
Zero-Knowledge Proof Diffie-Hellman Key Exchange

Prerequisites:

  • The user has registered the public key $A_{pub} = a\cdot G$, generated by the MFKDF method.
  • The user has registered the public key $P_{pub}$, generated by a Passkey.
  • The server has published its long-term public key $B_{pub} = b\cdot G$ in some way, e.g. an ENS text record, or hard-coded for convenience.

Compute a shared key as session key

Method 1: ECDH all the way with MFKDF public key

[Figure: image-4.png]

Then the user gets:

$$K_u = x\cdot B_{\text{share}}$$

the server gets:

$$K_s = y\cdot A_{\text{share}}$$

and:

$$K_u = K_s$$

proof:

$$K_u = x\cdot B_{share} = x\cdot b\cdot y\cdot A_{pub} = x\cdot b\cdot y\cdot a\cdot G = y\cdot a\cdot x\cdot B_{pub} = y\cdot A_{share} = K_s$$

The shared key $K$ can be used to derive a symmetric secret for encryption or authentication, and this method has the forward secrecy property. But it requires the user side to have the private key $a$, which the user must recover from MFKDF, so we cannot use it with a Passkey only.

Method 2: Sign the shared

[Figure: PlantUML diagram]

Then the user gets:

$$K_u = x\cdot B_{\text{share}}$$

the server gets:

$$K_s = y\cdot A_{\text{share}}$$

and:

$$K_u = K_s$$

proof:

$$K_u = x \cdot B_{\text{share}} = x \cdot y \cdot G = y \cdot A_{\text{share}} = K_s$$

This method can be used in both cases, MFKDF only and Passkey only, as we can change the user signature $sig_a$ from Passkey to MFKDF without any problem. This method also has forward secrecy, as $K$ is also an ephemeral key.
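The two key-agreement computations above, as an added example (not code from the original page): it runs Method 1 and Method 2 on secp256k1 in pure Python and returns $(K_u, K_s)$ for each. The curve choice, the function names and the on-curve check on received shares are assumptions of this example; the signature step of Method 2 is omitted, and the scalar multiplication is not constant time.

```python
import secrets

# secp256k1 domain parameters (assumed curve; the page does not name one)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        m = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def check(pt):
    """Reject the point at infinity and off-curve points before using a received share."""
    if pt is None or (pt[1] ** 2 - pt[0] ** 3 - 7) % P != 0:
        raise ValueError("invalid point")
    return pt

def rand_scalar():
    return secrets.randbelow(N - 1) + 1        # uniform in [1, N-1]

def method1(a, b, x, y):
    """a, b: long-term private keys; x, y: ephemeral secrets. Returns (K_u, K_s)."""
    A_pub, B_pub = mul(a, G), mul(b, G)        # registered / published public keys
    A_share = mul(a * x % N, check(B_pub))     # user -> server: a*x*B_pub
    B_share = mul(b * y % N, check(A_pub))     # server -> user: b*y*A_pub
    return mul(x, check(B_share)), mul(y, check(A_share))

def method2(x, y):
    """Ephemeral shares x*G and y*G; their signatures are omitted. Returns (K_u, K_s)."""
    A_share, B_share = mul(x, G), mul(y, G)
    return mul(x, check(B_share)), mul(y, check(A_share))
```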

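Proof derivation

To prove that both parties in the Diffie-Hellman key exchange protocol compute the same shared key, we can show it through a mathematical derivation. The detailed proof follows: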

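Parameter setup

  • Choose a large prime $p$ and a generator $g$ (these parameters are public).
  • User A chooses a private random number $a$ as the private key and computes $A = g^a \mod p$ as the public key.
  • User B chooses a private random number $b$ as the private key and computes $B = g^b \mod p$ as the public key.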

Exchanging public keys

  • User A sends the public key $A$ to user B.
  • User B sends the public key $B$ to user A.

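Computing the shared key

  • User A uses user B's public key $B$ and their own private key $a$ to compute the shared key: $K_A = B^a \mod p$
  • User B uses user A's public key $A$ and their own private key $b$ to compute the shared key: $K_B = A^b \mod p$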

Proving the shared keys are equal

We need to prove that $K_A = K_B$, i.e. that the shared keys computed by user A and user B are the same.

  1. User A computes the shared key $K_A$

    $$K_A = B^a \mod p$$

    where $B = g^b \mod p$, so:

    $$K_A = (g^b \mod p)^a \mod p$$

    By the properties of modular arithmetic (multiplication and exponentiation), we get:

    $$K_A = g^{ba} \mod p$$
  2. User B computes the shared key $K_B$

    $$K_B = A^b \mod p$$

    where $A = g^a \mod p$, so:

    $$K_B = (g^a \mod p)^b \mod p$$

    Likewise, by the properties of modular arithmetic, we get:

    $$K_B = g^{ab} \mod p$$

By the commutativity of the exponents, i.e. $ab = ba$, we have:

$$K_A = g^{ba} \mod p = g^{ab} \mod p = K_B$$

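Conclusion

Through the derivation above, we have proved that the shared keys $K_A$ and $K_B$ computed by user A and user B are the same, i.e.:

$$K_A = K_B = g^{ab} \mod p$$

Therefore, the Diffie-Hellman key exchange protocol ensures that both parties can securely generate the same shared key over an insecure communication channel. This shared key can be used for subsequent encrypted communication, ensuring the confidentiality and integrity of the data.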