Re: [Cfrg] Question about A=6 Montgomery over 2^89-1
Ben Laurie <ben@links.org> Sun, 13 December 2015 22:13 UTC
Return-Path: <benlaurie@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B80F11A883E for <cfrg@ietfa.amsl.com>; Sun, 13 Dec 2015 14:13:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.723
X-Spam-Level:
X-Spam-Status: No, score=0.723 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c03ApBzvqU_h for <cfrg@ietfa.amsl.com>; Sun, 13 Dec 2015 14:13:25 -0800 (PST)
Received: from mail-lb0-f176.google.com (mail-lb0-f176.google.com [209.85.217.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0401F1A883C for <cfrg@ietf.org>; Sun, 13 Dec 2015 14:13:25 -0800 (PST)
Received: by lbbcs9 with SMTP id cs9so96146023lbb.1 for <cfrg@ietf.org>; Sun, 13 Dec 2015 14:13:23 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=7aQeoIn/etYfk2CJtvJ95CMY6JvzK6W0iTCCGeLdfOw=; b=Z8wFsPxa5gPXNn6JzYw9zNDQips5TBZVioA+ZOh+MySOMsT/A5FGLaXCIfVSY9Rwxg HzVPPnzoatNPb9go8nNMoka+uzPWksRDfrnZXImZbMmBdwylO4rtVdssNTyGuE2zCmON o6Gd/hH/BFsflSSV4rve+T0VNiwwgfEm6sHgWWSEuQ6Sx2/3kovvQvJVcdEk/HYnCYGT 7/CAICv6N3PfMhdFOI2FxFeLRW7c+Skj8ewKsOzUo3pyYyWufQGxiiCwXxTmBrgN/s4S g/0N5RU3N8Rj5Xz5dbY8kBz/k37CcSgwmherJiqIkUYW43DuxaUOk1WuMkjRCkvSrdAX No8g==
X-Received: by 10.112.202.168 with SMTP id kj8mr11542961lbc.12.1450044803063; Sun, 13 Dec 2015 14:13:23 -0800 (PST)
MIME-Version: 1.0
References: <f62deb1f355c38b6254b2e8364bd4480@mail.tc26.ru> <810C31990B57ED40B2062BA10D43FBF5E97737@XMB116CNC.rim.net> <7bdba271cc9c9223d98dcf8677bcb49d@mail.tc26.ru> <20151212152324.5701716.2323.10706@certicom.com> <D2921778.5E708%kenny.paterson@rhul.ac.uk>
In-Reply-To: <D2921778.5E708%kenny.paterson@rhul.ac.uk>
From: Ben Laurie <ben@links.org>
Date: Sun, 13 Dec 2015 22:13:13 +0000
Message-ID: <CAG5KPzwazdS_Pr=sYgNrXs1GXwVgGJpC-tBVDJL0XVYJ27eE-Q@mail.gmail.com>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>, Dan Brown <dbrown@certicom.com>, Grigory Marshalko <marshalko_gb@tc26.ru>, "cfrg@ietf.org" <cfrg@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c37aa46527fd0526ceddc3"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/-CsWbuON8R_rkHQLHvfdbrNoHu4>
Cc: Steven Galbraith <s.galbraith@math.auckland.ac.nz>
Subject: Re: [Cfrg] Question about A=6 Montgomery over 2^89-1
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Dec 2015 22:13:28 -0000
OK, now I want the shortest possible reading course that lets me figure out what you just said. Actually a serious request. On Sat, 12 Dec 2015 at 18:29 Paterson, Kenny <Kenny.Paterson@rhul.ac.uk> wrote: > Hi Dan, > > I asked Steven Galbraith about this. Here's what he said: > > "Some thoughts on the elliptic curve: E : y^2 = x^3 + 6x^2 + x > It is a global CM curve with j(E) = 66^3, so it has complex > multiplication of discriminant -16. > Due to congruence conditions it is therefore supersingular. > To flip the question around: For a given prime p, there is usually a CM > elliptic curve over Q which is supersingular modulo p. And since that > curve is from a finite list it usually has small coefficients. So it is > not at all surprising that one can find a curve with small coefficients > that is supersingular. And if the prime p is such that p+1 is smooth > then this is weak for Pohlig-Hellman. > There is no reason to think there would be another other such example, > so I guess there is nothing to worry about." > > Steven no longer subscribes to this list, so include him in cc if you want > him to see any responses. > > Cheers > > Kenny > > > > On 12/12/2015 15:23, "Cfrg on behalf of Dan Brown" <cfrg-bounces@irtf.org > on behalf of dbrown@certicom.com> wrote: > > >So 66^3 is one of the few (13???) integral j-invariants with CM over the > >rationals (the Baker-Stark-Heegner theorem?). And yes Elkies shows that > >half the primes will give a supersingular. I'll look at how j=66^3 > >corresponds to A=6 in 2016, and eventually try to sort out whether > >there's much to say about small |A|. > > > > Original Message > >From: Grigory Marshalko > >Sent: Friday, December 11, 2015 4:09 PM > >To: Dan Brown; cfrg@ietf.org > >Subject: Re: [MASSMAIL][Cfrg] Question about A=6 Montgomery over 2^89-1 > > > > > >This seems to be a better answer > > > >http://alexricemath.com/wp-content/uploads/2013/07/EC2.pdf > > > >Regards, > >Grigory Marshalko, > >expert, > >Technical committee for standardisation "Cryptography and security > >mechanisms" (ТC 26) > >www.tc26.ru > >11 декабря 2015 г., 23:20, "Grigory Marshalko" <marshalko_gb@tc26.ru> > >написал: > > > >> Hi, > >> > >> May be this is the case: > >> from wiki: > >> If an elliptic curve over the rationals has complex multiplication then > >>the set of primes for which > >> it is supersingular has density 1/2. If it does not have complex > >>multiplication then Serre showed > >> that the set of primes for which it is supersingular has density zero. > >>Elkies (1987) showed that > >> any elliptic curve defined over the rationals is supersingular for an > >>infinite number of primes. > >> > >> and this is also may be useful > >>http://pages.cs.wisc.edu/~cdx/ComplexMult.pdf > >> > >> Regards, > >> Grigory Marshalko, > >> expert, > >> Technical committee for standardisation "Cryptography and security > >>mechanisms" (ТC 26) > >> www.tc26.ru > >> 11 декабря 2015 г., 00:22, "Dan Brown" <dbrown@certicom.com> написал: > >> > >>> Hi, > >>> > >>> I stumbled upon something surprising (to me), using Sage (while > >>>searching > >>> for something else). > >>> > >>> The Montgomery curve y^2 = x^3 + 6x^2 + x over the field of size > >>>2^89-1, has > >>> order 2^89, so it is maximally vulnerable to Pohlig-Hellman. (Other > >>> details: it has order p+1, so is also vulnerable to MOV. I haven't > >>>checked > >>> yet, but I'd _bet_ it's supersingular. It has j-invariant 66^3.) > >>> > >>> As is well-known, the supersingular curve y^2 = x^3 + x also has order > >>>2^89 > >>> (it has j-invariant 1728=12^3). But I recall a result of Koblitz saying > >>> that curves over F_p with order p+1 are very rare (among isomorphism > >>> classes). Naively, I would think that finding two such curves so close > >>> together (A=0 and A= 6) has negligible chance, unless these weak > >>>curves are > >>> distributed towards small |A|. > >>> > >>> Nonetheless, I still hope that this does _not_ indicate some general > >>>_weak_ > >>> correlation between Montgomery curves with a small coefficient and > >>>known > >>> attacks. > >>> > >>> To that end, I'd be curious if somebody here could explain the theory > >>>behind > >>> this example curve. For example, it would be re-assuring to explain > >>>this as > >>> a mere one-time coincidence, rather than a higher chance of a known > >>>attack > >>> (e.g. MOV or PH) on smaller-coefficient curves. (Purely speculating: > >>>maybe > >>> there's a good theory of supersingular j-invariants for each prime p, > >>>then a > >>> way to deduce A from j, such that p=2^89-1 and j=66^3 formed a > >>>superstorm to > >>> arrive at a small A=6.) > >>> > >>> Absent such an explanation, the worry is that if known attacks more > >>> generally exhibit this kind of correlation with coefficient size, then > >>>how > >>> wise is it to suggest small-coefficient curve as a remedy against > >>>secret > >>> attacks? > >>> > >>> I am aware that there are other worries of a different nature > >>> ("manipulation") involved with methods that generate larger > >>>coefficients, > >>> but maybe there's a good way to balance both concerns. > >>> > >>> Best regards, > >>> > >>> Daniel Brown > >>> > >>> _______________________________________________ > >>> Cfrg mailing list > >>> Cfrg@irtf.org > >>> https://www.irtf.org/mailman/listinfo/cfrg > > > >_______________________________________________ > >Cfrg mailing list > >Cfrg@irtf.org > >https://www.irtf.org/mailman/listinfo/cfrg > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Question about A=6 Montgomery over 2^89-1 Dan Brown
- Re: [Cfrg] [MASSMAIL] Question about A=6 Montgome… Grigory Marshalko
- Re: [Cfrg] [MASSMAIL] Question about A=6 Montgome… Grigory Marshalko
- Re: [Cfrg] Question about A=6 Montgomery over 2^8… Dan Brown
- Re: [Cfrg] Question about A=6 Montgomery over 2^8… Grigory Marshalko
- Re: [Cfrg] Question about A=6 Montgomery over 2^8… Paterson, Kenny
- Re: [Cfrg] Question about A=6 Montgomery over 2^8… Ben Laurie
- Re: [Cfrg] Question about A=6 Montgomery over 2^8… Dan Brown