views:

156

answers:

2

I am implementing a custom crypto library using the Diffie-Hellman protocol (yes, I know about RSA/SSL and the like - I am using it for specific purposes) and so far it turned out better than I originally expected - using GMP, it's very fast.

My question is, besides the obvious key exchange part, if this protocol can be used for digital signatures as well.

I have looked at quite a few resources online, but so far my search has been fruitless.

Is this at all possible? Any (serious) ideas are welcome.

Update:
Thanks for the comments. And for the more curious people:

  • My DH implementation is meant - among other things - to distribute encrypted "resources" to client-side applications. Both are, for the most part, my own code.
  • Every client has a DH key pair, and I use it along with my server's public key to generate the shared keys. In turn, I use them for HMACs and symmetric encryption.
  • DH keys are built anywhere from 128 up to 512 bits, using safe primes as modulus.

I realize that "pure" D-H alone can't be used for signatures; I was hoping for something close to it (or as simple).

+5  A: 

It would appear this is feasible: http://www.quadibloc.com/crypto/pk050302.htm.

I would question why you are doing this though. The first rule of implementing crypto is don't implement crypto. There are plenty of libraries that already exist; you would probably be better off leveraging these. Crypto code is notoriously hard to get right even if you understand the science behind it.

Steve Haigh
"The first rule of implementing crypto is don't implement crypto." - I like the 'Fight Club' analogy. So true....
Mitch Wheat
Thanks. D-H implementation is... dead simple (if you know or look at the protocol it's easy to realize) and it's being used to get encryption keys (for symmetric encryption) in custom code. That said, I am close to forgetting about the signing part...
jcinacio
@jcinacio: The reason for not implementing crypto isn't that it's hard to implement correctly - it's that it's hard to implement "securely" in a way that would make it hard to break.
Tal Pressman
It is *never* a good answer to say: "Don't try. You will fail. What you try is too difficult for you, ... etc."
Accipitridae
@Accipitridae I didn't say don't try and I didn't say she/he would fail. In fact the very first line of my answer was a link to how to do this - exactly what was asked for. I said "the first rule..." because this is a good piece of general advice. I have no idea what skills this person has and so I have no reason to think he would fail, but I have good reason to suggest it is hard and to suggest an easier alternative.
Steve Haigh
@Accipitridae the problem is that the simplest change in a standard crypto library can lead to many, many dangers. The Debian maintainer had a giant egg on his face when he disabled the seed somehow and limited the keyspace for ssh. If the OP is doing this for fun, sure, not a problem. I wouldn't use it for anything remotely production though.
Calyth
@Calyth. I absolutely agree that small changes to a crypto system can make it insecure. Therefore it is important to use a well-defined standard like DSA. NIST has put a lot of work into this standard to avoid lots of pitfalls in these schemes. The answer above, however, does not point to a relevant standard (like e.g. Rasmus Faber did). It rather points to a web page that insufficiently describes DL-based signature schemes. Pointing out how to implement something correctly is much more helpful than just saying it is difficult, don't try.
Accipitridae
+2  A: 

DSA is the standard way to make digital signatures based on the discrete logarithm problem.

And to answer a potential future question, Ephemeral-static Diffie-Hellman is the standard way to implement asymmetric encryption (to send messages where you know and trust the recipient's public key (for example through a certificate), but the recipient does not know your key).

Rasmus Faber
There are of course many variants of ElGamal signature schemes, but I'd agree that DSA is a good choice when looking for a standardized scheme.
Accipitridae
Thanks, I've looked at DSA (and ElGamal) and they aren't too far off from what I was looking for.
jcinacio
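To make the DSA answer concrete, here is an added textbook DSA sign/verify example (my own illustration, not code from any poster or from any library). It uses the same (p, q, g) subgroup setup and the same x / y = g^x mod p key-pair shape as a DH key, which is why it is "close to" DH; the parameters are constructed here and are toy-sized, far below the FIPS 186 sizes a real deployment needs.

```python
import hashlib
import secrets

def is_prime(n):
    """Trial division; fine for the toy-sized parameters used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def make_params(q_start=10**6):
    """Constructed toy DSA parameters: prime q, prime p = k*q + 1, and g of order q mod p."""
    q = q_start
    while not is_prime(q):
        q += 1
    k = 2
    while True:
        p = k * q + 1
        if is_prime(p):
            g = pow(2, (p - 1) // q, p)  # maps 2 into the order-q subgroup
            if g != 1:
                return p, q, g
        k += 1

P, Q, G = make_params()  # real DSA: p >= 2048 bits, q >= 224 bits

def keygen(params):
    """Private x in [1, q-1], public y = g^x mod p (same shape as a DH key pair)."""
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def _hash_mod_q(message, q):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q

def sign(params, x, message):
    """Returns (r, s); retries if either value is 0, as the standard requires."""
    p, q, g = params
    e = _hash_mod_q(message, q)
    while True:
        k = secrets.randbelow(q - 1) + 1  # fresh per-signature nonce, must never repeat
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (e + x * r)) % q
        if r != 0 and s != 0:
            return r, s

def verify(params, y, message, sig):
    """Anyone holding y can check the signature; no shared secret is needed."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (_hash_mod_q(message, q) * w) % q
    u2 = (r * w) % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r
```

Unlike an HMAC over a DH shared secret, which either party could have produced, a DSA signature verifies with the public key alone, which is the property a "signed resource" needs.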