Re: [Cfrg] Question about A=6 Montgomery over 2^89-1
"Grigory Marshalko" <marshalko_gb@tc26.ru> Sat, 12 December 2015 18:21 UTC
Yes, exactly 13, see for example
http://www2.warwick.ac.uk/fac/cross_fac/complexity/people/students/dtc/students2013/klaise/janis_klaise_ug_report.pdf

Regards,
Grigory Marshalko,
expert,
Technical committee for standardisation "Cryptography and security mechanisms" (TC 26)
www.tc26.ru

12 December 2015, 18:23, "Dan Brown" <dbrown@certicom.com> wrote:

> So 66^3 is one of the few (13???) integral j-invariants with CM over the rationals (the
> Baker-Stark-Heegner theorem?). And yes, Elkies shows that half the primes will give a supersingular.
> I'll look at how j=66^3 corresponds to A=6 in 2016, and eventually try to sort out whether there's
> much to say about small |A|.
>
> Original Message
> From: Grigory Marshalko
> Sent: Friday, December 11, 2015 4:09 PM
> To: Dan Brown; cfrg@ietf.org
> Subject: Re: [MASSMAIL][Cfrg] Question about A=6 Montgomery over 2^89-1
>
> This seems to be a better answer
>
> http://alexricemath.com/wp-content/uploads/2013/07/EC2.pdf
>
> Regards,
> Grigory Marshalko,
> expert,
> Technical committee for standardisation "Cryptography and security mechanisms" (TC 26)
> www.tc26.ru
>
> 11 December 2015, 23:20, "Grigory Marshalko" <marshalko_gb@tc26.ru> wrote:
>
>> Hi,
>>
>> Maybe this is the case:
>> from wiki:
>> If an elliptic curve over the rationals has complex multiplication then the set of primes for which
>> it is supersingular has density 1/2. If it does not have complex multiplication then Serre showed
>> that the set of primes for which it is supersingular has density zero. Elkies (1987) showed that
>> any elliptic curve defined over the rationals is supersingular for an infinite number of primes.
>>
>> and this may also be useful http://pages.cs.wisc.edu/~cdx/ComplexMult.pdf
>>
>> Regards,
>> Grigory Marshalko,
>> expert,
>> Technical committee for standardisation "Cryptography and security mechanisms" (TC 26)
>> www.tc26.ru
>>
>> 11 December 2015, 00:22, "Dan Brown" <dbrown@certicom.com> wrote:
>>
>>> Hi,
>>>
>>> I stumbled upon something surprising (to me), using Sage (while searching
>>> for something else).
>>>
>>> The Montgomery curve y^2 = x^3 + 6x^2 + x over the field of size 2^89-1, has
>>> order 2^89, so it is maximally vulnerable to Pohlig-Hellman. (Other
>>> details: it has order p+1, so is also vulnerable to MOV. I haven't checked
>>> yet, but I'd _bet_ it's supersingular. It has j-invariant 66^3.)
>>>
>>> As is well-known, the supersingular curve y^2 = x^3 + x also has order 2^89
>>> (it has j-invariant 1728=12^3). But I recall a result of Koblitz saying
>>> that curves over F_p with order p+1 are very rare (among isomorphism
>>> classes). Naively, I would think that finding two such curves so close
>>> together (A=0 and A=6) has negligible chance, unless these weak curves are
>>> distributed towards small |A|.
>>>
>>> Nonetheless, I still hope that this does _not_ indicate some general _weak_
>>> correlation between Montgomery curves with a small coefficient and known
>>> attacks.
>>>
>>> To that end, I'd be curious if somebody here could explain the theory behind
>>> this example curve. For example, it would be reassuring to explain this as
>>> a mere one-time coincidence, rather than a higher chance of a known attack
>>> (e.g. MOV or PH) on smaller-coefficient curves. (Purely speculating: maybe
>>> there's a good theory of supersingular j-invariants for each prime p, then a
>>> way to deduce A from j, such that p=2^89-1 and j=66^3 formed a superstorm to
>>> arrive at a small A=6.)
>>>
>>> Absent such an explanation, the worry is that if known attacks more
>>> generally exhibit this kind of correlation with coefficient size, then how
>>> wise is it to suggest small-coefficient curves as a remedy against secret
>>> attacks?
>>>
>>> I am aware that there are other worries of a different nature
>>> ("manipulation") involved with methods that generate larger coefficients,
>>> but maybe there's a good way to balance both concerns.
>>>
>>> Best regards,
>>>
>>> Daniel Brown
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg
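A worked check of the facts traded in this thread, added here as an illustration; it is my own code, not Sage output from Dan Brown or anything posted to the list. With plain integer arithmetic it (1) evaluates the j-invariant of y^2 = x^3 + A x^2 + x to confirm that A = 6 gives 66^3 = 287496 and A = 0 gives 1728, (2) runs the standard x-only Montgomery ladder over p = 2^89 - 1 and checks that sampled points satisfy [p+1]P = [2^89]P = O (evidence consistent with the reported order, not a proof of it), and (3) counts points naively over small primes to exhibit the density-1/2 behaviour quoted from the wiki: in the sample, #E = p + 1 exactly at the primes p = 3 (mod 4), which is what one expects when the CM field is Q(i), as it is for j = 1728 and, by my reading, for j = 66^3 (the thread itself does not state this). The ladder formulas and the sampling seed are my choices; the curve, prime and j-values come from the thread.

```python
"""Added worked example (mine, not code from the thread). Plain-integer checks
for the Montgomery curve y^2 = x^3 + A x^2 + x:

  1. j-invariant: A = 6 gives 66^3 = 287496, A = 0 gives 1728 = 12^3;
  2. over p = 2^89 - 1, sampled points satisfy [p+1]P = [2^89]P = O,
     computed with an x-only Montgomery ladder (consistent with order p+1);
  3. over small primes, naive point counting gives #E = p + 1 exactly for
     the primes p = 3 (mod 4) in the sample.
"""
import random
from fractions import Fraction

P89 = 2 ** 89 - 1          # the Mersenne prime from the thread


def montgomery_j(A):
    """j-invariant of y^2 = x^3 + A x^2 + x over Q: 256 (A^2 - 3)^3 / (A^2 - 4)."""
    return Fraction(256 * (A * A - 3) ** 3, A * A - 4)


def rhs(x, A, p):
    """Right-hand side x^3 + A x^2 + x reduced mod p."""
    return (x * x * x + A * x * x + x) % p


def is_square_or_zero(v, p):
    """Euler's criterion: v is 0 or a quadratic residue mod the odd prime p."""
    return v == 0 or pow(v, (p - 1) // 2, p) == 1


def count_points(A, p):
    """Naive #E(F_p) including the point at infinity; fine for small p only."""
    n = 1
    for x in range(p):
        v = rhs(x, A, p)
        if v == 0:
            n += 1              # a 2-torsion point (x, 0)
        elif is_square_or_zero(v, p):
            n += 2              # (x, y) and (x, -y)
    return n


def _xdbl(X, Z, a24, p):
    """x-only doubling in projective (X:Z) coordinates, a24 = (A + 2) / 4."""
    s2 = (X + Z) * (X + Z) % p
    d2 = (X - Z) * (X - Z) % p
    t = (s2 - d2) % p           # equals 4XZ
    return s2 * d2 % p, t * (d2 + a24 * t) % p


def _xadd(XP, ZP, XQ, ZQ, xdiff, p):
    """x-only differential addition; xdiff is the affine x of P - Q."""
    u = (XP - ZP) * (XQ + ZQ) % p
    v = (XP + ZP) * (XQ - ZQ) % p
    return (u + v) * (u + v) % p, xdiff * (u - v) * (u - v) % p


def ladder(k, x, A, p):
    """Montgomery ladder: projective (X:Z) of [k]P given only x(P); Z == 0 means O."""
    a24 = (A + 2) * pow(4, -1, p) % p
    R0 = (1, 0)                 # point at infinity
    R1 = (x % p, 1)             # P itself
    for bit in bin(k)[2:]:      # invariant: R1 - R0 = P
        if bit == "1":
            R0 = _xadd(*R0, *R1, x, p)
            R1 = _xdbl(*R1, a24, p)
        else:
            R1 = _xadd(*R0, *R1, x, p)
            R0 = _xdbl(*R0, a24, p)
    return R0


def killed_by_p_plus_one(A, p, samples=8, seed=2015):
    """True iff [p+1]P = O for every sampled point P (x != 0) on the curve."""
    rng = random.Random(seed)   # constructed sample, fixed seed for repeatability
    done = 0
    while done < samples:
        x = rng.randrange(1, p)
        if not is_square_or_zero(rhs(x, A, p), p):
            continue            # x lies on the quadratic twist; skip it
        _, Z = ladder(p + 1, x, A, p)
        if Z != 0:
            return False
        done += 1
    return True


def supersingular_pattern(A, primes):
    """Map each prime p to (#E == p + 1, p % 4 == 3)."""
    return {p: (count_points(A, p) == p + 1, p % 4 == 3) for p in primes}


if __name__ == "__main__":
    print("j(A=6) =", montgomery_j(6), "== 66^3:", montgomery_j(6) == 66 ** 3)
    print("[2^89]P == O for sampled points over 2^89-1:", killed_by_p_plus_one(6, P89))
    for p, (ss, three) in supersingular_pattern(6, [5, 7, 11, 13, 17, 19, 23]).items():
        print(f"p={p:2d}  #E == p+1: {ss!s:5}  p == 3 mod 4: {three}")
```

The twist filter in `killed_by_p_plus_one` is there for clarity rather than necessity: a curve of trace zero and its quadratic twist both have order p + 1, so the ladder would report Z = 0 for every x. The same sampling run against p = 5, where the curve has 8 points and p + 1 = 6, returns False, which is the easy way to see that the check is not vacuous.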