最近RSA暗号化を学びながらディフィー・ヘルマンの鍵交換アルゴリズムを復習しました。
What caught my interest is that the integer g (which along with p) is publicly exchanged between the two parties) must be a primitive root modulo p (which is prime). The point of the algorithm is for two parties (usually referred to as Alice and Bob) to be able to exchange messages using a single (symmetric) key while never publishing that key over the wire. This shared key is g^(ab) mod p, where a is a number known only to Alice and b is a number known only to Bob. The flow is as follows:
1. Alice sends Bob g and p. She then sends g^a.
2. Bob sends back g^b.
3. Both of them generate g^(ab) mod p. This can be done because (g^a)^b = (g^b)^a (mod p).
My concern is why g's properties are relevant. It must affect either:
1. the equality of the keys independently generated by Alice and Bob
2. the ease with which an attacker might guess g^(ab) mod p, knowing g, p, g^a, and g^b
Assume g is not a primitive root mod p. A primitive root mod p is defined as a value g such that for any number x coprime to p, there exists a power k of g such that g^k = x (mod p).
While I have yet to prove this rigorously, I suspect that choosing a g that is not a primitive root modulo p makes g^(ab) mod p easier to guess. i.e. powers of g might cycle mod p so that the number of possible g^(ab) mod p values is much fewer than p.
An extreme example would be: p = 5, g =5. Then all powers of g equal 0 mod p. Thus, g^(ab) mod p must be 0. The attacker can guess the symmetric key knowing only p and g.