## A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup (1997)

Citations: 66 (2 self)

### BibTeX

@INPROCEEDINGS{Lim97akey,
author = {Chae Hoon Lim and Pil Joong Lee},
title = {A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup},
booktitle = {},
year = {1997},
pages = {249--263},
publisher = {Springer-Verlag}
}

### Abstract

Consider the well-known oracle attack: somehow one gets a certain computation result as a function of a secret key from the secret key owner and tries to extract some information on the secret key. This attacking scenario is well understood in the cryptographic community. However, there are many protocols based on the discrete logarithm problem that turn out to leak many of the secret key bits under this oracle attack, unless suitable checks are carried out. In this paper we present a key recovery attack on various discrete log-based schemes working in a prime order subgroup. Our attack can disclose part of, or the whole, secret key in most Diffie-Hellman-type key exchange protocols and some applications of ElGamal encryption and signature schemes.

Key Words: Key recovery attack, Discrete logarithms, Key exchange, Digital signatures.

1 Introduction. Many cryptographic protocols have been developed based on the discrete logarithm problem. The main objective of developers is to design...
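As an added example (not code from the paper), the two checks the abstract and the citation contexts call for, at toy size: the membership test $y^q = 1 \bmod p$ on every received value, and the parameter rule that each prime factor of $(p-1)/2q$ be larger than $q$. The parameters $q = 11$, $p = 67$ and $p = 419$ are constructed for illustration; `element_of_order` exists only to build negative test vectors for the membership check.

```python
# Added example, not code from the Lim-Lee paper. Constructed toy parameters:
# q = 11; p = 67 = 2*3*q + 1 has a cofactor with the small factor 3, while
# p = 419 = 2*19*q + 1 has a cofactor whose only prime factor 19 exceeds q.

def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def prime_factors(n):
    """Distinct prime factors of n by trial division."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def validate_parameters(p, q):
    """p, q prime, 2q | p-1, and every prime factor of (p-1)/2q larger than q,
    so no usable small-order subgroup exists outside G_q (at real sizes a
    prime cofactor, the paper's other alternative, satisfies this)."""
    if not (is_prime(p) and is_prime(q) and (p - 1) % (2 * q) == 0):
        return False
    cofactor = (p - 1) // (2 * q)
    return all(f > q for f in prime_factors(cofactor))

def validate_element(p, q, y):
    """The check the paper asks for on a received value y: 1 < y < p and
    y^q = 1 (mod p). Rejects 1, p-1 and every element of a cofactor subgroup."""
    return 1 < y < p and pow(y, q, p) == 1

def element_of_order(p, w):
    """Some element of exact order w (w prime, w | p-1); test vectors only."""
    assert (p - 1) % w == 0 and is_prime(w)
    for a in range(2, p):
        h = pow(a, (p - 1) // w, p)
        if h != 1:          # order divides the prime w and is not 1, so it is w
            return h
    raise ValueError("no element of that order")

def multiplicative_order(p, y):
    """How many distinct values y^k mod p can take: for an unchecked small-order
    y this is the whole range a key-exchange result can have."""
    k, acc = 1, y % p
    while acc != 1:
        acc = acc * y % p
        k += 1
    return k
```

With `p = 67`, a generator `g` of the order-11 subgroup passes `validate_element`, while `element_of_order(67, 3)` fails it and `multiplicative_order` shows its powers take only three values; `validate_parameters(67, 11)` is False and `validate_parameters(419, 11)` is True.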

### Citations

2966 | New Directions in Cryptography
- Diffie, Hellman
- 1976
Citation Context: ...secret. Our attack may find the whole secret key in many cases. Related Work: Previous work most relevant to our attack is the middleperson attack on the original Diffie-Hellman key exchange protocol [16] (see [40, 2]). Two parties A and B agree on a prime p and a generator $\alpha$ of $Z_p$, exchange random exponentials, $r_A = \alpha^{k_A} \bmod p$ and $r_B = \alpha^{k_B} \bmod p$, and then compute a shared secret $K = r_B^{k_A} = \ldots$

1947 | How to share a secret
- Shamir
- 1979
Citation Context: ...we may need to encrypt the message in such a way that only an authorized subset of receivers can decrypt the ciphertext. This can be done using ElGamal encryption and Shamir's secret sharing scheme [36]. As an example, we consider a prime field implementation of the threshold cryptosystem proposed by Desmedt and Frankel [15]. Let G be a group of n members and $y_G = g^{x_G} \bmod p$ be a public key of the ...

1233 | A public-key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
Citation Context: ...undeniable signatures [12, 8, 28]. 3.1 Shared Decryption of ElGamal Encryption. ElGamal encryption of message m for user A consists of $\{c_1, c_2\}$, where $c_1 = g^k \bmod p$ with $k \in_R Z_q$ and $c_2 = m y_A^k \bmod p$ [18]. The receiver A can decrypt the ciphertext $\{c_1, c_2\}$ by computing $m = c_2 c_1^{-x_A} \bmod p$. In some group-oriented applications we may need to encrypt the message in such a way that only an aut...

528 | Group signatures
- Chaum, van Heyst
Citation Context: ...examples that we have found in the literature. They include threshold cryptosystems based on ElGamal encryption [15], anonymous channels used in electronic voting schemes [29, 35] and undeniable signatures [12, 8, 28]. 3.1 Shared Decryption of ElGamal Encryption. ElGamal encryption of message m for user A consists of $\{c_1, c_2\}$, where $c_1 = g^k \bmod p$ with $k \in_R Z_q$ and $c_2 = m y_A^k \bmod p$ [18]. The receiver A can d...

329 | An improved algorithm for computing logarithms over GF(p) and its cryptographic significance
- Pohlig, Hellman
- 1978
Citation Context: ...Decomposition and Pollard's Methods: The discrete logarithm problem over $Z_p$ can be broken down into a number of small such sub-problems defined over small order subgroups of $Z_p$ (Pohlig-Hellman decomposition [32]). Then these sub-problems can be solved using Pollard's rho and lambda methods [34] and the resulting partial logarithms can be combined using the Chinese Remainder Theorem to give the pursued discre...

324 | Efficient Identification and Signatures for Smart Cards
- Schnorr
- 1990
Citation Context: ...efficiency in computation and parameter generation (see [40, 2] for further discussions). Thus most DL-based schemes have been designed using a prime order subgroup since its first invention by Schnorr [37]. However, this paper will show potential weaknesses in such a setting. Our attack on key exchange protocols is quite similar to the above attack, except that our target protocols use a prime order su...

315 | Wallet databases with observers
- Chaum, Pedersen
- 1993
Citation Context: ...$m^q = 1 \bmod p$, where x is the signer's secret key. We could find several examples in the literature. As a first example, we consider the validator issuing protocol by Chaum and Pedersen (see Sec. 4 in [13]). The purpose of this protocol is that a center Z issues a validator to a `wallet with observer' (consisting of a computer C and a tamper-proof module T embedded inside C). The validator is an unlink...

271 | Threshold cryptosystems
- Desmedt, Frankel
- 1990
Citation Context: ...protocols which may be susceptible to our attack. In this section we present several such examples that we have found in the literature. They include threshold cryptosystems based on ElGamal encryption [15], anonymous channels used in electronic voting schemes [29, 35] and undeniable signatures [12, 8, 28]. 3.1 Shared Decryption of ElGamal Encryption. ElGamal encryption of message m for user A consists o...

250 | Monte Carlo methods for index computation mod p
- Pollard
- 1978
Citation Context: ...broken down into a number of small such sub-problems defined over small order subgroups of $Z_p$ (Pohlig-Hellman decomposition [32]). Then these sub-problems can be solved using Pollard's rho and lambda methods [34] and the resulting partial logarithms can be combined using the Chinese Remainder Theorem to give the pursued discrete logarithm. For simplicity, suppose that $p - 1 = \prod_{i=1}^{n} q_i$ ($q_i$ prime). Let...

233 | Untraceable Off-line Cash in Wallets with Observers
- Brands
- 1993
Citation Context: ...in the thought that C can only obtain an undeniable signature for a random message, but this omission causes a fatal attack as above. In Brands's electronic cash scheme using a wallet with observers [6] (see [7] for more details), each user computes $I = g_1^u \bmod p$ with $u \in_R Z_q$ and sends it to the bank, which generates a signature $z = (I g_2)^x \bmod p$ ($g_1, g_2$ generators of a subgroup of order q)....

225 | Security proofs for signature schemes
- Pointcheval, Stern
- 1996
Citation Context: ...proof is based). The most fundamental is to use secure parameters and check the properties or requirements assumed to be satisfied. To see this, for example, we refer the reader to Pointcheval and Stern [33] for security proof and Bleichenbacher [4] for signature forgery in ElGamal-type signature schemes, together with Stern [38] for further discussions on their apparent contradiction. The purpose of thi...

143 | An Efficient Off-Line Electronic Cash System Based on the Representation Problem
- Brands
- 1993
Citation Context: ...thought that C can only obtain an undeniable signature for a random message, but this omission causes a fatal attack as above. In Brands's electronic cash scheme using a wallet with observers [6] (see [7] for more details), each user computes $I = g_1^u \bmod p$ with $u \in_R Z_q$ and sends it to the bank, which generates a signature $z = (I g_2)^x \bmod p$ ($g_1, g_2$ generators of a subgroup of order q). In this ...

123 | SKEME: A Versatile Secure Key Exchange Mechanism for Internet
- Krawczyk
Citation Context: ...$(\alpha^q)^{k_A k_B} \bmod p$, which can also be computed by the attacker since he can find $k_i \bmod w$ from $r_i$. This attack can be easily prevented by authenticating the random exchange, as in the STS [17] and SKEME [21] protocols.$^2$ The above attack motivates the use of a prime order subgroup, which also substantially increases the efficiency in computation and parameter generation (see [40, 2] for further discussio...

121 | Robustness Principles for Public Key Protocols
- Anderson, Needham
- 1995
Citation Context: ...schemes, since the involved parties do not check relevant protocol variables. Though there are several papers pointing out the importance of checking public parameters and protocol variables (e.g., see [4, 41, 1, 40, 2]) in DH key exchange and digital signature schemes, no literature addresses such an explicit attack revealing the involved secret. Our attack may find the whole secret key in many cases. Related Work ...

93 | Efficient Anonymous Channel and All/Nothing Election Scheme
- Park, Itoh, et al.
- 1994
Citation Context: ...In this section we present several such examples that we have found in the literature. They include threshold cryptosystems based on ElGamal encryption [15], anonymous channels used in electronic voting schemes [29, 35] and undeniable signatures [12, 8, 28]. 3.1 Shared Decryption of ElGamal Encryption. ElGamal encryption of message m for user A consists of $\{c_1, c_2\}$, where $c_1 = g^k \bmod p$ with $k \in_R Z_q$ and $c_2 = m\ldots$

73 | Authenticated multi-party key agreement
- Just, Vaudenay
- 1996
Citation Context: ...the following key exchange protocol, which is an authenticated version of the MTI (Matsumoto-Takashima-Imai) protocol [26]. This protocol, with slight changes, is widely studied in the literature (e.g., see [27, 20]) and is also being standardized in ISO/IEC JTC1/SC27 [43]. 1. A randomly picks $k_A \in Z_q$, computes $r_A = g^{k_A} \bmod p$ and sends $r_A$ to B. 2. B randomly picks $k_B \in Z_q$, computes $r_B = g^{k_B} \bmod p$, $K_B = \ldots$

71 | Distributed provers with applications to undeniable signatures
- Pedersen
- 1991
Citation Context: ...$z \bmod \mathrm{ord}(\gamma)$. This shows that the confirmation protocol cannot be zero-knowledge against a dishonest verifier. It is essential for S to check that $(ch)^q = 1 \bmod p$ in step 3. In a variant by Pedersen [30], S computes $h_1, h_2$ as $h_1 = (ch)^c \bmod p$ with $c \in_R Z_q$ and $h_2 = h_1^z \bmod p$. This variant is also vulnerable to our attack, since one can still obtain the equation $h_2^q = (h_1^q)^z \bmod p$ by sen...

48 | Receipt-free Mix-Type Voting Scheme
- Sako, Kilian
- 1995
Citation Context: ...In this section we present several such examples that we have found in the literature. They include threshold cryptosystems based on ElGamal encryption [15], anonymous channels used in electronic voting schemes [29, 35] and undeniable signatures [12, 8, 28]. 3.1 Shared Decryption of ElGamal Encryption. ElGamal encryption of message m for user A consists of $\{c_1, c_2\}$, where $c_1 = g^k \bmod p$ with $k \in_R Z_q$ and $c_2 = m\ldots$

44 | Breaking an Efficient Anonymous Channel
- Pfitzmann
- 1995
Citation Context: ...special case of the threshold cryptosystem described above, i.e., the case of $t = n$. The anonymous channel is primarily used to protect the secrecy of votes in electronic voting schemes. Later Pfitzmann [31] developed successful attacks on these channels. To defeat such attacks, Sako and Kilian [35] used a prime order subgroup in their election scheme, instead of the full multiplicative group $Z_p$ origina...

42 | On seeking smart public-key distribution systems
- Matsumoto, Takashima, et al.
Citation Context: ...to the case where each user has a correct public key. As an example, we consider the following key exchange protocol, which is an authenticated version of the MTI (Matsumoto-Takashima-Imai) protocol [26]. This protocol, with slight changes, is widely studied in the literature (e.g., see [27, 20]) and is also being standardized in ISO/IEC JTC1/SC27 [43]. 1. A randomly picks $k_A \in Z_q$, computes $r_A = g\ldots$

40 | Generating ElGamal signatures without knowing the secret key
- Bleichenbacher
- 1996
Citation Context: ...use secure parameters and check the properties or requirements assumed to be satisfied. To see this, for example, we refer the reader to Pointcheval and Stern [33] for security proof and Bleichenbacher [4] for signature forgery in ElGamal-type signature schemes, together with Stern [38] for further discussions on their apparent contradiction. The purpose of this paper is to reveal the insecurity of var...

33 | Designated Confirmer Signatures and Public Key Encryption Are Equivalent
- Okamoto
- 1994

32 | On the risk of opening distributed keys
- Burmester
- 1994
Citation Context: ...apply to Diffie-Hellman-type key exchange protocols. This has given rise to a lot of attacks or weaknesses under a variety of attacking scenarios. Most attacks aim at finding a session key (e.g., see [10, 42]) or causing authentication failure (e.g., see [27]). In this section we present a key recovery attack that can be applied to many DH-type key exchange protocols published in the literature$^3$ unless p...

25 | Minding your p's and q's
- Anderson, Vaudenay
- 1996
Citation Context: ...schemes, since the involved parties do not check relevant protocol variables. Though there are several papers pointing out the importance of checking public parameters and protocol variables (e.g., see [4, 41, 1, 40, 2]) in DH key exchange and digital signature schemes, no literature addresses such an explicit attack revealing the involved secret. Our attack may find the whole secret key in many cases. Related Work ...

23 | Improved privacy in wallets with observers
- Cramer, Pedersen
- 1993
Citation Context: ...Pohlig-Hellman method. Note that C can still obtain the desired signature by computing $z' \gamma^{-x_Z} \bmod p$ after finding $x_Z \bmod \mathrm{ord}(\gamma)$. The same attack can be applied to its privacy enhanced version [14] if the signer does not check that $m^q = 1 \bmod p$. The authors may omit this checking step in the thought that C can only obtain an undeniable signature for a random message, but this omission causes a...

18 | Breaking and Repairing a Convertible Undeniable Signature Scheme
- Michels, Petersen, et al.
- 1996

13 | collisions on DSS
- Vaudenay
- 1996

13 | A key distribution "paradox"
- Yacobi
Citation Context: ...apply to Diffie-Hellman-type key exchange protocols. This has given rise to a lot of attacks or weaknesses under a variety of attacking scenarios. Most attacks aim at finding a session key (e.g., see [10, 42]) or causing authentication failure (e.g., see [27]). In this section we present a key recovery attack that can be applied to many DH-type key exchange protocols published in the literature$^3$ unless p...

11 | Proving without knowing: On oblivious, agnostic and blindfolded provers
- Jakobsson, Yung
- 1996
Citation Context: ...our attack otherwise.$^5$ (Note that it is infeasible to generate m as an element of order q for any meaningful message or its hash value if q is chosen small compared to p.) However, Jakobsson and Yung [19] failed to observe this fact when choosing system parameters in Chaum's scheme: $p = ql + 1$ (p, q prime, l integer), g a generator of $G_q$,$^6$ and $\{x \in_R Z_q,\ y = g^x \bmod p\}$ as the secret/public key pair ...

11 | A key escrow system with warrant bounds
- Lenstra, Winkler, Yacobi
Citation Context: ...$y_i = \beta^{x_i} \bmod p$. This attack will demonstrate the importance of the checking step in the certification process. We first consider the zero-message DH key exchange with public keys (e.g., used in [22])$^4$: Two users A and B share a session key K by computing $K = h(y_B^{x_A} \bmod p, d) = h(y_A^{x_B} \bmod p, d)$, where d is time/date information. In this protocol, suppose that user B with public key $y_B = g\ldots$

6 | The validation of cryptographic algorithms
- Stern
- 1996
Citation Context: ...satisfied. To see this, for example, we refer the reader to Pointcheval and Stern [33] for security proof and Bleichenbacher [4] for signature forgery in ElGamal-type signature schemes, together with Stern [38] for further discussions on their apparent contradiction. The purpose of this paper is to reveal the insecurity of various protocols based on the discrete logarithm problem published in the literature...

5 | Design and analysis of key exchange protocols via secure channel identification
- Boyd, Mao
- 1994
Citation Context: ...of our attack.$^2$ It is very important to authenticate the exchanged random messages themselves, rather than the shared secret computed from them. For example, the modified STS protocol by Boyd and Mao [5] may be vulnerable to the middleperson attack, since it only authenticates the hashed version of the shared secret. ...is hard to apply to Diffie-Hellman-type key exchange protocols. This has given rise ...

5 | A remark on the efficiency of identification schemes
- Burmester
- 1990
Citation Context: ...identification scheme is used instead. Then A can pass the protocol with probability $1/\mathrm{ord}(\beta)$ on average, irrespective of the size of a challenge by B (a similar observation has been made before by Burmester [9]). Therefore, it is essential that the CA should first check that $y_A^q = 1 \bmod p$. We now present a key recovery attack under the assumption that an attacking user i has a public key $y_i = \beta^{x_i} \bmod\ldots$

4 | Directed Signatures and Applications to Threshold Cryptosystems
- Lim
- 1996
Citation Context: ...$a_{t-1} z^{t-1} + \cdots + a_1 z + x_G$ with $a_j \in_R Z_q$, computes secret shares $x_{G_i} = f(i) \bmod q$ for $i = 1, 2, \cdots, n$ and securely sends $x_{G_i}$ to each member i of G. (See [24] for a more flexible scheme not requiring such pre-distribution of secret shares.) Now, suppose that a ciphertext $\{c_1, c_2\}$, where $c_1 = g^k \bmod p$ and $c_2 = m y_G^k \bmod p$, is received and that a subs...

3 | Authentication and authenticated key exchange
- Diffie, van Oorschot, Wiener
- 1992
Citation Context: ...computes $K = (\alpha^q)^{k_A k_B} \bmod p$, which can also be computed by the attacker since he can find $k_i \bmod w$ from $r_i$. This attack can be easily prevented by authenticating the random exchange, as in the STS [17] and SKEME [21] protocols.$^2$ The above attack motivates the use of a prime order subgroup, which also substantially increases the efficiency in computation and parameter generation (see [40, 2] for fu...

2 | Several practical protocols for authentication and key exchange
- Lim, Lee
- 1995
Citation Context: ...attack can be applied to any protocol if the protocol reveals an equation involving the fixed DH key $g^{x_A x_B} \bmod p$. As another example, let us consider the following protocol (modified from Protocol 3 in [23]), where we assume that B has a public key $y_B = \beta^{x_B} \bmod p$. 1. A computes $r_A = g^{k_A} \bmod p$ with $k_A \in_R Z_q$ and sends it to B. 2. B computes $r_B = g^{k_B} \bmod p$ with $k_B \in_R Z_q$ and $s_B = k_B - x_B e_B\ldots$

1 | key-management for Internet protocols
- Aziz, Prafullchandra
- 1996
Citation Context: ...including our one. Most other protocols involve the fixed secret/public key pair for key exchange and (possibly) authentication. Our attack can be applied to most of such protocols.$^4$ The SKIP protocol [3] being widely implemented in the industry also employs this scheme to get a long-term shared secret, which is used as a key-encrypting key. However, the SKIP documentation recommends to use a safe pri...

1 | Convertible undeniable signatures
- Boyar, Damgård, Pedersen
- 1991
Citation Context: ...examples that we have found in the literature. They include threshold cryptosystems based on ElGamal encryption [15], anonymous channels used in electronic voting schemes [29, 35] and undeniable signatures [12, 8, 28]. 3.1 Shared Decryption of ElGamal Encryption. ElGamal encryption of message m for user A consists of $\{c_1, c_2\}$, where $c_1 = g^k \bmod p$ with $k \in_R Z_q$ and $c_2 = m y_A^k \bmod p$ [18]. The receiver A can d...

1 | Mis-representation of identities in E-cash schemes and how to prevent it
- Chan, Frankel, Tsiounis
- 1996
Citation Context: ...signature $z = (I g_2)^x \bmod p$ ($g_1, g_2$ generators of a subgroup of order q). In this case the user must prove to the bank that he knows u since I corresponds to the account number of the user (see also [11]). Thus our attack is not applicable here. However, as noted in Sec. 2.1, it is essential to check $I^q = 1 \bmod p$ at the beginning of the proof if a Schnorr-type identification scheme is used for this pu...

1 | Generating efficient primes for discrete log cryptosystems
- Lim, Lee
Citation Context: ...variation, which seems too much in most applications. The best alternative is to use a prime p such that $(p-1)/2q$ is also prime or each prime factor of $(p-1)/2q$ is larger than q (see also [25] for a method of generating primes which can substantially reduce the modular reduction time and storage usage). Such a prime can be generated much faster than a safe prime (i.e., a prime of the form ...

1 | Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques
- ISO/IEC JTC1/SC27
Citation Context: ...version of the MTI (Matsumoto-Takashima-Imai) protocol [26]. This protocol, with slight changes, is widely studied in the literature (e.g., see [27, 20]) and is also being standardized in ISO/IEC JTC1/SC27 [43]. 1. A randomly picks $k_A \in Z_q$, computes $r_A = g^{k_A} \bmod p$ and sends $r_A$ to B. 2. B randomly picks $k_B \in Z_q$, computes $r_B = g^{k_B} \bmod p$, $K_B = y_A^{k_B} r_A^{x_B} \bmod p$ and $e_B = h(K_B, r_B, r_A, B, A)$, an...