What motivated the creation of RSA and ECDH?
$begingroup$
Recently I've been learning about cryptography and so far I am loving it. However, there are some things I do not comprehend.
As far as I know, RSA was published in 1979 while New Directions on Cryptography by Diffie and Hellman was published in 1976. What I wonder is, what motivated the creation of RSA? Was it because they wanted to create something more secure than Diffie-Hellman? And if so, why is it more secure? Or was it because it was designed for other purposes which couldn't be accomplished with Diffie-Hellman?
On the other hand, it was not until 1985 that Neal Koblitz proposed cryptography based on elliptic curves. I've been told that elliptic curves offer more security than classic Diffie-Hellman but I'd like to understand and know how. I don't know much about security level. I've seen expressions like "$n$-bit keys give $m$-bit security" but I do not fully understand what do they mean. I see that ECDH offers more bit security than DH, but how can that be measured if attacks for both are not the same?
Thank you! And don't worry about throwing some math, I will probably understand.
rsa elliptic-curves diffie-hellman history
edited Jan 28 at 14:42
Ella Rose♦
16.3k44281
asked Jan 27 at 1:52
AiYagamiAiYagami
664
$endgroup$
add a comment |
$begingroup$
Recently I've been learning about cryptography and so far I am loving it. However, there are some things I do not comprehend.
As far as I know, RSA was published in 1979 while New Directions on Cryptography by Diffie and Hellman was published in 1976. What I wonder is, what motivated the creation of RSA? Was it because they wanted to create something more secure than Diffie-Hellman? And if so, why is it more secure? Or was it because it was designed for other purposes which couldn't be accomplished with Diffie-Hellman?
On the other hand, it was not until 1985 that Neal Koblitz proposed cryptography based on elliptic curves. I've been told that elliptic curves offer more security than classic Diffie-Hellman but I'd like to understand and know how. I don't know much about security level. I've seen expressions like "$n$-bit keys give $m$-bit security" but I do not fully understand what do they mean. I see that ECDH offers more bit security than DH, but how can that be measured if attacks for both are not the same?
Thank you! And don't worry about throwing some math, I will probably understand.
rsa elliptic-curves diffie-hellman history
edited Jan 28 at 14:42
Ella Rose♦
16.3k44281
asked Jan 27 at 1:52
AiYagamiAiYagami
664
$endgroup$
1
$begingroup$
Please ask one question at a time. RSA and ECDH are not that much related to each other. We are now already in the situation that we have an answer that only focuses on the ECDH part - maybe it is a good idea to split off the RSA part into a different question.
$endgroup$
– Maarten Bodewes♦
Jan 27 at 17:34
$begingroup$
I removed thesecurity-definitiontag from the question as it did not appear to be relevant - if you really want some kind of formal definition of some formal term, please include the request explicitly in the question.
$endgroup$
– Ella Rose♦
Jan 27 at 18:00
$begingroup$
Note that (if I understand correctly) Diffie-Hellman key exchange by itself does not protect you against man-in-the-middle attacks.
$endgroup$
– Harry Johnston
Jan 27 at 23:11
add a comment |
$begingroup$
Recently I've been learning about cryptography and so far I am loving it. However, there are some things I do not comprehend.
As far as I know, RSA was published in 1979 while New Directions on Cryptography by Diffie and Hellman was published in 1976. What I wonder is, what motivated the creation of RSA? Was it because they wanted to create something more secure than Diffie-Hellman? And if so, why is it more secure? Or was it because it was designed for other purposes which couldn't be accomplished with Diffie-Hellman?
On the other hand, it was not until 1985 that Neal Koblitz proposed cryptography based on elliptic curves. I've been told that elliptic curves offer more security than classic Diffie-Hellman but I'd like to understand and know how. I don't know much about security level. I've seen expressions like "$n$-bit keys give $m$-bit security" but I do not fully understand what do they mean. I see that ECDH offers more bit security than DH, but how can that be measured if attacks for both are not the same?
Thank you! And don't worry about throwing some math, I will probably understand.
rsa elliptic-curves diffie-hellman history
edited Jan 28 at 14:42
Ella Rose♦
16.3k44281
asked Jan 27 at 1:52
AiYagamiAiYagami
664
$endgroup$
Recently I've been learning about cryptography and so far I am loving it. However, there are some things I do not comprehend.
As far as I know, RSA was published in 1979 while New Directions on Cryptography by Diffie and Hellman was published in 1976. What I wonder is, what motivated the creation of RSA? Was it because they wanted to create something more secure than Diffie-Hellman? And if so, why is it more secure? Or was it because it was designed for other purposes which couldn't be accomplished with Diffie-Hellman?
On the other hand, it was not until 1985 that Neal Koblitz proposed cryptography based on elliptic curves. I've been told that elliptic curves offer more security than classic Diffie-Hellman but I'd like to understand and know how. I don't know much about security level. I've seen expressions like "$n$-bit keys give $m$-bit security" but I do not fully understand what do they mean. I see that ECDH offers more bit security than DH, but how can that be measured if attacks for both are not the same?
Thank you! And don't worry about throwing some math, I will probably understand.
rsa elliptic-curves diffie-hellman history
rsa elliptic-curves diffie-hellman history
edited Jan 28 at 14:42
Ella Rose♦
16.3k44281
asked Jan 27 at 1:52
AiYagamiAiYagami
664
edited Jan 28 at 14:42
Ella Rose♦
16.3k44281
asked Jan 27 at 1:52
AiYagamiAiYagami
664
edited Jan 28 at 14:42
Ella Rose♦
16.3k44281
edited Jan 28 at 14:42
Ella Rose♦
16.3k44281
edited Jan 28 at 14:42
Ella Rose♦
16.3k44281
16.3k44281
asked Jan 27 at 1:52
AiYagamiAiYagami
664
asked Jan 27 at 1:52
AiYagamiAiYagami
664
asked Jan 27 at 1:52
AiYagamiAiYagami
664
664
1
$begingroup$
Please ask one question at a time. RSA and ECDH are not that much related to each other. We are now already in the situation that we have an answer that only focuses on the ECDH part - maybe it is a good idea to split off the RSA part into a different question.
$endgroup$
– Maarten Bodewes♦
Jan 27 at 17:34
$begingroup$
I removed thesecurity-definitiontag from the question as it did not appear to be relevant - if you really want some kind of formal definition of some formal term, please include the request explicitly in the question.
$endgroup$
– Ella Rose♦
Jan 27 at 18:00
$begingroup$
Note that (if I understand correctly) Diffie-Hellman key exchange by itself does not protect you against man-in-the-middle attacks.
$endgroup$
– Harry Johnston
Jan 27 at 23:11
add a comment |
1
$begingroup$
Please ask one question at a time. RSA and ECDH are not that much related to each other. We are now already in the situation that we have an answer that only focuses on the ECDH part - maybe it is a good idea to split off the RSA part into a different question.
$endgroup$
– Maarten Bodewes♦
Jan 27 at 17:34
$begingroup$
I removed thesecurity-definitiontag from the question as it did not appear to be relevant - if you really want some kind of formal definition of some formal term, please include the request explicitly in the question.
$endgroup$
– Ella Rose♦
Jan 27 at 18:00
$begingroup$
Note that (if I understand correctly) Diffie-Hellman key exchange by itself does not protect you against man-in-the-middle attacks.
$endgroup$
– Harry Johnston
Jan 27 at 23:11
1
1
$begingroup$
Please ask one question at a time. RSA and ECDH are not that much related to each other. We are now already in the situation that we have an answer that only focuses on the ECDH part - maybe it is a good idea to split off the RSA part into a different question.
$endgroup$
– Maarten Bodewes♦
Jan 27 at 17:34
$begingroup$
Please ask one question at a time. RSA and ECDH are not that much related to each other. We are now already in the situation that we have an answer that only focuses on the ECDH part - maybe it is a good idea to split off the RSA part into a different question.
$endgroup$
– Maarten Bodewes♦
Jan 27 at 17:34
$begingroup$
I removed the
security-definition tag from the question as it did not appear to be relevant - if you really want some kind of formal definition of some formal term, please include the request explicitly in the question.$endgroup$
– Ella Rose♦
Jan 27 at 18:00
$begingroup$
I removed the
security-definition tag from the question as it did not appear to be relevant - if you really want some kind of formal definition of some formal term, please include the request explicitly in the question.$endgroup$
– Ella Rose♦
Jan 27 at 18:00
$begingroup$
Note that (if I understand correctly) Diffie-Hellman key exchange by itself does not protect you against man-in-the-middle attacks.
$endgroup$
– Harry Johnston
Jan 27 at 23:11
$begingroup$
Note that (if I understand correctly) Diffie-Hellman key exchange by itself does not protect you against man-in-the-middle attacks.
$endgroup$
– Harry Johnston
Jan 27 at 23:11
add a comment |
2 Answers
2
active
oldest
votes
$begingroup$
What I wonder is, what motivated the creation of RSA? Was it because they wanted to create something more secure than Diffie-Hellman? And if so, why is it more secure?
The New Directions In Cryptography paper introduced the idea of public-key cryptography (though it had been proposed by Merkle before), and public-key cryptography was intended to solve two major problems: The key distribution problem, and the problem of authentication which is now referred to as "digital signatures".
Besides the general excitement of an entire new field of research being opened up, one of the motivations for RSA was to define a primitive that solved both problems of key distribution (or public-key encryption) as well as digital signatures. This is actually easy to see from just the title of the original RSA paper: "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems".
Their paper explicitly states this (emphasis mine):
... This method provides an implementation of a “public-key cryptosystem,” an elegant concept invented by Diffie and Hellman. Their article motivated our research, since they presented the concept but not any practical implementation of such a system.
Was it because they wanted to create something more secure than Diffie-Hellman? And if so, why is it more secure?
So as you can see, the answer to this question is "no" - it was simply a matter of accomplishing the feat at all, in general. The question of a given amount of security for a given amount of efficiency doesn't arise until after you at least have working examples of the concept.
Or was it because it was designed for other purposes which couldn't be accomplished with Diffie-Hellman?
As shown in the previous quotation, yes. Though, the world would later develop techniques that allow public-key encryption and digital signatures without requiring a trapdoor function/permutation.
As for the second part of your question, this other answer attempts to go into detail.
But basically, Diffie-Hellman works (as in correctness is guaranteed) for any finite cyclic group, (only a semigroup is actually required as inverses and identities are not used). There are generic attacks that apply irrespective of the actual group that you use, but for a given group there might exist attacks that are more efficient than the generic attacks. In finite field Diffie-Hellman (e.g. classic or "regular" Diffie-Hellman) there are non-generic attacks that do not apply or not known to have equivalents in the elliptic curve setting.
answered Jan 27 at 4:56
Ella Rose♦Ella Rose
16.3k44281
$endgroup$
2
$begingroup$
"Diffie-Hellman works for any finite cyclic group" unless I'm missing something a semigroup should actually suffice. You need neither an identity not inverses for DH to work.
$endgroup$
– Maeher
Jan 27 at 12:42
1
$begingroup$
"You need neither an identity not inverses for DH to work." did you mean to write "nor" instead of "not"? If yes, we both Ella and me can fix the comment for you...
$endgroup$
– Maarten Bodewes♦
Jan 27 at 21:20
$begingroup$
@MaartenBodewes did you forget to add (@)Maeher. he may not notice..
$endgroup$
– kelalaka
Jan 27 at 22:02
add a comment |
$begingroup$
Sadly I'd like to know an answer for your first question as well.
For your second question, you just need to see the difference between the description of a protocol and an actual instantiation of it (meaning, a cryptographic scheme). Diffie-Hellman is a cryptographic protocol, describing a way for two parties to exchange a common element in fixed ambient abelian finite group $G$, with cardinality $p$ (usually, a prime number). The security of DH will then be essentially defined as the smallest amount of operations in the group you can do to break the protocol. Brute forcing is the the most natural way to go: enumerate all possible solutions and you'll find the correct one. At worst, you will need to enumerate all $p$ elements. These guys are represented by binary strings of size $log p$, so the computer will take $p = 2^{log p}$ operations, an exponential number in the size of the input. If we cannot do better, then this protocol is "secure" and gives you $log p$ bits of security. Take $p approx 2^{128}$ and you have a 128-bits secure key-exhange... That is if you could not do better than brute-force.
Let's say you do not have any information about the said group $G$ apart from computing its group law and testing for equality (this is an informal way of saying that you consider your group as a generic group). Then the best way to recover the shared element if you're not one of the two parties is to solve a discrete logarithm problem in $G$: given $g$ a generator, and $h = g^x$, compute $x$. I hope not to be burnt alive by people noticing that DLP and ECDH are not exactly the same problem, but for the sake of this discussion, let's say they are.
It is known (a theorem by Shoup, or Nechaev if you can read russian) that you will need (at least) $Omega(sqrt p)$ group operations to compute $x$. In fact, there are well-known algorithms that run in $O(sqrt{p})$ to do that: Big-step-Giant-steps, or $rho$-Pollard style random walks. These algorithms are therefore optimal in the generic group "model", and you can see that they require exponential time in the size of the group elements. To achieve 128 bits of security, you would need a $256$ bits prime.
Now in real life, you will instantiate $G$ to some actual group. For example, you could chose $(mathbb Z/pmathbb Z, +)$. However, the DLP here is trivial to solve: it's essentially extended Euclid algorithm which runs in $O(log^2 p)$: this is quadratic in the size of the group elements, therefore you will definitely not do crypto with this: your prime would need to be absurdly huge to guarantee 128 bits of security (and then all inputs would be of the size of this prime).
But you could also select the group of rational points of an elliptic curve defined over a prime field: this is commonly defined as ECDH. In this latter group, in the current state-of-the-art, we do not know a better algorithm that the ones I gave you in the generic model (apart from very special cases that are irrelevant nowadays since they can be avoided easily). In other words, the best known algorithms to solve ECDH run in exponential-time. So compared to, say, DH over $mathbb Z/pmathbb Z$, it "gives more security", but notice that this is relevant to the group, not the protocol itself.
There are other possible instantiations. Invertible of finite fields, elliptic curves over extension fields, more complicated algebraic groups. Elliptic curves give a very nice combination of efficiency and security.
answered Jan 27 at 2:45
KeiOhKeiOh
912
$endgroup$
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66810%2fwhat-motivated-the-creation-of-rsa-and-ecdh%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
What I wonder is, what motivated the creation of RSA? Was it because they wanted to create something more secure than Diffie-Hellman? And if so, why is it more secure?
The New Directions In Cryptography paper introduced the idea of public-key cryptography (though it had been proposed by Merkle before), and public-key cryptography was intended to solve two major problems: The key distribution problem, and the problem of authentication which is now referred to as "digital signatures".
Besides the general excitement of an entire new field of research being opened up, one of the motivations for RSA was to define a primitive that solved both problems of key distribution (or public-key encryption) as well as digital signatures. This is actually easy to see from just the title of the original RSA paper: "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems".
Their paper explicitly states this (emphasis mine):
... This method provides an implementation of a “public-key cryptosystem,” an elegant concept invented by Diffie and Hellman. Their article motivated our research, since they presented the concept but not any practical implementation of such a system.
Was it because they wanted to create something more secure than Diffie-Hellman? And if so, why is it more secure?
So as you can see, the answer to this question is "no" - it was simply a matter of accomplishing the feat at all, in general. The question of a given amount of security for a given amount of efficiency doesn't arise until after you at least have working examples of the concept.
Or was it because it was designed for other purposes which couldn't be accomplished with Diffie-Hellman?
As shown in the previous quotation, yes. Though, the world would later develop techniques that allow public-key encryption and digital signatures without requiring a trapdoor function/permutation.
As for the second part of your question, this other answer attempts to go into detail.
But basically, Diffie-Hellman works (as in correctness is guaranteed) for any finite cyclic group, (only a semigroup is actually required as inverses and identities are not used). There are generic attacks that apply irrespective of the actual group that you use, but for a given group there might exist attacks that are more efficient than the generic attacks. In finite field Diffie-Hellman (e.g. classic or "regular" Diffie-Hellman) there are non-generic attacks that do not apply or not known to have equivalents in the elliptic curve setting.
answered Jan 27 at 4:56
Ella Rose♦Ella Rose
16.3k44281
$endgroup$
2
$begingroup$
"Diffie-Hellman works for any finite cyclic group" unless I'm missing something a semigroup should actually suffice. You need neither an identity not inverses for DH to work.
$endgroup$
– Maeher
Jan 27 at 12:42
1
$begingroup$
"You need neither an identity not inverses for DH to work." did you mean to write "nor" instead of "not"? If yes, we both Ella and me can fix the comment for you...
$endgroup$
– Maarten Bodewes♦
Jan 27 at 21:20
$begingroup$
@MaartenBodewes did you forget to add (@)Maeher. he may not notice..
$endgroup$
– kelalaka
Jan 27 at 22:02
add a comment |
$begingroup$
What I wonder is, what motivated the creation of RSA? Was it because they wanted to create something more secure than Diffie-Hellman? And if so, why is it more secure?
The New Directions In Cryptography paper introduced the idea of public-key cryptography (though it had been proposed by Merkle before), and public-key cryptography was intended to solve two major problems: The key distribution problem, and the problem of authentication which is now referred to as "digital signatures".
Besides the general excitement of an entire new field of research being opened up, one of the motivations for RSA was to define a primitive that solved both problems of key distribution (or public-key encryption) as well as digital signatures. This is actually easy to see from just the title of the original RSA paper: "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems".
Their paper explicitly states this (emphasis mine):
... This method provides an implementation of a “public-key cryptosystem,” an elegant concept invented by Diffie and Hellman. Their article motivated our research, since they presented the concept but not any practical implementation of such a system.
Was it because they wanted to create something more secure than Diffie-Hellman? And if so, why is it more secure?
So as you can see, the answer to this question is "no" - it was simply a matter of accomplishing the feat at all, in general. The question of a given amount of security for a given amount of efficiency doesn't arise until after you at least have working examples of the concept.
Or was it because it was designed for other purposes which couldn't be accomplished with Diffie-Hellman?
As shown in the previous quotation, yes. Though, the world would later develop techniques that allow public-key encryption and digital signatures without requiring a trapdoor function/permutation.
As for the second part of your question, this other answer attempts to go into detail.
But basically, Diffie-Hellman works (as in correctness is guaranteed) for any finite cyclic group, (only a semigroup is actually required as inverses and identities are not used). There are generic attacks that apply irrespective of the actual group that you use, but for a given group there might exist attacks that are more efficient than the generic attacks. In finite field Diffie-Hellman (e.g. classic or "regular" Diffie-Hellman) there are non-generic attacks that do not apply or not known to have equivalents in the elliptic curve setting.
answered Jan 27 at 4:56
Ella Rose♦Ella Rose
16.3k44281
$endgroup$
2
$begingroup$
"Diffie-Hellman works for any finite cyclic group" unless I'm missing something a semigroup should actually suffice. You need neither an identity not inverses for DH to work.
$endgroup$
– Maeher
Jan 27 at 12:42
1
$begingroup$
"You need neither an identity not inverses for DH to work." did you mean to write "nor" instead of "not"? If yes, we both Ella and me can fix the comment for you...
$endgroup$
– Maarten Bodewes♦
Jan 27 at 21:20
$begingroup$
@MaartenBodewes did you forget to add (@)Maeher. he may not notice..
$endgroup$
– kelalaka
Jan 27 at 22:02
add a comment |
$begingroup$
What I wonder is, what motivated the creation of RSA? Was it because they wanted to create something more secure than Diffie-Hellman? And if so, why is it more secure?
The New Directions In Cryptography paper introduced the idea of public-key cryptography (though it had been proposed by Merkle before), and public-key cryptography was intended to solve two major problems: The key distribution problem, and the problem of authentication which is now referred to as "digital signatures".
Besides the general excitement of an entire new field of research being opened up, one of the motivations for RSA was to define a primitive that solved both problems of key distribution (or public-key encryption) as well as digital signatures. This is actually easy to see from just the title of the original RSA paper: "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems".
Their paper explicitly states this (emphasis mine):
... This method provides an implementation of a “public-key cryptosystem,” an elegant concept invented by Diffie and Hellman. Their article motivated our research, since they presented the concept but not any practical implementation of such a system.
Was it because they wanted to create something more secure than Diffie-Hellman? And if so, why is it more secure?
So as you can see, the answer to this question is "no" - it was simply a matter of accomplishing the feat at all, in general. The question of a given amount of security for a given amount of efficiency doesn't arise until after you at least have working examples of the concept.
Or was it because it was designed for other purposes which couldn't be accomplished with Diffie-Hellman?
As shown in the previous quotation, yes. Though, the world would later develop techniques that allow public-key encryption and digital signatures without requiring a trapdoor function/permutation.
As for the second part of your question, this other answer attempts to go into detail.
But basically, Diffie-Hellman works (as in correctness is guaranteed) for any finite cyclic group, (only a semigroup is actually required as inverses and identities are not used). There are generic attacks that apply irrespective of the actual group that you use, but for a given group there might exist attacks that are more efficient than the generic attacks. In finite field Diffie-Hellman (e.g. classic or "regular" Diffie-Hellman) there are non-generic attacks that do not apply or not known to have equivalents in the elliptic curve setting.
answered Jan 27 at 4:56
Ella Rose♦Ella Rose
16.3k44281
$endgroup$
What I wonder is, what motivated the creation of RSA? Was it because they wanted to create something more secure than Diffie-Hellman? And if so, why is it more secure?
The New Directions In Cryptography paper introduced the idea of public-key cryptography (though it had been proposed by Merkle before), and public-key cryptography was intended to solve two major problems: The key distribution problem, and the problem of authentication which is now referred to as "digital signatures".
Besides the general excitement of an entire new field of research being opened up, one of the motivations for RSA was to define a primitive that solved both problems of key distribution (or public-key encryption) as well as digital signatures. This is actually easy to see from just the title of the original RSA paper: "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems".
Their paper explicitly states this (emphasis mine):
... This method provides an implementation of a “public-key cryptosystem,” an elegant concept invented by Diffie and Hellman. Their article motivated our research, since they presented the concept but not any practical implementation of such a system.
Was it because they wanted to create something more secure than Diffie-Hellman? And if so, why is it more secure?
So as you can see, the answer to this question is "no" - it was simply a matter of accomplishing the feat at all, in general. The question of a given amount of security for a given amount of efficiency doesn't arise until after you at least have working examples of the concept.
Or was it because it was designed for other purposes which couldn't be accomplished with Diffie-Hellman?
As shown in the previous quotation, yes. Though, the world would later develop techniques that allow public-key encryption and digital signatures without requiring a trapdoor function/permutation.
As for the second part of your question, this other answer attempts to go into detail.
But basically, Diffie-Hellman works (as in correctness is guaranteed) for any finite cyclic group, (only a semigroup is actually required as inverses and identities are not used). There are generic attacks that apply irrespective of the actual group that you use, but for a given group there might exist attacks that are more efficient than the generic attacks. In finite field Diffie-Hellman (e.g. classic or "regular" Diffie-Hellman) there are non-generic attacks that do not apply or not known to have equivalents in the elliptic curve setting.
answered Jan 27 at 4:56
Ella Rose♦Ella Rose
16.3k44281
edited Jan 27 at 18:02
answered Jan 27 at 4:56
Ella Rose♦Ella Rose
16.3k44281
answered Jan 27 at 4:56
Ella Rose♦Ella Rose
16.3k44281
answered Jan 27 at 4:56
Ella Rose♦Ella Rose
16.3k44281
16.3k44281
2
$begingroup$
"Diffie-Hellman works for any finite cyclic group" unless I'm missing something a semigroup should actually suffice. You need neither an identity not inverses for DH to work.
$endgroup$
– Maeher
Jan 27 at 12:42
1
$begingroup$
"You need neither an identity not inverses for DH to work." did you mean to write "nor" instead of "not"? If yes, we both Ella and me can fix the comment for you...
$endgroup$
– Maarten Bodewes♦
Jan 27 at 21:20
$begingroup$
@MaartenBodewes did you forget to add (@)Maeher. he may not notice..
$endgroup$
– kelalaka
Jan 27 at 22:02
add a comment |
2
$begingroup$
"Diffie-Hellman works for any finite cyclic group" unless I'm missing something a semigroup should actually suffice. You need neither an identity not inverses for DH to work.
$endgroup$
– Maeher
Jan 27 at 12:42
1
$begingroup$
"You need neither an identity not inverses for DH to work." did you mean to write "nor" instead of "not"? If yes, we both Ella and me can fix the comment for you...
$endgroup$
– Maarten Bodewes♦
Jan 27 at 21:20
$begingroup$
@MaartenBodewes did you forget to add (@)Maeher. he may not notice..
$endgroup$
– kelalaka
Jan 27 at 22:02
2
2
$begingroup$
"Diffie-Hellman works for any finite cyclic group" unless I'm missing something a semigroup should actually suffice. You need neither an identity not inverses for DH to work.
$endgroup$
– Maeher
Jan 27 at 12:42
$begingroup$
"Diffie-Hellman works for any finite cyclic group" unless I'm missing something a semigroup should actually suffice. You need neither an identity not inverses for DH to work.
$endgroup$
– Maeher
Jan 27 at 12:42
1
1
$begingroup$
"You need neither an identity not inverses for DH to work." did you mean to write "nor" instead of "not"? If yes, we both Ella and me can fix the comment for you...
$endgroup$
– Maarten Bodewes♦
Jan 27 at 21:20
$begingroup$
"You need neither an identity not inverses for DH to work." did you mean to write "nor" instead of "not"? If yes, we both Ella and me can fix the comment for you...
$endgroup$
– Maarten Bodewes♦
Jan 27 at 21:20
$begingroup$
@MaartenBodewes did you forget to add (@)Maeher. he may not notice..
$endgroup$
– kelalaka
Jan 27 at 22:02
$begingroup$
@MaartenBodewes did you forget to add (@)Maeher. he may not notice..
$endgroup$
– kelalaka
Jan 27 at 22:02
add a comment |
$begingroup$
Sadly I'd like to know an answer for your first question as well.
For your second question, you just need to see the difference between the description of a protocol and an actual instantiation of it (meaning, a cryptographic scheme). Diffie-Hellman is a cryptographic protocol, describing a way for two parties to exchange a common element in fixed ambient abelian finite group $G$, with cardinality $p$ (usually, a prime number). The security of DH will then be essentially defined as the smallest amount of operations in the group you can do to break the protocol. Brute forcing is the the most natural way to go: enumerate all possible solutions and you'll find the correct one. At worst, you will need to enumerate all $p$ elements. These guys are represented by binary strings of size $log p$, so the computer will take $p = 2^{log p}$ operations, an exponential number in the size of the input. If we cannot do better, then this protocol is "secure" and gives you $log p$ bits of security. Take $p approx 2^{128}$ and you have a 128-bits secure key-exhange... That is if you could not do better than brute-force.
Let's say you do not have any information about the said group $G$ apart from computing its group law and testing for equality (this is an informal way of saying that you consider your group as a generic group). Then the best way to recover the shared element if you're not one of the two parties is to solve a discrete logarithm problem in $G$: given $g$ a generator, and $h = g^x$, compute $x$. I hope not to be burnt alive by people noticing that DLP and ECDH are not exactly the same problem, but for the sake of this discussion, let's say they are.
It is known (a theorem by Shoup, or Nechaev if you can read russian) that you will need (at least) $Omega(sqrt p)$ group operations to compute $x$. In fact, there are well-known algorithms that run in $O(sqrt{p})$ to do that: Big-step-Giant-steps, or $rho$-Pollard style random walks. These algorithms are therefore optimal in the generic group "model", and you can see that they require exponential time in the size of the group elements. To achieve 128 bits of security, you would need a $256$ bits prime.
Now in real life, you will instantiate $G$ to some actual group. For example, you could chose $(mathbb Z/pmathbb Z, +)$. However, the DLP here is trivial to solve: it's essentially extended Euclid algorithm which runs in $O(log^2 p)$: this is quadratic in the size of the group elements, therefore you will definitely not do crypto with this: your prime would need to be absurdly huge to guarantee 128 bits of security (and then all inputs would be of the size of this prime).
But you could also select the group of rational points of an elliptic curve defined over a prime field: this is commonly defined as ECDH. In this latter group, in the current state-of-the-art, we do not know a better algorithm that the ones I gave you in the generic model (apart from very special cases that are irrelevant nowadays since they can be avoided easily). In other words, the best known algorithms to solve ECDH run in exponential-time. So compared to, say, DH over $mathbb Z/pmathbb Z$, it "gives more security", but notice that this is relevant to the group, not the protocol itself.
There are other possible instantiations. Invertible of finite fields, elliptic curves over extension fields, more complicated algebraic groups. Elliptic curves give a very nice combination of efficiency and security.
answered Jan 27 at 2:45
KeiOhKeiOh
912
$endgroup$
add a comment |
$begingroup$
Sadly I'd like to know an answer for your first question as well.
For your second question, you just need to see the difference between the description of a protocol and an actual instantiation of it (meaning, a cryptographic scheme). Diffie-Hellman is a cryptographic protocol, describing a way for two parties to exchange a common element in fixed ambient abelian finite group $G$, with cardinality $p$ (usually, a prime number). The security of DH will then be essentially defined as the smallest amount of operations in the group you can do to break the protocol. Brute forcing is the the most natural way to go: enumerate all possible solutions and you'll find the correct one. At worst, you will need to enumerate all $p$ elements. These guys are represented by binary strings of size $log p$, so the computer will take $p = 2^{log p}$ operations, an exponential number in the size of the input. If we cannot do better, then this protocol is "secure" and gives you $log p$ bits of security. Take $p approx 2^{128}$ and you have a 128-bits secure key-exhange... That is if you could not do better than brute-force.
Let's say you do not have any information about the said group $G$ apart from computing its group law and testing for equality (this is an informal way of saying that you consider your group as a generic group). Then the best way to recover the shared element if you're not one of the two parties is to solve a discrete logarithm problem in $G$: given $g$ a generator, and $h = g^x$, compute $x$. I hope not to be burnt alive by people noticing that DLP and ECDH are not exactly the same problem, but for the sake of this discussion, let's say they are.
It is known (a theorem by Shoup, or Nechaev if you can read russian) that you will need (at least) $Omega(sqrt p)$ group operations to compute $x$. In fact, there are well-known algorithms that run in $O(sqrt{p})$ to do that: Big-step-Giant-steps, or $rho$-Pollard style random walks. These algorithms are therefore optimal in the generic group "model", and you can see that they require exponential time in the size of the group elements. To achieve 128 bits of security, you would need a $256$ bits prime.
Now in real life, you will instantiate $G$ to some actual group. For example, you could chose $(mathbb Z/pmathbb Z, +)$. However, the DLP here is trivial to solve: it's essentially extended Euclid algorithm which runs in $O(log^2 p)$: this is quadratic in the size of the group elements, therefore you will definitely not do crypto with this: your prime would need to be absurdly huge to guarantee 128 bits of security (and then all inputs would be of the size of this prime).
But you could also select the group of rational points of an elliptic curve defined over a prime field: this is commonly defined as ECDH. In this latter group, in the current state-of-the-art, we do not know a better algorithm that the ones I gave you in the generic model (apart from very special cases that are irrelevant nowadays since they can be avoided easily). In other words, the best known algorithms to solve ECDH run in exponential-time. So compared to, say, DH over $mathbb Z/pmathbb Z$, it "gives more security", but notice that this is relevant to the group, not the protocol itself.
There are other possible instantiations. Invertible of finite fields, elliptic curves over extension fields, more complicated algebraic groups. Elliptic curves give a very nice combination of efficiency and security.
answered Jan 27 at 2:45
KeiOhKeiOh
912
$endgroup$
add a comment |
$begingroup$
Sadly I'd like to know an answer for your first question as well.
For your second question, you just need to see the difference between the description of a protocol and an actual instantiation of it (meaning, a cryptographic scheme). Diffie-Hellman is a cryptographic protocol, describing a way for two parties to exchange a common element in fixed ambient abelian finite group $G$, with cardinality $p$ (usually, a prime number). The security of DH will then be essentially defined as the smallest amount of operations in the group you can do to break the protocol. Brute forcing is the the most natural way to go: enumerate all possible solutions and you'll find the correct one. At worst, you will need to enumerate all $p$ elements. These guys are represented by binary strings of size $log p$, so the computer will take $p = 2^{log p}$ operations, an exponential number in the size of the input. If we cannot do better, then this protocol is "secure" and gives you $log p$ bits of security. Take $p approx 2^{128}$ and you have a 128-bits secure key-exhange... That is if you could not do better than brute-force.
Let's say you do not have any information about the said group $G$ apart from computing its group law and testing for equality (this is an informal way of saying that you consider your group as a generic group). Then the best way to recover the shared element if you're not one of the two parties is to solve a discrete logarithm problem in $G$: given $g$ a generator, and $h = g^x$, compute $x$. I hope not to be burnt alive by people noticing that DLP and ECDH are not exactly the same problem, but for the sake of this discussion, let's say they are.
It is known (a theorem by Shoup, or Nechaev if you can read russian) that you will need (at least) $Omega(sqrt p)$ group operations to compute $x$. In fact, there are well-known algorithms that run in $O(sqrt{p})$ to do that: Big-step-Giant-steps, or $rho$-Pollard style random walks. These algorithms are therefore optimal in the generic group "model", and you can see that they require exponential time in the size of the group elements. To achieve 128 bits of security, you would need a $256$ bits prime.
Now in real life, you will instantiate $G$ to some actual group. For example, you could chose $(mathbb Z/pmathbb Z, +)$. However, the DLP here is trivial to solve: it's essentially extended Euclid algorithm which runs in $O(log^2 p)$: this is quadratic in the size of the group elements, therefore you will definitely not do crypto with this: your prime would need to be absurdly huge to guarantee 128 bits of security (and then all inputs would be of the size of this prime).
But you could also select the group of rational points of an elliptic curve defined over a prime field: this is commonly defined as ECDH. In this latter group, in the current state-of-the-art, we do not know a better algorithm that the ones I gave you in the generic model (apart from very special cases that are irrelevant nowadays since they can be avoided easily). In other words, the best known algorithms to solve ECDH run in exponential-time. So compared to, say, DH over $mathbb Z/pmathbb Z$, it "gives more security", but notice that this is relevant to the group, not the protocol itself.
There are other possible instantiations. Invertible of finite fields, elliptic curves over extension fields, more complicated algebraic groups. Elliptic curves give a very nice combination of efficiency and security.
answered Jan 27 at 2:45
KeiOhKeiOh
912
$endgroup$
Sadly I'd like to know an answer for your first question as well.
For your second question, you just need to see the difference between the description of a protocol and an actual instantiation of it (meaning, a cryptographic scheme). Diffie-Hellman is a cryptographic protocol, describing a way for two parties to exchange a common element in fixed ambient abelian finite group $G$, with cardinality $p$ (usually, a prime number). The security of DH will then be essentially defined as the smallest amount of operations in the group you can do to break the protocol. Brute forcing is the the most natural way to go: enumerate all possible solutions and you'll find the correct one. At worst, you will need to enumerate all $p$ elements. These guys are represented by binary strings of size $log p$, so the computer will take $p = 2^{log p}$ operations, an exponential number in the size of the input. If we cannot do better, then this protocol is "secure" and gives you $log p$ bits of security. Take $p approx 2^{128}$ and you have a 128-bits secure key-exhange... That is if you could not do better than brute-force.
Let's say you do not have any information about the said group $G$ apart from computing its group law and testing for equality (this is an informal way of saying that you consider your group as a generic group). Then the best way to recover the shared element if you're not one of the two parties is to solve a discrete logarithm problem in $G$: given $g$ a generator, and $h = g^x$, compute $x$. I hope not to be burnt alive by people noticing that DLP and ECDH are not exactly the same problem, but for the sake of this discussion, let's say they are.
It is known (a theorem by Shoup, or Nechaev if you can read russian) that you will need (at least) $Omega(sqrt p)$ group operations to compute $x$. In fact, there are well-known algorithms that run in $O(sqrt{p})$ to do that: Big-step-Giant-steps, or $rho$-Pollard style random walks. These algorithms are therefore optimal in the generic group "model", and you can see that they require exponential time in the size of the group elements. To achieve 128 bits of security, you would need a $256$ bits prime.
Now in real life, you will instantiate $G$ to some actual group. For example, you could chose $(mathbb Z/pmathbb Z, +)$. However, the DLP here is trivial to solve: it's essentially extended Euclid algorithm which runs in $O(log^2 p)$: this is quadratic in the size of the group elements, therefore you will definitely not do crypto with this: your prime would need to be absurdly huge to guarantee 128 bits of security (and then all inputs would be of the size of this prime).
But you could also select the group of rational points of an elliptic curve defined over a prime field: this is commonly defined as ECDH. In this latter group, in the current state-of-the-art, we do not know a better algorithm that the ones I gave you in the generic model (apart from very special cases that are irrelevant nowadays since they can be avoided easily). In other words, the best known algorithms to solve ECDH run in exponential-time. So compared to, say, DH over $mathbb Z/pmathbb Z$, it "gives more security", but notice that this is relevant to the group, not the protocol itself.
There are other possible instantiations. Invertible of finite fields, elliptic curves over extension fields, more complicated algebraic groups. Elliptic curves give a very nice combination of efficiency and security.
answered Jan 27 at 2:45
KeiOhKeiOh
912
answered Jan 27 at 2:45
KeiOhKeiOh
912
answered Jan 27 at 2:45
KeiOhKeiOh
912
answered Jan 27 at 2:45
KeiOhKeiOh
912
912
add a comment |
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66810%2fwhat-motivated-the-creation-of-rsa-and-ecdh%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
$begingroup$
Please ask one question at a time. RSA and ECDH are not that much related to each other. We are now already in the situation that we have an answer that only focuses on the ECDH part - maybe it is a good idea to split off the RSA part into a different question.
$endgroup$
– Maarten Bodewes♦
Jan 27 at 17:34
$begingroup$
I removed the
security-definitiontag from the question as it did not appear to be relevant - if you really want some kind of formal definition of some formal term, please include the request explicitly in the question.$endgroup$
– Ella Rose♦
Jan 27 at 18:00
$begingroup$
Note that (if I understand correctly) Diffie-Hellman key exchange by itself does not protect you against man-in-the-middle attacks.
$endgroup$
– Harry Johnston
Jan 27 at 23:11