# Diffie-Hellman Revisited: Subgroup-Confinement Attacks This set is going to focus on elliptic curves. But before we get to that, we're going to kick things off with some classic Diffie-Hellman. Trust me, it's gonna make sense later. Let's get right into it. First, build your typical Diffie-Hellman key agreement: Alice and Bob exchange public keys and derive the same shared secret. Then Bob sends Alice some message with a MAC over it. Easy as pie. Use these parameters: p = 7199773997391911030609999317773941274322764333428698921736339643928346453700085358802973900485592910475480089726140708102474957429903531369589969318716771 g = 4565356397095740655436854503483826832136106141639563487732438195343690437606117828318042418238184896212352329118608100083187535033402010599512641674644143 The generator g has order q: q = 236234353446506858198510045061214171961 "Order" is a new word, but it just means g^q = 1 mod p. You might notice that q is a prime, just like p. This isn't mere chance: in fact, we chose q and p together such that q divides p-1 (the order or size of the group itself) evenly. This guarantees that an element g of order q will exist. (In fact, there will be q-1 such elements.) Back to the protocol. Alice and Bob should choose their secret keys as random integers mod q. There's no point in choosing them mod p; since g has order q, the numbers will just start repeating after that. You can prove this to yourself by verifying g^x mod p = g^(x + k*q) mod p for any x and k. The rest is the same as before. How can we attack this protocol? Remember what we said before about order: the fact that q divides p-1 guarantees the existence of elements of order q. What if there are smaller divisors of p-1? Spoiler alert: there are. I chose j = (p-1) / q to have many small factors because I want you to be happy. Find them by factoring j, which is: j = 30477252323177606811760882179058908038824640750610513771646768011063128035873508507547741559514324673960576895059570 You don't need to factor it all the way. Just find a bunch of factors smaller than, say, 2^16. There should be plenty. (Friendly tip: maybe avoid any repeated factors. They only complicate things.) Got 'em? Good. Now, we can use these to recover Bob's secret key using the Pohlig-Hellman algorithm for discrete logarithms. Here's how: 1. Take one of the small factors j. Call it r. We want to find an element h of order r. To find it, do: h := rand(1, p)^((p-1)/r) mod p If h = 1, try again. 2. You're Eve. Send Bob h as your public key. Note that h is not a valid public key! There is no x such that h = g^x mod p. But Bob doesn't know that. 3. Bob will compute: K := h^x mod p Where x is his secret key and K is the output shared secret. Bob then sends back (m, t), with: m := "crazy flamboyant for the rap enjoyment" t := MAC(K, m) 4. We (Eve) can't compute K, because h isn't actually a valid public key. But we're not licked yet. Remember how we saw that g^x starts repeating when x > q? h has the same property with r. This means there are only r possible values of K that Bob could have generated. We can recover K by doing a brute-force search over these values until t = MAC(K, m). Now we know Bob's secret key x mod r. 5. Repeat steps 1 through 4 many times. Eventually you will know: x = b1 mod r1 x = b2 mod r2 x = b3 mod r3 ... Once (r1*r2*...*rn) > q, you'll have enough information to reassemble Bob's secret key using the Chinese Remainder Theorem.