Re: [Cfrg] Preliminary disclosure on twist security ...

Watson Ladd <> Wed, 26 November 2014 15:55 UTC


The patent in question is US6563928.

The claim cited reads as follows:

"53. A method of establishing a session key for encryption of data
between a pair of correspondents comprising the steps of one of said
correspondents selecting a finite group G, establishing a subgroup S
having an order q of the group G, determining an element α of the
subgroup S to generate greater than a predetermined number of the q
elements of the subgroup S and utilising said element α to generate a
session key at said one correspondent."

"59: 58. A method according to claim 53 wherein said order of said
subgroup is of the form utilising an integral number of a product of a
plurality of large primes.
59. A method according to claim 58 wherein the order of said subgroup
is of the form nrr′ where n, r and r′ are each integers and r and r′
are each prime numbers."

This doesn't appear to have anything directly to do with twist
security. It does appear to cover the algorithm Microsoft proposed for
dealing with points of low order on NUMS curves in claim 15. The
claim above would seem to cover any implementation of discrete
logarithm based cryptography that uses subgroup membership checks as a
means to ensure contributory behavior.

Watson Ladd

2014-11-26 7:35 GMT-08:00 Dan Brown <>:

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin