Re: [Cfrg] Preliminary disclosure on twist security ...

Dan Brown <> Wed, 26 November 2014 16:50 UTC

From: Dan Brown <>
Date: Wed, 26 Nov 2014 16:49:54 +0000
Subject: Re: [Cfrg] Preliminary disclosure on twist security ...
List-Id: Crypto Forum Research Group <>

> -----Original Message-----
> From: Watson Ladd 
> The patent in question is US6563928.
> The claim cited reads as follows:
> "53. A method of establishing a session key for encryption of data between a
> pair of correspondents comprising the steps of one of said correspondents
> selecting a finite group G, establishing a subgroup S having an order q of the
> group G, determining an element α of the subgroup S to generate greater than
> a predetermined number of the q elements of the subgroup S and utilising said
> element α to generate a session key at said one correspondent."
> "59: 58. A method according to claim 53 wherein said order of said subgroup is
> of the form utilising an integral number of a product of a plurality of large
> primes.
> 59. A method according to claim 58 wherein the order of said subgroup is of
> the form nrr′ where n, r and r′ are each integers and r and r′ are each prime
> numbers."
> This doesn't appear to have anything to do directly with twist security.

Well, this is what I was thinking:

Let F_p be the underlying field.

Let E be the twist-secure curve, with size #E(F_p) = hr, where h is a small cofactor and r a large prime.  Its twist E' has size h'r', where h' is another small cofactor and r' is another large prime.

Now let G be the group of F_p^2 rational points, which is a group of size hh'rr', right?  Then let S be the subgroup of G of size q = rr'.

Let alpha be the element of S used to generate the yet smaller subgroup of size, i.e. the conventional DH prime-order subgroup of E(F_p).  Now alpha generates r elements, which is greater than a predetermined number, e.g. 2^250.

This means putting n = 1 in Claim 59.

Best regards,
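The group-size step in the message above (that the F_p^2 rational points form a group of order hh'rr', i.e. #E(F_p) times the order of the twist) can be checked by brute force on a toy curve. The following script is an added example, not code from the thread or from any of its participants; the prime P = 11 and the coefficients A = 3, B = 5 are constructed toy values, not a real twist-secure curve, and the counting functions are written for clarity rather than speed.

```python
"""
Added example, not code from the CFRG thread or its authors: brute-force
check that for E: y^2 = x^3 + A x + B over F_p with #E(F_p) = h*r and its
quadratic twist E' with #E'(F_p) = h'*r', the group E(F_{p^2}) has order
#E(F_p) * #E'(F_p) = h h' r r'.  All parameters are constructed toy values.
"""
from collections import Counter

P = 11        # constructed toy prime; P = 3 (mod 4) so F_{P^2} = F_P[i] / (i^2 + 1)
A, B = 3, 5   # constructed toy coefficients for y^2 = x^3 + A x + B (non-singular mod 11)


def count_points_fp(p, a, b):
    """Number of points on y^2 = x^3 + a x + b over F_p, including infinity."""
    squares = Counter(y * y % p for y in range(p))   # value -> number of square roots
    total = 1                                        # point at infinity
    for x in range(p):
        total += squares[(x * x * x + a * x + b) % p]
    return total


def nonresidue(p):
    """Smallest quadratic non-residue mod p; it defines the quadratic twist."""
    squares = {y * y % p for y in range(p)}
    return next(d for d in range(2, p) if d not in squares)


def count_points_twist(p, a, b):
    """Number of points on the twist d*y^2 = x^3 + a x + b over F_p, including infinity."""
    d = nonresidue(p)
    total = 1
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        total += sum(1 for y in range(p) if d * y * y % p == rhs)
    return total


# Arithmetic in F_{p^2} = F_p[i]/(i^2 + 1): an element is a pair (u, v) meaning u + v*i.
def f2_add(x, y, p):
    return ((x[0] + y[0]) % p, (x[1] + y[1]) % p)


def f2_mul(x, y, p):
    return ((x[0] * y[0] - x[1] * y[1]) % p, (x[0] * y[1] + x[1] * y[0]) % p)


def count_points_fp2(p, a, b):
    """Number of points on y^2 = x^3 + a x + b over F_{p^2}, including infinity."""
    elements = [(u, v) for u in range(p) for v in range(p)]
    squares = Counter(f2_mul(y, y, p) for y in elements)  # value -> number of square roots
    total = 1
    for x in elements:
        x3 = f2_mul(f2_mul(x, x, p), x, p)
        rhs = f2_add(f2_add(x3, f2_mul((a % p, 0), x, p), p), (b % p, 0), p)
        total += squares[rhs]
    return total


def check_product_structure(p=P, a=A, b=B):
    """Return (#E(F_p), #E'(F_p), #E(F_{p^2})) after confirming the product relation."""
    n_e = count_points_fp(p, a, b)
    n_twist = count_points_twist(p, a, b)
    n_e2 = count_points_fp2(p, a, b)
    t = p + 1 - n_e                                  # Frobenius trace of E
    if n_twist != p + 1 + t:                         # the twist has the opposite trace
        raise ValueError("twist count does not match p + 1 + t")
    if n_e2 != (p + 1) ** 2 - t ** 2:                # standard formula for #E(F_{p^2})
        raise ValueError("F_{p^2} count does not match (p+1)^2 - t^2")
    if n_e2 != n_e * n_twist:                        # the hh'rr' relation from the message
        raise ValueError("F_{p^2} group is not of order #E * #E'")
    return n_e, n_twist, n_e2


if __name__ == "__main__":
    print(check_product_structure())                 # (9, 15, 135) for the toy parameters
```

The script counts E(F_11) and the twist directly, then counts E(F_121) with explicit F_{p^2} arithmetic and compares against both the trace formula and the product #E(F_p) * #E'(F_p); the same three checks run unchanged for any other small prime p = 3 (mod 4) and non-singular coefficients.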