Re: [Cfrg] request for comments: ZSS Short Signature Scheme for SS and BN Curves

Laura Hitt <lhitt@21ct.com> Mon, 23 September 2013 20:57 UTC

From: Laura Hitt <lhitt@21ct.com>
To: Kohei Kasamatsu <kasamatsu.kohei@po.ntts.co.jp>
Date: Mon, 23 Sep 2013 15:57:44 -0500
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

Hi Kohei,

The Cheon attack assumes knowledge of s^i * P for i in [0,d] in order to determine s, where d is some divisor of p-1 or p+1.  I believe you are suggesting that with d pairs of signature and message, one would obtain the necessary s^i * P.  However, if we look at the ZSS signature scheme explicitly, we shall see that this is not the case.

Signature 1 = [H(m1)+x]^-1 * P
Signature 2 = [H(m2)+x]^-1 * P
...
Signature i = [H(mi)+x]^-1 * P

There is no oracle providing the necessary s^i * P for the ZSS signature scheme, so I do not believe the I-D needs to be changed to address the Cheon attacks.

Please let me know if you have further questions or concerns.

Best,
Laura

-----Original Message-----
From: Kohei Kasamatsu [mailto:kasamatsu.kohei@po.ntts.co.jp] 
Sent: Wednesday, September 18, 2013 9:38 PM
To: Laura Hitt
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] request for comments: ZSS Short Signature Scheme for SS and BN Curves

Hi Laura,


Thank you for your email, and I apologise for the delay in replying to you.

I recommend that ZSS signatures use elliptic curves with prime order p such that neither p+1 nor p−1 has a small divisor greater than (log p)^2. This condition on the prime order p prevents the Cheon attack.
Detailed information on the above countermeasure is given in [1].

The reason for my recommendation is that applying the Cheon algorithm to ZSS signatures affects the estimate of the exact security strength.
(It has no influence on the asymptotic estimate.) I think that the standard NFS cannot be applied to elliptic curves, and that the Pollard rho algorithm is currently the best-performing algorithm against the ECDLP on elliptic curves. Although the cost of the Cheon attack depends on the value d of the
d+1 Exponent Problem (d is the number of signature/message pairs
which the attacker can obtain in the case of ZSS signatures), I think there is a possibility that the cost is smaller than that of the Pollard rho algorithm, which is an exponential-time algorithm.

Please let me know if there are any mistakes.
Discussion is welcome.

Best,

[1] J.H. Cheon, Security Analysis of the Strong Diffie-Hellman Problem, EUROCRYPT 2006, LNCS 4004, pp. 1-11, Springer, 2006

(2013/08/27 4:23), Laura Hitt wrote:
> Dear Kohei Kasamatsu,
>
> Thank you for your comment. The Cheon attacks against (variably
> named) strong or static Diffie-Hellman assumption, or the 
> Diffie-Hellman with Auxiliary Input problem are very interesting work. 
> I will include the suggested references in the I-D. However, I do not 
> believe it poses a substantial danger for ZSS for the following 
> reasons:
>
> 1) Those attacks are predicated on the notion that the attacker will 
> have access to an oracle that will supply s^d*P for large d to help 
> solve the discrete log of sP for s, and there's not sufficient reason 
> to think that this additional information would be available in the 
> cases of interest.
>
> 2) Because the parameters used in the I-D (taken from the MIKEY-SAKKE 
> rfc) have a full sized cryptographic subgroup, even if the attack 
> applied, at best these attacks convert the problem to 
> O(Sqrt{(p-1)/d}+d) which is optimized if d<=p^(1/3), but for the rfc 
> parameters, this would still be an attack of order O(p^(1/3))~=2^341, 
> which is far worse than the standard NFS costing.
>
> Thanks again for your comment. Please let me know if you have other 
> concerns.
>
> All the best,
> Laura
>
>
> -----Original Message-----
> From: Kohei Kasamatsu [mailto:kasamatsu.kohei@po.ntts.co.jp]
> Sent: Thursday, July 25, 2013 4:38 AM
> To: Laura Hitt
> Cc: cfrg@irtf.org
> Subject: Re: [Cfrg] request for comments: ZSS Short Signature Scheme 
> for SS and BN Curves
>
> Dear L. Hitt
>
>
> I have a comment.
>
> The security of the ZSS signature depends on the k+1 Exponent Problem.
> The problem can be computed more efficiently by the Cheon algorithm [1,2] than by Pollard's method. (The Cheon algorithm is not a probabilistic polynomial-time algorithm.) Hence I think that you need to analyze its security against that algorithm.
>
>
> [1] J.H. Cheon, Security Analysis of the Strong Diffie-Hellman Problem, EUROCRYPT 2006, LNCS 4004, pp. 1-11, Springer, 2006
> [2] Y. Sakemi, G. Hanaoka, T. Izu, M. Takenaka, and M. Yasuda, "Solving a discrete logarithm problem with auxiliary input on a 160-bit elliptic curve", PKC 2012, LNCS 7293, pp. 595-608, Springer, 2012.
>
> Best regards,
> Kohei Kasamatsu
>
>
>
>
> (2013/03/23 2:27), Laura Hitt wrote:
>> <my apologies if this was sent twice, I saw strange behavior on my 
>> end, so thought I'd try again.>
>>
>> I have recently submitted (as an Individual) two I-Ds and would greatly appreciate any comments you are able to offer.  They pertain to the ZSS short signature scheme from bilinear pairings on supersingular elliptic curves and on Barreto-Naehrig elliptic curves.
>>
>> http://www.ietf.org/internet-drafts/draft-irtf-cfrg-zss-00.txt
>> http://www.ietf.org/internet-drafts/draft-irtf-cfrg-zssbn-00.txt
>>
>> Thank you!
>> Laura Hitt
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>>
>
>
> --
> Kohei Kasamatsu
>
> NTT Software Corporation
> E-mail: kasamatsu.kohei@po.ntts.co.jp
>
>
>


--
Kohei KASAMATSU

NTT Software Corporation
E-mail: kasamatsu.kohei@po.ntts.co.jp
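Added example, not from the I-D and not code written by either correspondent above: a checker for the order condition Kasamatsu recommends (no usable divisor of p-1 or p+1) together with the cost comparison Hitt sketches against Pollard rho. It takes a prime group order p, enumerates the smooth divisors of p-1 and p+1, and estimates Cheon's cost for every divisor an attacker with a bounded supply of auxiliary powers could use. The cost formulas are those of Cheon's EUROCRYPT 2006 paper [1] with the log factors dropped; reading "(log p)^2" as log base 2, the budget parameter max_aux (the largest exponent i for which s^i * P is assumed available), the trial-division bound, and the test value p = 2^31 - 1 are all assumptions of this example, not of the thread.

```python
"""
Added example (not from the I-D or from either mail above): estimate what
Cheon's algorithm would cost against a prime-order group, from the divisors
of p-1 and p+1, and compare it with generic Pollard rho.

Assumptions made here, not stated on the page:
  * d | p-1: from g, g^a, g^(a^d) Cheon recovers a in about
      sqrt(p/d) + sqrt(d) group operations.
  * d | p+1: from g^(a^i) for 0 <= i <= 2d Cheon recovers a in about
      sqrt(p/d) + d group operations.
    (Both drop the log p factors; Pollard rho is taken as sqrt(p).)
  * "small divisor greater than (log p)^2" is read with log base 2.
  * max_aux is the largest exponent i for which g^(a^i) is assumed to be
    available, so the p-1 variant needs d <= max_aux and the p+1 variant
    needs 2d <= max_aux.
"""
import math


def smooth_divisors(n, bound):
    """All divisors of n composed only of primes <= bound, ascending.
    Plain trial division; any factor of n above the bound is never used."""
    fac = {}
    m = n
    q = 2
    while q <= bound and m > 1:
        while m % q == 0:
            fac[q] = fac.get(q, 0) + 1
            m //= q
        q += 1
    divs = [1]
    for prime, exp in fac.items():
        divs = [d * prime ** k for d in divs for k in range(exp + 1)]
    return sorted(divs)


def cheon_ops(p, d, variant):
    """Estimated group operations for Cheon's algorithm (log factors dropped)."""
    if variant == "p-1":
        return math.isqrt(p // d) + math.isqrt(d)
    if variant == "p+1":
        return math.isqrt(p // d) + d
    raise ValueError(variant)


def pollard_rho_ops(p):
    """Generic baseline: about sqrt(p) group operations."""
    return math.isqrt(p)


def risky_divisors(p, max_aux, bound=100_000):
    """Divisors of p-1 / p+1 above the (log2 p)^2 threshold that an attacker
    holding powers up to max_aux could exploit, each with its cost estimate."""
    threshold = math.log2(p) ** 2  # assumption: (log p)^2 with log base 2
    found = []
    for d in smooth_divisors(p - 1, bound):
        if threshold < d <= max_aux:
            found.append({"variant": "p-1", "d": d, "ops": cheon_ops(p, d, "p-1")})
    for d in smooth_divisors(p + 1, bound):
        if threshold < d and 2 * d <= max_aux:
            found.append({"variant": "p+1", "d": d, "ops": cheon_ops(p, d, "p+1")})
    return found


def best_attack(p, max_aux, bound=100_000):
    """Cheapest exploitable variant within budget, or None if p passes the check."""
    candidates = risky_divisors(p, max_aux, bound)
    if not candidates:
        return None
    return min(candidates, key=lambda e: e["ops"])


def report(p, max_aux):
    """Human-readable summary comparing the best Cheon variant with Pollard rho."""
    rho = pollard_rho_ops(p)
    best = best_attack(p, max_aux)
    lines = [f"p has {p.bit_length()} bits; Pollard rho ~ 2^{math.log2(rho):.1f} ops"]
    if best is None:
        lines.append(f"no exploitable divisor of p-1 or p+1 with powers up to {max_aux}")
    else:
        lines.append(f"Cheon ({best['variant']}, d={best['d']}) ~ 2^{math.log2(best['ops']):.1f} ops")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed test value: the Mersenne prime 2^31 - 1.
    # p-1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331 and p+1 = 2^31, so both sides
    # of the check have many smooth divisors.
    print(report(2**31 - 1, max_aux=2**16))
```

The checker only looks at the divisor structure of p-1 and p+1 and at how many powers s^i * P the attacker is assumed to hold; whether a ZSS signer actually hands out those powers is exactly the point the two mails disagree on, and the tool does not settle it. For a real parameter set, run it on the subgroup order from the I-D and set max_aux to the number of signatures you are prepared to assume an attacker can collect.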