which lets contributors A and B be certain of each other's messages. ElGamal also showed that Diffie-Hellman key exchange can be used to construct a public-key encryption scheme. In one example, contributor B uses a fixed Diffie-Hellman private key, while contributor A uses an ephemeral private key, a fresh one for each message it wishes to send to contributor B.

[0031] Diffie-Hellman field size

[0032] Based on the above, the known integer g is raised to the powers x and y for key exchange. The integer g has an order q modulo p, meaning g^q ≡ 1 mod p, where q is the smallest positive integer with this property.

[0033] The hardness of the DHP described above is affected by the chosen field size p. Specifically, several vulnerabilities related to the value of p have been discovered.

[0034] Den Boer's reduction

[0035] A theorem states that q divides p-1, so it is generally good practice to choose g such that q is prime and large. In particular, researcher Bert den Boer published a paper in 1988 entitled "Diffie-Hellman is as strong as discrete log for certain primes," CRYPTO'88, Lecture Notes in Computer Science vol. 403, pp. 530-539, 1988. In this paper, den Boer identified a criterion on the order q of the generator g that helps prove there is no gap between the discrete logarithm problem and the Diffie-Hellman problem. Both problems must be hard in order for Diffie-Hellman key agreement to be secure.

[0036] den Boer's criterion states that q-1 is a product of small numbers.

[0037] Conventional Diffie-Hellman field sizes, for which q-1 is not a product of small numbers, do not rely on den Boer's criterion. Instead, they rely on conjectures about the intractability of the Diffie-Hellman problem. In other words, conventional practice relies on conjecture rather than on den Boer's proof, and this conventional practice therefore undermines provable security.

[0038] Based on the above, and according to this disclosure, since the security of den Boer primes is provable, den Boer's criterion is believed to improve the security of Diffie-Hellman field sizes.

[0039] As described below, one problem with den Boer's criterion is its incompatibility with other security methods, particularly the naive nothing-up-my-sleeve (NUMS) method and hash-output methods. Both the NUMS and hash methods effectively generate a pseudo-random q, and it is a well-known fact of number theory that random numbers are almost never products of small numbers.

[0040] Therefore, for pseudo-random methods, den Boer's criterion is generally not satisfied, which explains why conventional Diffie-Hellman primes usually do not satisfy it. In other words, conventional Diffie-Hellman primes are usually chosen out of concern about Gordon's attack rather than concern about the gap between the Diffie-Hellman problem and the discrete logarithm problem.

[0041] Gordon's attack

[0042] As mentioned above, another security concern is Gordon's attack. Specifically, Gordon's attack uses the special number field sieve; the number field sieve is, for large primes p, the fastest known algorithm for solving the discrete logarithm problem. For special primes p (those that can be represented as the output of a polynomial with small coefficients), the number field sieve can be significantly accelerated. Roughly, a special prime must be about the square of a general prime, i.e. its bit length must be doubled, to offer resistance to the number field sieve comparable to that of a general prime. Therefore, systems using special primes p for Diffie-Hellman key exchange may be vulnerable to attacks using the number field sieve.

[0043] Some deployed Diffie-Hellman systems use such special primes anyway because they give demonstrably better computational efficiency. However, the weaker resistance to the number field sieve outweighs the benefit in computational efficiency.

[0044] Gordon recognized that special primes susceptible to the special number field sieve can effectively hide their structure.

[0045] A common countermeasure against the risk of Gordon's attack is to choose a pseudo-random prime p derived from a nothing-up-my-sleeve number. This method typically takes one of two forms.

[0046] In the first method, an irrational number such as π is multiplied by a large number and the result is rounded to the nearest integer. This value is then incremented as needed until a prime is obtained.

[0047] In the second method, a well-known pseudo-random function such as a hash function is applied to a small input value to produce the prime.

[0048] The first method relies on the hope that the special number-theoretic structure of an irrational number such as π does not make the resulting number special. In other words, the special irrational number π is assumed to be somehow independent of the properties required by the special number field sieve.

[0049] The second method is more conservative, in the sense that the pseudo-randomness of hash algorithms has been tested and is relied upon by other parts of cryptographic algorithms. It would be surprising if the number field sieve were able to distinguish the output of a hash function from a random string.

[0050] Both methods produce a special kind of prime number, but even these prime numbers can be manipulated. One concern is that adversaries who choose prime number p have some leeway in choosing irrational numbers or hash functions in order to exploit some weakness in the field size p.

[0051] These methods are known as nothing-up-my-sleeve (NUMS) numbers, a fairly general concept in cryptography. The NUMS method is conjectured to yield a somewhat randomized field size, which is thought to prevent Gordon's attack, since that attack relies on discovering a hidden weakness with respect to the special number field sieve. Gordon's attack involves a very large search, and such a search would be expected to produce a field size containing information outside the attacker's control; in particular, it is unlikely that the attacker's search would also produce a value whose definition involves π.

[0052] Furthermore, although the decimal (or binary) expansion of π is predictable, it is treated as if it were random, and therefore as unrelated to anything else (except π itself). In other words, any particular structure in a Diffie-Hellman field size derived from π can be considered completely unrelated to the particular structure required for the special number field sieve to be effective.

[0053] The NUMS method also prevents other attacks. Specifically, for the same reasons that the NUMS method prevents Gordon's attacks, it can prevent secret attack algorithms that affect the size of the random Diffie-Hellman field with only a very small probability. Additionally, for similar reasons, the NUMS method can prevent the weak Diffie-Hellman problem.

[0054] As will be described in more detail below, embodiments of this disclosure provide a variation of the NUMS method. This variation does not simply use π, but rather employs another canonical but simple mathematical structure. Therefore, the general advantages of NUMS still apply to the embodiments described below, but the following disadvantages of the naive NUMS method are avoided.

[0055] The main drawbacks of naive NUMS methods (such as π-based naive NUMS methods) include the following.

[0056] A field size derived from π is effectively a pseudo-random field size, and so cannot be expected to be more computationally efficient than an average random prime field size. In other words, using this pseudo-random field size is not as computationally efficient as other field sizes could be.

[0057] Another drawback is that a field size derived from π could equally have been derived from some other constant (such as e or the square root of 2), and is therefore not objectively and conspicuously free from all manipulation. In other words, the field size is not optimally trustworthy.

[0058] In addition, a drawback of NUMS is that the field size derived from π is actually a pseudo-random field size, and therefore cannot be expected to be safer than the average prime number field size.

[0059] Another drawback of the NUMS method is that the field size derived from π cannot be completely protected from number theory attacks. Specifically, π is highly relevant to problems in number theory. For example, the probability that two random positive integers have no common prime factors is 6 / π^2.

[0060] Small-cofactor Diffie-Hellman primes

[0061] As mentioned above, if p is the prime Diffie-Hellman field size and g is the Diffie-Hellman generator modulo p, then g has some multiplicative order q, meaning that q is the smallest positive integer such that g^q is 1 mod p. A basic theorem of number theory states that p = hq + 1 for some positive integer h, which is usually called the cofactor. This holds in particular when q is prime.

[0062] Small subgroup attacks are cryptographic methods that operate within a larger finite group, where an attacker attempts to break the method by forcing the key to be confined to an unexpectedly small subgroup of the desired group. The standard way to avoid such small subgroup attacks is to ensure that p and q are both prime numbers and that h is small. Typically, h is chosen to be 2.

[0063] A small-cofactor Diffie-Hellman field size is an effective way to prevent small subgroup attacks.

[0064] Unfortunately, choosing a small cofactor for the Diffie-Hellman field size is insufficient to prevent other attacks. Therefore, methods that choose a small cofactor for the Diffie-Hellman field size are often used in conjunction with other methods.

[0065] In the embodiments described below, a small cofactor is selected in this disclosure.

[0066] Field size close to a power of two

[0067] Another approach to avoiding weak field sizes p is to choose a Diffie-Hellman field size close to a power of 2, such as a Mersenne prime. This choice has several advantages. First, field sizes close to powers of 2 are computationally efficient for their bit length. Second, the property of being close to a power of 2 is relatively rare; therefore, as with the NUMS method above, such a field size is unlikely to be the result of a search for a hidden attack.

[0068] However, a drawback of choosing a field size close to a power of 2 is that such numbers are particularly vulnerable to the special number field sieve. More quantitatively, to be as secure against the number field sieve as an ordinary random prime, the bit length must be approximately doubled. This doubling of the bit length usually outweighs the advantage in computational efficiency. In other words, for the level of security provided, the field size is computationally inefficient.

[0069] If we compare a random field size that has approximately equal resistance to all known discrete logarithm attacks (including the general and special number field sieves) with a field size that is particularly close to a power of 2, the field size close to a power of 2 will be computationally slower because its bit length is almost doubled.

[0070] Hash output prime numbers

[0071] Stronger security can be achieved by deriving the Diffie-Hellman field size from the output of a pseudo-random function, rather than directly from a constant such as π.

[0072] The reason a pseudo-random function can give greater security is the observation that π is not actually random, or even pseudo-random. Instead, it is a very special number, and may therefore be related to some very special secret attack.

[0073] One security argument states that deriving the size of the Diffie-Hellman field from π makes it unlikely that number theory attacks would be related to π. However, this argument is not rigorous.

[0074] By contrast, given a secret input, the output of a hash function (used as a pseudo-random function) is considered indistinguishable from a random variable. This idea has been tested over the years in many cryptographic systems that use hash functions for tasks such as pseudo-random number generation, key derivation and message authentication.

[0075] In addition, most hash functions are designed using slightly arbitrary and primitive computer word operations, which are different from the specialized mathematical operations required for Diffie-Hellman key negotiation.

[0076] By contrast, the number π is a natural mathematical constant, arguably closer to the mathematics underlying number-theoretic attacks. For example, π appears in the volume of a sphere and of its higher-dimensional analogues, which in turn relates to the expected number of vectors of a given short length, and so on.

[0077] However, using hash functions also has drawbacks. For example, by utilizing hash functions, the output remains pseudo-random, thus suffering from drawbacks similar to those of using π. These drawbacks can include suboptimal computational efficiency and difficult-to-prove security.

[0078] Furthermore, the use of hash functions has the drawback that their inputs can be manipulated for secret attacks. To address this, the input is itself typically chosen to be a NUMS number such as π; however, in terms of the degrees of freedom available for manipulation, this is no more trustworthy than using π directly.

[0079] Another drawback of hash functions is that the hash algorithm itself may be manipulated to carry out secret attacks, thereby reducing its credibility.

[0080] Search parameters

[0081] The pseudo-random methods described above for determining the Diffie-Hellman field size, including naive NUMS and hash-derived pseudo-random methods, typically require starting from a pseudo-random value and searching for a small counter value such that additional criteria are satisfied. Generally, the criteria work as follows. The pseudo-random value is added to the small counter value to obtain a candidate p for the Diffie-Hellman field size. If p is not prime, p is rejected. If p is prime, p is tested for a small cofactor, that is, whether p = hq + 1 with q prime and h small; if this test fails, p is rejected. Whenever p is rejected, the small counter value is incremented by 1, and the process is repeated until a value of p is finally accepted.

[0082] Because primes are rare, the search may take an undesirably long time; one can expect it to run through millions of iterations, at which point the small counter value is on the order of millions. Furthermore, because the conditions on the primes are complex, the resulting counter value is also complex and cannot be significantly compressed. Any simple arithmetic expression defining p must therefore include this counter value.

[0083] Therefore, a prime p produced by such a search does not have the most compact possible representation. By contrast, pseudo-Mersenne primes near p tend to have a more compact representation.

[0084] Select p

[0085] Based on all of the above, most conventional methods optimize neither computational efficiency nor security. Specifically, a naive approach would add further criteria to the search for the field size; for example, den Boer's criterion and perhaps some efficiency criteria could be searched for. However, a major drawback of this extended search is that it may raise suspicion of malicious intent. Another drawback is that it requires significantly more information to specify the field size, since the counter seed value would be much larger because the additional conditions are rarely satisfied. Furthermore, a substantial amount of search work may be required to satisfy the additional criteria.

[0086] Therefore, according to this disclosure, a classical Diffie-Hellman subgroup order of the form (b!+1), a prime equal to 1 plus a factorial, is provided. As described below, this prime order allows Diffie-Hellman key exchange to resist the special number field sieve.

[0087] In the following embodiment, the special structure of the subgroup order also helps to optimize the den Boer reduction between the discrete logarithm problem and the Diffie-Hellman problem. Therefore, the Diffie-Hellman problem is close to the discrete logarithm problem.

[0088] Furthermore, by selecting the smallest cofactor for the prime number field size, the risk of small subgroup attacks can be further minimized. In some cases, special structures can even provide computational efficiency advantages over random prime numbers.

[0089] Furthermore, in the embodiments described below, the representation of prime numbers is small enough to fit simple equations, which helps to eliminate concerns about the malicious selection of prime numbers compared to other prime numbers.

[0090] Reference is now made to Figure 2, which illustrates a process for selecting and using the prime field size p. The process of Figure 2 produces a field size p = h(b!+1)+1.

[0091] Specifically, the process begins at box 210 and proceeds to box 212, where a prime order q for the generator is chosen. The prime order q is generated by adding 1 to the factorial b!. This produces a rare prime order, since primes of the form b! + 1 are extremely rare.

[0092] In some embodiments, at box 212, b can be chosen to ensure that q is large enough to provide sufficient cryptographic security for the application without producing a number too large to compute with efficiently.

[0093] As those skilled in the art will understand, n! is the product of the first n positive integers. Specifically, n! = 1*2*3*…*(n-1)*n.

[0094] At box 212, various options are possible for the choice of b. For example, for a prime order q, b = 399, b = 427, and b = 872 are possible because each choice of b generates a prime number when expressed in the form of b! + 1.

[0095] Typically, applications requiring 128-bit security need a field size p with a bit length between 3000 and 4000 bits to protect 128-bit symmetric keys.

[0096] The prime number (399! + 1) has a bit length of 2887, which may be sufficient for some applications, but may be insufficient for applications that require 128-bit security.

[0097] The prime (427!+1) has a bit length of 3121, so after multiplying by the cofactor, the bit length of p exceeds the 3072 bits currently common for Diffie-Hellman field sizes.

[0098] Because factorial primes are so rare, the next value of b can be considered as b = 872. The prime number (872! + 1) has a bit length between 7000 and 8000, which may be large for some applications.

[0099] From box 212, the process continues to box 220, where the cofactor h is found. Specifically, the cofactor h is chosen so that the formula p = hq + 1 produces a prime. As explained above, to limit small subgroup attacks, the cofactor h should be relatively small.

[0100] In each case, the cofactor h is found simply by trying every even h in turn, computing p = hq + 1, and testing whether p is prime. Only even values of h need be tried, since q is odd and p must be odd. According to the prime number theorem, the expected number of values of h to try, and hence the size of the first suitable h found, is on the order of thousands.

[0101] If b is chosen as 427, the smallest value of h for which p is prime is 630. If b is chosen as 872, the smallest cofactor is 1398, giving p = 1398(872!+1)+1.

[0102] Therefore, in one embodiment, the choices at boxes 212 and 220 can produce the prime field size p = 630(427!+1)+1.

[0103] Other primes p could be considered by replacing 630 with a larger cofactor h, but this may be unnecessary in some embodiments. For example, one reason to consider other cofactors would be if the original p with h = 630 were somewhat susceptible to the special number field sieve. One might suppose that a larger cofactor is less susceptible and choose on that basis. However, if the original p and the larger one are related by a simple linear relationship, the special number field sieve would apply almost equally well to both, so there is only a very small chance that a slight increase in h would remove a special number field sieve vulnerability. In other words, for a given q, in one embodiment, the smallest h that makes p prime can be chosen.

[0104] Choosing the prime field size p = h(b!+1)+1 addresses the problems identified above. That is, a key agreement protocol using this field size resists Gordon's attack and the special number field sieve. Because the discrete logarithm problem and the Diffie-Hellman problem are closely related, the protocol also resists secret (undisclosed) algorithms targeting the discrete logarithm problem. Furthermore, a key agreement protocol using this field size resists the threat of small subgroup attacks.

[0105] Specifically, the risk of a hidden vulnerability to Gordon's attack or to the special number field sieve is minimized for two reasons. As described above regarding the original countermeasure to Gordon's attack, that countermeasure is the conventional NUMS (nothing-up-my-sleeve) argument, which prevents the attack because the field size can be presented in a very compressed form. Embodiments of this disclosure strengthen the NUMS argument by using still greater compression, in the smaller form p = h(b!+1)+1.

[0106] Furthermore, any general method for representing factorials as short sums of powers would yield a factoring algorithm. For example, to factor n = rs, where s is a prime factor and r < s, let m be an integer close to the square root of n, which is easy to find. Then m lies between r and s. If m! could be written as a short sum of powers, then m! could be reduced modulo n efficiently, because each power can be reduced by the square-and-multiply algorithm. Since r divides m! but s does not, the greatest common divisor (GCD) of the reduced m! and n would then reveal the smaller factor r of n.

[0107] Because factoring is believed to be hard, there should be no general way to rewrite factorials as short sums of powers. Therefore, numbers such as 630(427!+1)+1 are unlikely to be expressible as sums of a few small powers, which makes them less susceptible to the special number field sieve.

[0108] The use of p = h(b!+1)+1 also mitigates the risk of manipulation toward some other secret attack that affects random primes only with low probability. Because the formula is so compact, the search information a manipulator would need to embed in order to steer the selection toward a weak prime is unlikely to fit in it. Furthermore, the special property that b! + 1 is prime makes p even rarer than its compact representation alone would suggest, which also makes it less susceptible to the special number field sieve.

[0109] For the Diffie-Hellman scheme to be considered secure, the gap in difficulty between the Diffie-Hellman problem and the discrete logarithm problem should be small. The field size p = h(b!+1)+1 reduces the risk of such a gap because it satisfies den Boer's condition: the number q - 1 = b! is a product of small numbers, so den Boer's reduction of the discrete logarithm problem to the Diffie-Hellman problem applies. Most random primes have no such strong evidence of a small gap.

[0110] The cofactor h in the above embodiments is very small compared to q. Even without further protection, a small subgroup attack could leak at most about 10 bits of a 3000-bit secret, and the cofactor method of defending against small subgroup attacks is relatively inexpensive, costing less than about 1% of the runtime.

[0111] Furthermore, the above embodiments offer the advantage that, compared to a random prime, the binary expansion of h(b!+1)+1 has a strong pattern of repeated bits. Specifically, if 630(427!+1)+1 is used, the binary expansion contains a run of 412 consecutive zero bits. Such patterns can make computation slightly faster: part of the work of modular reduction is saved because of the repeated bits in p. For example, one step of Montgomery reduction is a multiplication by p; if many consecutive bits of p are zero or one, that multiplication can be done faster than for a random p. The speedup may be slight, but it is still measurable. Additionally, unlike other special primes that are sums of powers, the faster arithmetic does not compromise security.
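The Figure 2 procedure of boxes 212 and 220 (paragraphs [0091] to [0102]), together with the bit-length and zero-run observations of [0096], [0097] and [0111], carried through in Python. This is an added example written for this page; it is not the Appendix A code of the patent. The Miller-Rabin test with random bases, the trial-division bound of 1000, the search limit h_max and all function names are assumptions of the example.

```python
"""Parameter selection for p = h(b! + 1) + 1 following the Figure 2 procedure
(boxes 212 and 220), plus the bit-length and zero-run checks discussed in
the text.  Added example, not the patent's Appendix A code.  Assumption:
Miller-Rabin with random bases is acceptable here; a production deployment
would verify candidates with a standard, well-reviewed primality test."""
import math
import random

_rng = random.SystemRandom()
# Primes below 1000 for trial division (constructed here, not from the patent).
SMALL_PRIMES = [n for n in range(2, 1000)
                if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Trial division by SMALL_PRIMES, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, s = n - 1, 0                      # n - 1 = 2^s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                 # a is a witness: n is composite
    return True


def factorial_prime_order(b: int) -> int:
    """Box 212: the prime order q = b! + 1; raises if b! + 1 is not prime."""
    q = math.factorial(b) + 1
    if not is_probable_prime(q):
        raise ValueError(f"{b}! + 1 is not prime")
    return q


def factorial_primes(lo: int, hi: int) -> list[int]:
    """Every b in [lo, hi) with b! + 1 prime: shows how sparse the choices are."""
    return [b for b in range(lo, hi) if is_probable_prime(math.factorial(b) + 1)]


def find_min_cofactor(q: int, h_max: int = 1 << 16) -> int:
    """Box 220: smallest even h with p = h*q + 1 prime.

    Only even h are tried: q is odd for b >= 2, so an odd h would make p even.
    By the prime number theorem roughly ln(q)/2 even candidates are expected.
    """
    for h in range(2, h_max, 2):
        if is_probable_prime(h * q + 1):
            return h
    raise RuntimeError(f"no even cofactor below {h_max}")


def longest_zero_run(n: int) -> int:
    """Longest run of consecutive 0 bits in n (the pattern noted in [0111])."""
    return max(len(run) for run in bin(n)[2:].split("1"))


def field_size(b: int) -> tuple[int, int, int]:
    """Boxes 212 and 220 together: returns (h, q, p) with p = h*(b! + 1) + 1."""
    q = factorial_prime_order(b)
    h = find_min_cofactor(q)
    return h, q, h * q + 1


if __name__ == "__main__":
    for b in (399, 427, 872):
        print(f"{b}! + 1 has {(math.factorial(b) + 1).bit_length()} bits")
    h, q, p = field_size(427)            # a few seconds: up to ~315 candidates
    print(f"h = {h}, p has {p.bit_length()} bits, "
          f"longest zero run = {longest_zero_run(p)} bits")
```

Run as a script, the block prints the bit lengths of 399!+1, 427!+1 and 872!+1 and then searches the cofactor for b = 427, which should reproduce the h = 630 of [0101]. The search takes a few seconds because every candidate that survives trial division costs a modular exponentiation with a 3131-bit modulus; the trial-division stage is what keeps the count of such candidates small.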

[0112] Appendix A illustrates code for searching prime numbers in the form described according to embodiments of this disclosure.

[0113] Referring again to Figure 2, the process proceeds from box 220 to box 230, where the field size p is used for a Diffie-Hellman key exchange. The process then proceeds to box 250 and ends.

[0114] Reference is now made to Figure 3, which shows communicating parties A and B performing a Diffie-Hellman key exchange. An eavesdropper 330 is monitoring the communication between the two parties.

[0115] Based on the above disclosure, the software on the computing devices of communicating parties A and B will use the field size p. Each party may already know the prime modulus, or the parties may exchange the prime field size over the link 12 between them.

[0116] Likewise, the generator integer g may already be known at the computing device of communicating party A or B, or may be exchanged, for example, as shown in message 340.

[0117] Once both parties know g, communicating party A can compute g^x and communicating party B can compute g^y, where x and y are the private keys of communicating parties A and B, respectively.

[0118] In message 350, communicating party A sends A = g^x to communicating party B, and in message 352, communicating party B sends B = g^y to communicating party A. Communicating party A can then compute z = B^x = g^(xy), and communicating party B can compute w = A^y = g^(xy). Therefore, the two communicating parties A and B share a key, which can be used to encrypt and decrypt the communication between them.
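The Figure 3 exchange of [0114] to [0118], run with the two small subgroup defences that [0110] compares in cost (a full subgroup check of the received public key, and the cofactor method), as an added example that is not part of the patent. It assumes a toy parameter b = 11 so that trial-division primality testing suffices, a generator g = r^h mod p of order exactly q, and the function names used here; the attacker's small-order probe and the leak it would cause against a naive B^x are the example's own illustration of the attack the text names.

```python
"""Figure 3 exchange over p = h*q + 1, q = b! + 1, with the small-subgroup
defences of [0110].  Added example, not from the patent.  Assumptions: the
toy size b = 11 (trial-division primality is adequate only at this size),
a generator g = r^h mod p of order exactly q, and the function names used."""
import math
import random

_rng = random.SystemRandom()

def is_prime_trial(n: int) -> bool:
    """Trial division; fine for the ~35-bit values of this demo only."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def factorial_field(b: int) -> tuple[int, int, int]:
    """(h, q, p): q = b! + 1 must be prime, h is the smallest even cofactor."""
    q = math.factorial(b) + 1
    if not is_prime_trial(q):
        raise ValueError(f"{b}! + 1 is not prime")
    h = 2
    while not is_prime_trial(h * q + 1):
        h += 2
    return h, q, h * q + 1

def subgroup_generator(p: int, q: int, h: int) -> int:
    """g = r^h has order dividing the prime q, so order exactly q once g != 1."""
    while True:
        g = pow(_rng.randrange(2, p - 1), h, p)
        if g != 1:
            return g

def keygen(g: int, p: int, q: int) -> tuple[int, int]:
    """Private x in [1, q) and public key g^x mod p."""
    x = _rng.randrange(1, q)
    return x, pow(g, x, p)

def validate_public_key(Y: int, p: int, q: int) -> bool:
    """Full subgroup check: Y in (1, p) and Y^q == 1.  Costs an exponent of
    the size of q, about as much as the key agreement itself."""
    return 1 < Y < p and pow(Y, q, p) == 1

def shared_secret_cofactor(Y: int, x: int, p: int, h: int) -> int:
    """Cofactor method: (Y^h)^x lies in the order-q subgroup for any Y, so a
    small-order Y collapses to 1 and is rejected.  The extra exponent has
    only the size of h, hence the small overhead quoted in [0110]."""
    if not 1 < Y < p:
        raise ValueError("public key out of range")
    z = pow(pow(Y, h, p), x, p)
    if z == 1:
        raise ValueError("public key lies in a small subgroup")
    return z

def small_order_element(p: int, q: int, h: int) -> int:
    """An attacker's probe: r^q has order dividing h."""
    while True:
        e = pow(_rng.randrange(2, p - 1), q, p)
        if e != 1:
            return e

def leaked_residue(e: int, x: int, p: int) -> tuple[int, int]:
    """What a naive B^x with a small-order B hands the attacker: x mod ord(e)."""
    z, order = pow(e, x, p), 1
    while pow(e, order, p) != 1:
        order += 1
    return next(r for r in range(order) if pow(e, r, p) == z), order

def run_exchange(b: int = 11) -> tuple[int, int, int, int, int]:
    """Both sides of Figure 3 with validation; returns (h, q, p, z_A, z_B)."""
    h, q, p = factorial_field(b)
    g = subgroup_generator(p, q, h)
    x, A = keygen(g, p, q)                   # message 350: A = g^x
    y, B = keygen(g, p, q)                   # message 352: B = g^y
    if not (validate_public_key(A, p, q) and validate_public_key(B, p, q)):
        raise ValueError("public key failed the subgroup check")
    z_a = shared_secret_cofactor(B, x, p, h)  # (g^y)^(h x)
    z_b = shared_secret_cofactor(A, y, p, h)  # (g^x)^(h y)
    return h, q, p, z_a, z_b

if __name__ == "__main__":
    h, q, p, z_a, z_b = run_exchange(11)
    print(f"p = {h} * (11! + 1) + 1 = {p}; secrets agree: {z_a == z_b}")
    e = small_order_element(p, q, h)
    print(f"small-order key passes full check: {validate_public_key(e, p, q)}")
    print(f"naive B^x leaks (x mod ord(e), ord(e)) = {leaked_residue(e, 12345678, p)}")
```

Both defences are shown so the trade-off of [0110] is visible: validate_public_key spends an exponentiation by q on every received key, while shared_secret_cofactor only adds an exponentiation by h and rejects the identity, which is enough to stop the residue leak that leaked_residue demonstrates. With the cofactor method both parties derive g^(hxy) rather than g^(xy); since gcd(h, q) = 1 this is still a uniformly random element of the order-q subgroup.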

[0119] The above can be implemented on any computing device. For example, Figure 4 shows a simplified computing device.

[0120] In the embodiment of Figure 4, device 410 includes a processor 420 and a communication subsystem 430, where the processor 420 and the communication subsystem 430 cooperate to perform the methods described above.

[0121] The processor 420 is configured to execute programmable logic, which may be stored on device 410 along with data and which, in the example of Figure 4, is shown as memory 440. Memory 440 can be any tangible, non-transitory computer-readable storage medium. Computer-readable storage media may be tangible or transitory/non-transitory media, such as optical media (e.g., CD, DVD), magnetic media (e.g., tape), flash drives, hard disk drives, or other memories known in the art.

[0122] Alternatively, or in addition to memory 440, device 410 may access data or programmable logic from an external storage medium, for example, via the communication subsystem 430.

[0123] The communication subsystem 430 allows the device 410 to communicate with other devices or network elements.

[0124] In one embodiment, communication between the various components of device 410 can be achieved via internal bus 460. However, other forms of communication are possible.

[0125] The structures, features, accessories, and alternatives of the specific embodiments described herein and illustrated in the accompanying drawings are intended to be generally applied to all the teachings of this disclosure, including all embodiments described and illustrated herein, provided they are compatible. In other words, unless specifically indicated, the structures, features, accessories, and alternatives of the specific embodiments are not intended to be limited to that particular embodiment.

[0126] Furthermore, those skilled in the art will recognize the additional features and advantages of this disclosure.

[0127] The embodiments described herein are examples of structures, systems, or methods having elements corresponding to the elements of the technology of this application. This written description enables those skilled in the art to make and use embodiments having alternative elements that likewise correspond to the elements of the technology of this application. Therefore, the intended scope of the technology of this application includes other structures, systems, or methods that do not differ from the technology described herein, as well as other structures, systems, or methods that do not differ substantially from it.

[0128] Appendix A

[0129] Code for searching prime numbers

[0130]

[0131]

Claims

1. A method for Diffie-Hellman key exchange, the method comprising: selecting a field size p, the field size p having the form p = hq + 1, where q is a prime that is 1 plus the factorial of b, such that q = (b! + 1), and h is a cofactor such that p = hq + 1 is prime; selecting a generator integer g, the order of the generator integer g modulo p being the prime q or being divisible by q; selecting a private key x; computing a public key g^x mod p by raising the generator g to the power of the private key x using modular arithmetic with respect to the field size p; sending the public key g^x mod p to a communicating party; receiving a second public key B from the communicating party, the second public key B comprising g raised to the power of a second private key y, in the form g^y, the second private key y being selected by the communicating party; and creating a key B^x from the received second public key B by raising the second public key B to the power of the private key x using modular arithmetic with respect to the field size p.

2. The method according to claim 1, wherein b is chosen so that the prime order exceeds a minimum threshold size.

3. The method according to claim 2, wherein the minimum threshold size is 3000 bits.

4. The method according to claim 3, wherein b is selected as 427.

5. The method according to claim 4, wherein h is selected as 630, giving p = 630(427!+1)+1.

6. The method according to claim 3, wherein b is selected as 872.

7. The method according to claim 6, wherein h is selected as 1398, giving p = 1398(872!+1)+1.

8. A computing device configured for Diffie-Hellman key exchange, the computing device comprising a processor configured to: select a field size p, the field size p having the form p = hq + 1, where q is a prime that is 1 plus the factorial of b, such that q = (b! + 1), and h is a cofactor such that p = hq + 1 is prime; select a generator integer g, the order of the generator integer g modulo p being the prime q or being divisible by q; select a private key x; compute a public key g^x mod p by raising the generator g to the power of the private key x using modular arithmetic with respect to the field size p; send the public key g^x mod p to a communicating party; receive a second public key B from the communicating party, the second public key B comprising g raised to the power of a second private key y, in the form g^y, the second private key y being selected by the communicating party; and create a key B^x from the received second public key B by raising the second public key B to the power of the private key x using modular arithmetic with respect to the field size p.

9. The computing device according to claim 8, wherein b is chosen so that the prime order exceeds a minimum threshold size.

10. The computing device according to claim 9, wherein the minimum threshold size is 3000 bits.

11. The computing device according to claim 10, wherein b is selected as 427.

12. The computing device according to claim 11, wherein h is selected as 630, giving p = 630(427!+1)+1.

13. The computing device according to claim 10, wherein b is selected as 872.

14. The computing device according to claim 13, wherein h is selected as 1398, giving p = 1398(872!+1)+1.

15. A computer-readable medium comprising program code configured for Diffie-Hellman key exchange which, when executed by a processor of a computing device, causes the computing device to: select a field size p, the field size p having the form p = hq + 1, where q is a prime that is 1 plus the factorial of b, such that q = (b! + 1), and h is a cofactor such that p = hq + 1 is prime; select a generator integer g, the order of the generator integer g modulo p being the prime q or being divisible by q; select a private key x; compute a public key g^x mod p by raising the generator g to the power of the private key x using modular arithmetic with respect to the field size p; send the public key g^x mod p to a communicating party; receive a second public key B from the communicating party, the second public key B comprising g raised to the power of a second private key y, in the form g^y, the second private key y being selected by the communicating party; and create a key B^x from the received second public key B by raising the second public key B to the power of the private key x using modular arithmetic with respect to the field size p.