Re: [Cfrg] Your Secret is Too Short (was: Is Diffie-Hellman Better Than We Think?)

Andrey Jivsov <crypto@brainhub.org> Fri, 23 October 2020 02:15 UTC

From: Andrey Jivsov <crypto@brainhub.org>
Date: Thu, 22 Oct 2020 19:15:33 -0700
To: Ian Goldberg <iang@uwaterloo.ca>
Cc: IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/0QpFNTifacb956YurqPg8QyC0eI>

Thanks to an anonymous reply, I see this
https://eprint.iacr.org/2010/615.pdf, sec. 2, which is a good description
of the enhanced algorithm that takes advantage of a short exponent (the
Gaudry-Schost algorithm). It's similar to the Pollard-Rho algorithm, but it's
not the same, and the link below is not an accurate description of this
algorithm. In particular, this latter algorithm is structured to contain the
"walk" within the small set corresponding to small exponents, which doesn't
happen with the Pollard-Rho algorithm.

Looks like a private key expanded from 128 bits into 256 is needed as a
mitigation, e.g. if you must use a 128-bit secret with P-256.

Thank you.

On Thu, Oct 22, 2020 at 3:12 PM Andrey Jivsov <crypto@brainhub.org> wrote:

> Hm, this was my original question. When the generator is in a large
> subgroup/group, I don't see how the algorithm on the Wikipedia page benefits
> from the limited range of the secret exponent.
>
> I can further enhance my question by saying that instead of using x in
> [1,sqrt(group_order)] the secrets are derived with a KDF(128-bit key, x),
> where KDF's output is 256 bits (mod group order), so that they are
> unpredictable values. However, I don't even see why this is needed.
>
> It seems that the page is written for a small 128-bit subgroup (for a
> 256-bit curve).
>
> On Wed, Oct 21, 2020 at 7:15 PM Ian Goldberg <iang@uwaterloo.ca> wrote:
>
>> On Wed, Oct 21, 2020 at 06:20:33PM -0700, Andrey Jivsov wrote:
>> > Is the Pollard-Rho algorithm able to take advantage of the exponent size
>> > that is about the size of the security parameter?
>> >
>> > Let's consider ECDLP for P-256 or Curve25519. Does private x for public
>> > Q=xG need to be ~256 bits? I would appreciate pointers on how
>> > Pollard-Rho can take advantage of x~2^128 for P-256 or Curve25519.
>>
>> If you choose x ~ 2^128 and Q=xG, Pollard's kangaroo (aka Pollard's
>> lambda) algorithm can break that in ~2^64 time.
>>
>> https://en.wikipedia.org/wiki/Pollard%27s_kangaroo_algorithm
>>
>> > (I know that e.g. NIST documents recommend a private key to be as you,
>> > Mike, wrote, e.g. 256 bits for P-256)
>>
>> As well it should.  Is there a standard that suggests choosing a 128-bit
>> x?
>>
>> --
>> Ian Goldberg
>> Canada Research Chair in Privacy Enhancing Technologies
>> Professor, Cheriton School of Computer Science
>> University of Waterloo
>>
>
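The point Ian makes (a secret confined to a short interval falls to Pollard's kangaroo in roughly the square root of the interval size, not of the group order) and the mitigation Andrey ends on (expand a short seed to a full-width exponent), as an added example that is not code from the thread or from any of its authors. It runs the kangaroo walk over a toy multiplicative group mod the Mersenne prime 2^61 - 1 with base 3, whose order is assumed to be a large divisor of p - 1; all parameters are constructed for illustration.

```python
import hashlib

P = (1 << 61) - 1   # Mersenne prime 2^61 - 1, toy stand-in for a curve group
G = 3               # base element; assumed to have large order dividing P - 1

def kangaroo(g, h, p, a, b):
    """Return (x, steps) with g^x = h mod p and a <= x <= b, or (None, steps)."""
    w = b - a
    # Jump set {2^0, ..., 2^(k-1)}, sized so the mean jump is about sqrt(w) / 2.
    k = 1
    while (2 ** k - 1) / k < w ** 0.5 / 2:
        k += 1
    gj = [pow(g, 1 << i, p) for i in range(k)]   # g^(2^i), one per jump size
    steps = 0
    # Tame kangaroo: starts at g^b (known exponent) and records every point it visits.
    y, d = pow(g, b, p), 0
    tame = {y: d}
    for _ in range(8 * int(w ** 0.5)):
        i = y % k                          # jump choice depends only on the point
        y, d = y * gj[i] % p, d + (1 << i)
        tame[y] = d
        steps += 1
    # Wild kangaroo: starts at h = g^x (unknown x) using the same deterministic
    # jumps, so once it lands on any tame point the walks merge and
    # x = b + d_tame - d_wild.
    y, d = h, 0
    limit = w + max(tame.values())         # past this it can no longer meet the tame path
    while d <= limit:
        if y in tame:
            x = b + tame[y] - d
            if a <= x <= b and pow(g, x, p) == h:
                return x, steps
        i = y % k
        y, d = y * gj[i] % p, d + (1 << i)
        steps += 1
    return None, steps

def expand_secret(seed: bytes, p=P):
    """Mitigation from the thread: derive a full-width exponent in [1, p-2] from a
    short seed. Hashing to 512 bits before reducing keeps the modular bias negligible."""
    return int.from_bytes(hashlib.sha512(seed).digest(), "big") % (p - 2) + 1
```

With the secret in [0, 2^30) the walk finishes in well under 2^20 group operations, while a generic attack on the 61-bit group would need about 2^30; the same ratio is what turns a 128-bit exponent on a 256-bit curve into roughly 64-bit security.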