Can the Diffie-Hellman protocol be used as a base for digital signatures?

I am implementing a custo crypto library using the Diffie-Hellman protocol (yes, i know about rsa/ssl/and the likes - i am using it specific purposes) and so far it turned out better than i original expected - using GMP, it's very fast.

My question is, besides the obvious key exchange part, if this protocol can be used for digital signatures as well.

I have looked at quite a few resources online, but so far my search has been fruitless.

Is this at all possible? Any (serious) ideas are welcome.

Update:
Thanks for the comments. And for the more curious people:

my DH implementation is meant - among other things - to distribute encrypted "resources" to client-side applications. both are, for the most part, my own code.
every client has a DH key pair, and i use it along with my server's public key to generate the shared keys. in turn, i use them for HMACs and symmetric encryption.
DH keys are built anywhere from 128 up to 512 bits, using safe primes as modulus.

I realize how "pure" D-H alone can't be used for signatures, i was hoping for something close to it (or as simple).

"The first rule of implementing crypto is don't implement crypto." - I like the 'Fight Club' analogy. So true....

Mitch Wheat 2009-09-23 11:53:28

Thanks. D-H implementation is... dead simple (if you know or look at the protocol it's easy to realize) and it's being used to get encryption keys (for symmetric encryption) in custom code.That said, i am close to forget about the signing part...

jcinacio 2009-09-23 11:59:55

@jcinacio: The reason for not implementing crypto isn't that it's hard to implement correctly - it's that it's hard to implement "securely" in a way that would make it hard to break.

Tal Pressman 2009-09-24 05:28:09

It is *never* a good answer to say: "Don't try. You will fail. What you try is to difficult for you, ... etc."

Accipitridae 2009-09-24 06:14:33

@Accipitridae I didn't say don't try and I didn't say she/he would fail. Infact the very first line of my answer was a link to how to do this - exactly what was asked for. I said "the first rule..." because this is a good piece of general advice. I have no idea what skills this person has and so I have no reason to think he would fail but I have good reason to suggest it is hard and suggest an easier alternative.

Steve Haigh 2009-09-24 13:08:19

@Accipitridae the problem has to do with the simplest change in a standard crypto library can lead to many many dangers. The Debian maintainer had a giant egg in his face when he disabled the seed somehow and limited the keyspace for ssh.If the OP is doing this for fun, sure, not a problem. I wouldn't use it for anything remotely production though.

Calyth 2009-09-25 19:15:45

@Calyth. I absolutely agree that small changes to a crypto system can make it insecure. Therefore it is important to use a well defined standard like DSA. NIST has put a lot of work into this standard to avoid lots of pitfalls in these schemes. The answer above, however, does not point to a relevant standard (like e.g. Rasmus Faber did). It rather points to a web page that insufficiently describes DL-based signatures schemes. Pointing out how to implement something correctly is much more helpfult, than just say it is difficult, don't try

Accipitridae 2009-09-27 10:40:01

There are of course many variants of ElGamal signature schemes, but I'd agree that DSA is a good choice when looking for a standarized scheme.

Accipitridae 2009-09-24 06:17:42

thanks, i've look at DSA (and Elgamal) and they aren't too far off to what i was looking for

jcinacio 2009-09-24 14:44:45

ansaurus

tags:

views:

answers:

Can the Diffie-Hellman protocol be used as a base for digital signatures?

related questions