Re: [Cfrg] (paper of potential interest) Re: One question about MODP: the structure of DLP prime in a finite field

"Hao, Feng" <> Tue, 19 November 2019 15:59 UTC

From: "Hao, Feng" <>
To: Rene Struik <>, Wang Guilin <>, "" <>

Dear Rene,

Thanks for the link. I'm not sure if the proofs are complete though as they are deferred to a full paper. But I couldn't find the full paper .... Maybe someone knows?

The following paper may also be of interest (Oorschot, Wiener, Eurocrypt'96)

The general recommendation tends to be in line with using short exponents for a subgroup of prime order. That is more of an established practice.


On 19/11/2019, 15:37, "Rene Struik" <> wrote:

    Dear colleagues:
    The paper [a] may be of interest.
    [a] Short Exponents Diffie-Hellman Problems (Kaoru Kurosawa, Takeshi Koshiba, PKC 2004)
    Best regards, Rene
    On 11/19/2019 9:07 AM, Hao, Feng wrote:
    > Dear Guilin,
    >
    > > About security, I also feel it looks secure if we only select short exponents, say 256 bit strings for x and y in SPEKE, even though q is 2047 bits. However, to my best knowledge, it seems that this has not been confirmed by any academic research [I may be wrong on this]. Security is subtle and tricky...
    >
    > The use of a short exponent for a safe-prime modulus was first suggested in Jablon's original SPEKE paper [1], but later in a follow-up paper [2] he gave a more cautionary note that this might not be safe. Indeed, the use of a short exponent in this manner implies that given a full-length secret key in Z_q on the exponent, nearly 90% of the secret bits are exposed by definition (and fixed at 0), and the security relies on the remaining small percentage of bits being incomputable. The security of this practice hasn't been confirmed by any other study as far as I am aware. So it remains a heuristic suggestion. Quite likely, the CDH and DDH assumptions will not hold if that matters.
    > [1] D. Jablon, “Strong password-only authenticated key exchange,” ACM Computer Communications Review, Vol. 26, No. 5, pp. 5–26, October 1996.
    > [2] D. Jablon, “Password authentication using multiple servers,” Topics in Cryptology – CT-RSA, pp. 344–360, LNCS 2020, April 2001.
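An added illustration (my own code, not from the thread or its authors) of the two settings discussed above: a safe prime p = 2q + 1, where a 256-bit exponent leaves most of a full-length Z_q exponent fixed at zero, versus a prime-order subgroup whose order q matches the exponent length, plus the subgroup membership check a receiver should apply to any public value. Group sizes are assumed toy values (64-bit p) so the search runs instantly; all function names are mine.

```python
import secrets

def is_probable_prime(n, rounds=20):
    """Miller-Rabin with random bases; adequate for the toy sizes used here."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(p_bits, q_bits):
    """Return (p, q, g): q prime, q | p-1, g of order exactly q.
    q_bits == p_bits - 1 yields a safe prime p = 2q + 1 (the SPEKE setting)."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if not is_probable_prime(q):
            continue
        k = 2 if p_bits - q_bits == 1 else (secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = k * q + 1
        if is_probable_prime(p):
            h = 2
            while (g := pow(h, k, p)) == 1:  # g = h^((p-1)/q) != 1 has order q
                h += 1
            return p, q, g

def exposed_fraction(q_bits, exp_bits):
    """Share of a full-length Z_q exponent that a short exponent fixes at 0."""
    return (q_bits - exp_bits) / q_bits

def valid_public_value(y, p, q):
    """Reject 0, 1, p-1 and any value outside the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1

def dh_exchange(p, q, g, exp_bits=None):
    """DH in the order-q subgroup; exponents are full-length in [1, q-1] unless exp_bits is given."""
    def sample():
        return secrets.randbelow(q - 1) + 1 if exp_bits is None else secrets.randbits(exp_bits) | (1 << (exp_bits - 1))
    a, b = sample(), sample()
    ya, yb = pow(g, a, p), pow(g, b, p)
    if not (valid_public_value(ya, p, q) and valid_public_value(yb, p, q)):
        raise ValueError("public value outside the prime-order subgroup")
    return pow(yb, a, p), pow(ya, b, p)
```

`exposed_fraction(2047, 256)` evaluates to about 0.875, the figure the thread rounds to "nearly 90%"; with `gen_group(64, 24)` the subgroup order is as long as the exponent, so a full-length exponent in Z_q fixes nothing.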