Re: [Cfrg] Preliminary disclosure on twist security ...

Watson Ladd <watsonbladd@gmail.com> Wed, 26 November 2014 18:05 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E72C11A0373 for <cfrg@ietfa.amsl.com>; Wed, 26 Nov 2014 10:05:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_22=0.6, LOTS_OF_MONEY=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZhOmhuVupKWT for <cfrg@ietfa.amsl.com>; Wed, 26 Nov 2014 10:05:33 -0800 (PST)
Received: from mail-yh0-x231.google.com (mail-yh0-x231.google.com [IPv6:2607:f8b0:4002:c01::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C62A71A0366 for <cfrg@irtf.org>; Wed, 26 Nov 2014 10:05:32 -0800 (PST)
Received: by mail-yh0-f49.google.com with SMTP id f10so1545079yha.8 for <cfrg@irtf.org>; Wed, 26 Nov 2014 10:05:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=IPhIm0lYe3g8uMI/vRVieE2nv4d4OFKviM1CRQJFUKc=; b=xDTlgsjUBuCDNzs2bdIMF5tFfafxbfBJWJl6cOfWecFsFqEyQaPE65iaejoUfkU2CM 5WbDghOkLx+azIWCt4TaAcJDtXDJKuBOvQNQrDsBvGYh9hjo4YeDBBevSyfz7QSaqzuf xXAfM3hbZaX657aQZaDVI8Ovz6kMba2CiciMONjXeg1eMzOO3FwSTCT99kjqo6WGIcMY elssLYF+BORU+biiFKOM3LbJKqrD1+M5O+tVFPPnPbXOA8IibYTybVZBc4LYdNENOnfm ZuX3gS40f98Cxb3ebxb0i67vqKp+wrj9NcxS26ZDmbA94PJVs9nZMi0JTiL2f2trEnH8 Hbfw==
MIME-Version: 1.0
X-Received: by 10.236.7.52 with SMTP id 40mr32484938yho.172.1417025132074; Wed, 26 Nov 2014 10:05:32 -0800 (PST)
Received: by 10.170.195.21 with HTTP; Wed, 26 Nov 2014 10:05:32 -0800 (PST)
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5D0742B@XMB116CNC.rim.net>
References: <810C31990B57ED40B2062BA10D43FBF5D072C5@XMB116CNC.rim.net> <CACsn0ck5vgB5qojL2o38Vb=mt9ZFNres+EVXBsBK=VRjrpwLzw@mail.gmail.com> <810C31990B57ED40B2062BA10D43FBF5D0742B@XMB116CNC.rim.net>
Date: Wed, 26 Nov 2014 10:05:32 -0800
Message-ID: <CACsn0ckthZehQZkYyBBcCmHKrf-DsCk5s95Mr8_kQcNSD+7hPQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Brown <dbrown@certicom.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/FoW6g5OtkwVeizeSqReu3lt4_jA
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "djb@cr.yp.to" <djb@cr.yp.to>
Subject: Re: [Cfrg] Preliminary disclosure on twist security ...
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Nov 2014 18:05:34 -0000

On Wed, Nov 26, 2014 at 8:49 AM, Dan Brown <dbrown@certicom.com> wrote:
>
>> -----Original Message-----
>> From: Watson Ladd
>>
>> The patent in question is US6563928.
>>
>> The claim cited reads as follows:
>>
>> "53. A method of establishing a session key for encryption of data between a
>> pair of correspondents comprising the steps of one of said correspondents
>> selecting a finite group G, establishing a subgroup S having an order q of the
>> group G, determining an element α of the subgroup S to generate greater than
>> a predetermined number of the q elements of the subgroup S and utilising said
>> element α to generate a session key at said one correspondent."
>>
>> "59: 58. A method according to claim 53 wherein said order of said subgroup is
>> of the form utilising an integral number of a product of a plurality of large
>> primes.
>> 59. A method according to claim 58 wherein the order of said subgroup is of
>> the form nrr′ where n, r and r′ are each integers and r and r′ are each prime
>> numbers."
>>
>> This doesn't appear to have anything to do that directly with twist security.
>
> Well, this is what I was thinking:
>
> Let F_p be the underlying field.
>
> Let E be the twist-secure curve, with size #E(F_p) = hr, where h is a small cofactor and r a large prime.  Its twist E' has size h'r' where h' to the another small cofactor and r' is another large prime.
>
> Now G be the group of F_p^2 rational points, which is a group of size hh'rr', right?

Nope: Take t=p+1-hr. t is the trace of a matrix with determinant p,
say diagonal with \alpha and \beta as eigenvalues. |G| = p^2+1-t_2,
where t_2=\apha^2+\beta^2. Using Viete's formulas, or maybe Newton's,
we write t^2-2p=t_2. So the order of |G| is p^2+2p+1-(p+1-hr)^2. It's
not hh'rr'.

I may have made a typo in the above: check Silverman for the exact details.

>Then let S be the subgroup with of G of size q = rr'.
>
> Let alpha be the element of S used to generate the yet smaller subgroup of size, i.e. the conventional DH prime-order subgroup of E(F_p).  Now alpha generates r elements, which is greater than a predetermined number, e.g. 2^250.
>
> This means putting n =1 in Claim 59.
>
> Best regards,
>
> Dan



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin