Re: [Cfrg] 512-bit twisted Edwards curve and curve generation methods in Russian standardization
CodesInChaos <codesinchaos@gmail.com> Thu, 29 January 2015 15:24 UTC
On Thu, Jan 29, 2015 at 9:08 AM, Stanislav V. Smyshlyaev <smyshsv@gmail.com> wrote:
> by a group of experts where the condition mentioned by Paul ("a
> group where even if a single person is trusted") is satisfied

How did the generation process work?

When just hashing together input from trusted and untrusted sources, the last source to pick their value can run a brute-force search to manipulate the output. Depending on the time and money restrictions on that attacker, it should be possible to execute such an attack even if weak curves were significantly rarer than 2^{18}. I'd guess somewhere around 2^{-40} to 2^{-60} is in range for a powerful attacker.

If generation was done using a commitment followed by revealing the inputs only after all participants committed, then this is indeed random as long as at least one participant is honest.
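The two generation processes contrasted in the message above, as an added example that is not part of the original post or of any standard's procedure. All function names are hypothetical, the inputs are constructed, and `is_flagged` is a toy predicate standing in for "this seed yields a weak curve".

```python
import hashlib
import hmac
import secrets

def H(tag, *parts):
    """SHA-256 over a domain tag and length-prefixed parts (unambiguous encoding)."""
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def combine(values):  # joint seed from every contribution, in a fixed order
    return H(b"seed", *values)

def is_flagged(seed, bits):  # toy stand-in for "weak curve": true with probability 2^-bits
    return int.from_bytes(seed, "big") >> (256 - bits) == 0

def last_mover_search(others, bits, max_tries):
    """Hash-only scheme: the last contributor sees `others` and retries, ~2^bits hashes."""
    for i in range(max_tries):
        v = i.to_bytes(8, "big")
        if is_flagged(combine(others + [v]), bits):
            return v
    return None

def commit(value):
    """Phase 1: publish the commitment; the (nonce, value) opening stays private."""
    nonce = secrets.token_bytes(32)
    return H(b"commit", nonce, value), (nonce, value)

def open_and_combine(commitments, openings):
    """Phase 2: derive the seed only if every opening matches its earlier commitment."""
    ok = len(commitments) == len(openings) and all(
        hmac.compare_digest(c, H(b"commit", n, v)) for c, (n, v) in zip(commitments, openings))
    if not ok:
        raise ValueError("missing opening or opening does not match commitment")
    return combine([v for _, v in openings])

if __name__ == "__main__":
    vals = [b"constructed A", b"constructed B", b"constructed C"]  # constructed inputs
    steer = last_mover_search(vals[:2], bits=12, max_tries=200_000)
    print("hash-only: last mover steers the seed with", steer.hex())
    cs, opens = map(list, zip(*(commit(v) for v in vals)))
    print("commit-reveal seed:", open_and_combine(cs, opens).hex())
    opens[-1] = (opens[-1][0], steer)  # swapped-in value no longer matches its commitment
    try:
        open_and_combine(cs, opens)
    except ValueError as e:
        print("rejected:", e)
```

The searched value is rejected because the commitment was fixed before any other input was visible; a participant who refuses to open at all still has to be treated as a failed run rather than silently dropped.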