[Cfrg] Twist security question

Dan Brown <dbrown@certicom.com> Mon, 21 July 2014 17:07 UTC

From: Dan Brown <dbrown@certicom.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: Twist security question
Thread-Index: Ac+lBjJ/jspEZYkdTLK4AZ6myj9axg==
Date: Mon, 21 Jul 2014 17:07:05 +0000
Message-ID: <20140721170703.6656149.88919.16917@certicom.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="===============2019853508=="
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/IuUb06jGt_dNCGQj8oMo1iOF-xY
Subject: [Cfrg] Twist security question
Precedence: list

Since Curve25519 DH protocol lets info about private key out via the twist (then kdf, mac and cipher), it seems to require an extra computational assumption, right? 

Probably this has been considered before. Maybe there's a reduction to a standard problem, or a generic group model proof, at least, which ought to be easy.

Best regards, 

-- Dan

PS N. Smart's comments about twist security got me thinking about this.

Attachment: smime.p7s

[Cfrg] Twist security question Dan Brown
Re: [Cfrg] Twist security question Michael Hamburg
Re: [Cfrg] Twist security question Robert Ransom

[Cfrg] Twist security question

Attachment: smime.p7s