Re: [Cfrg] (paper of potential interest) Re: One question about MODP: the structure of DLP prime in a finite field
"Hao, Feng" <Feng.Hao@warwick.ac.uk> Tue, 19 November 2019 15:59 UTC
Return-Path: <Feng.Hao@warwick.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F8B41208FF for <cfrg@ietfa.amsl.com>; Tue, 19 Nov 2019 07:59:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f4eMAlonXVTD for <cfrg@ietfa.amsl.com>; Tue, 19 Nov 2019 07:59:07 -0800 (PST)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10045.outbound.protection.outlook.com [40.107.1.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A578120959 for <cfrg@irtf.org>; Tue, 19 Nov 2019 07:59:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QCC4+Iqlfopdlds8uaW/CNyFnLXaZIktC+t6XNq2iJeHU9wAH+pLStLCkjtGnDFBOa8oeCwgQG/N5EMDhElQzIWhbTtkP9drJ4xjsNzg62YqjGH4MtCd5JyKhVwsB6O4PP7QUroOP+AqY0nq3Sdyq9+rAnm8kAwBQFAM31iWyXQP/25QOkKUnousTBiGZw5LlkX0YpLbvF7o5YGzgU9B13+iDzJEiEbpctYgubhtKltrsun7jdpWIVuaXMuTEXgDdJoea7vM7YLVkKI/JCjb6dhQDZDsIEgtGWE/wrgUVr5dbzWyqcSy2qtHvBGoiqnCCjyzlSJc73UvmUV+1JXuUg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vepK2iNHEHlXQqT6i9FjtoBqtrFqzv6PNfleQPj/eBg=; b=k3bzCoc/Z38LtQoyff+sR45n/VOneGjRjMW7pSQQpqaIXhLCRjcCfuzyvpAwB1m1EEnokiBHf8e+nUE0Zkz0RGRNt+73EPf4WODBDQCprZE5W5oI9krVOeIAIUDjU+qnH30VdOSp7y6eN4wVBsEZfy9vcEtng0B8QPLaArqK+av1SN4APPgt4clERDapVLWn0iaKghruPmjmrznyQtuIbaN3ThKdCZbSc2FyFqaYhVAcVpCFBX/sagpkhMIR10owOQRHQZPumojkVH8M7xGaQGmHvhAPqrV0GAJvQFW1Imh+BskHwQSB0sjiVkRQ6dT+FTpHmF1FeMj+0UsHEW0Rxg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=warwick.ac.uk; dmarc=pass action=none header.from=warwick.ac.uk; dkim=pass header.d=warwick.ac.uk; arc=none
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com (20.178.104.28) by DB7PR01MB4394.eurprd01.prod.exchangelabs.com (52.135.140.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2451.23; Tue, 19 Nov 2019 15:59:00 +0000
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::e925:ac07:6d27:3073]) by DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::e925:ac07:6d27:3073%7]) with mapi id 15.20.2474.015; Tue, 19 Nov 2019 15:59:00 +0000
From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: Rene Struik <rstruik.ext@gmail.com>, Wang Guilin <Wang.Guilin@huawei.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: (paper of potential interest) Re: [Cfrg] One question about MODP: the structure of DLP prime in a finite field
Thread-Index: AQHVnuKoQqMssU+rwUedIi9xYW2btaeSoJWAgAAGKIA=
Date: Tue, 19 Nov 2019 15:58:59 +0000
Message-ID: <9E11CB96-4720-4B16-9916-849DE1065AB8@live.warwick.ac.uk>
References: <90660A69-4146-4451-A6F2-42DEBC9956B0@live.warwick.ac.uk> <c715e1ec-e03f-4d1e-6aee-3cc22b87548c@gmail.com>
In-Reply-To: <c715e1ec-e03f-4d1e-6aee-3cc22b87548c@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.10.191111
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Feng.Hao@warwick.ac.uk;
x-originating-ip: [137.205.238.137]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6c9c76b8-4901-4a30-4286-08d76d096455
x-ms-traffictypediagnostic: DB7PR01MB4394:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <DB7PR01MB43941EE3877C6754769AB474D64C0@DB7PR01MB4394.eurprd01.prod.exchangelabs.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 022649CC2C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(376002)(346002)(396003)(39860400002)(136003)(199004)(189003)(14014004)(51914003)(476003)(26005)(186003)(446003)(486006)(6246003)(25786009)(305945005)(6486002)(64756008)(7736002)(6306002)(66946007)(66556008)(76176011)(66446008)(256004)(6506007)(66476007)(6512007)(14444005)(11346002)(6436002)(53546011)(6116002)(229853002)(102836004)(2906002)(3846002)(91956017)(8936002)(33656002)(2501003)(76116006)(5660300002)(413944005)(81166006)(966005)(8676002)(81156014)(110136005)(86362001)(325944009)(786003)(478600001)(99286004)(14454004)(58126008)(71190400001)(71200400001)(66066001)(316002); DIR:OUT; SFP:1101; SCL:1; SRVR:DB7PR01MB4394; H:DB7PR01MB5435.eurprd01.prod.exchangelabs.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: warwick.ac.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 0lz7rajsmXYkSP2z3KojS5r8R7gqgZkuFyGHovb1IFDFMAUGgaksFV773RIF2Rl4lDkPQO9YVLaqpmsR7vkXVGzurJlaPYtsmMuh6k2cSIYx7fmyRJU98TCbHNNvCli5AoCPaZoC5Pqra3jcFA7ZLh1JHEeMUCrlLqk1xy7g5n+yMmlc/g5e2bM6Hx4Le8bDOyRtn5k1VLXkBHKNSohJDaqcYyox4Xiu/ZB1XOjkhXUoATtucBta8Bl2w9l1Izy6dpE65twimbnBH6EzrZ00Feide7x1d/xQjZd0QVBv9LDIuqB1h5LC+nwEMSZO5LXIPhr75uBntr7AQuxgB0aTcI4wn48si4mm3odo53rvkxtXLNYh4eqQku+f/T+s3ll4ubudpBsei3zFB1C1JO1/VxQrn5sV309mdlKV7r4S4P+IeB/53ypeNA+/pfSObkr4+i9fnmdSUvwyHys3rmnKwVYwrlpEAQP4EbQTHCLn5kc=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <081F7E275DAC8B4CA27438B672C976BB@eurprd01.prod.exchangelabs.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: warwick.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 6c9c76b8-4901-4a30-4286-08d76d096455
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Nov 2019 15:58:59.6759 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: W+3Gxl5+e49mTgPe+NBmO49DKmEfd68/n8JSQ9YQjVLEVZDUBOEv7C3zIiQsfbaRbE5PMyKCDbl635fv7wTD0JrLOHkpylYnB5NVdiSIRoE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR01MB4394
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3O7tnjt2CeAoqMDXg_Z5O5d8e5A>
Subject: Re: [Cfrg] (paper of potential interest) Re: One question about MODP: the structure of DLP prime in a finite field
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2019 15:59:10 -0000
Dear Rene, Thanks for the link. I'm not sure if the proofs are complete though as they are deferred to a full paper. But I couldn't find the full paper .... Maybe someone knows? The following paper may also be interest (Oorschot, Wiener, Encrypt'96) https://people.scs.carleton.ca/~paulv/papers/Euro96-DH.pdf The general recommendation tends to be a line with using short exponents for a subgroup of prime order. That is more an established practice. Cheers, Feng On 19/11/2019, 15:37, "Rene Struik" <rstruik.ext@gmail.com> wrote: Dear colleagues: The paper [a] may be of interest. [a] Short Exponents Diffie-Hellman Problems (Kaoru Kurosawa, Takeshi Koshiba, PKC 2004) Best regards, Rene On 11/19/2019 9:07 AM, Hao, Feng wrote: > Dear Guilin, > > > About security, I also feel it looks secure if we only select short exponents, say 256 bit strings for x and y in SPEKE, even though q is 2047 bits. However, to my best knowledge, it seems that this has not been confirmed by any academic research [I may be wrong on this]. Security is subtle and tricky... > > The use of a short exponent for a safe-prime modulus was first suggested in Jablon's original SPEKE paper [1], but later in a follow-up paper [2] he gave a more cautionary note that this might not be safe. Indeed, the use of a short exponent in this manner implies that given a full-length secret key in Z_q on the exponent, nearly 90% secret bits are exposed by definition (and fixed at 0), and the security relies on the rest small percentage of bits being incomputable. The security of this practice hasn't been confirmed by any other study as far I am aware. So it remains a heuristic suggestion. Quit likely, the CDH and DDH assumptions will not hold if that matters. > > [1] D. Jablon, “Strong password-only authenticated key exchange,” ACM Computer Communications Review, Vol. 26, No. 5, pp. 5–26, October 1996. > [2] D. Jablon, “Password authentication using multiple servers,” Topics in Cryptology – CT-RSA, pp. 344–360, LNCS 2020, April 2001. > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
- [Cfrg] One question about MODP: the structure of … Wang Guilin
- Re: [Cfrg] One question about MODP: the structure… Scott Fluhrer (sfluhrer)
- Re: [Cfrg] One question about MODP: the structure… Wang Guilin
- Re: [Cfrg] One question about MODP: the structure… Hao, Feng
- [Cfrg] (paper of potential interest) Re: One ques… Rene Struik
- Re: [Cfrg] (paper of potential interest) Re: One … Hao, Feng
- Re: [Cfrg] One question about MODP: the structure… Nasrul Zikri