Re: [Cfrg] request for comments: ZSS Short Signature Scheme for SS and BN Curves

Laura Hitt <lhitt@21ct.com> Mon, 26 August 2013 19:24 UTC

From: Laura Hitt <lhitt@21ct.com>
To: Kohei Kasamatsu <kasamatsu.kohei@po.ntts.co.jp>
Date: Mon, 26 Aug 2013 14:23:54 -0500
Message-ID: <04920BD67C651C469D0387704CD7692A801128D84A@21ct-exg07.21technologies.com>
References: <04920BD67C651C469D0387704CD7692A74B0844B94@21ct-exg07.21technologies.com> <51F0F1E6.5080505@po.ntts.co.jp>
In-Reply-To: <51F0F1E6.5080505@po.ntts.co.jp>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] request for comments: ZSS Short Signature Scheme for SS and BN Curves

Dear Kohei Kasamatsu,

Thank you for your comment. The Cheon attacks against the (variably
named) strong or static Diffie-Hellman assumption, or the
Diffie-Hellman with Auxiliary Input problem, are very
interesting work. I will include the suggested references in
the I-D. However, I do not believe they pose a substantial
danger for ZSS, for the following reasons:

1) Those attacks are predicated on the notion that the attacker
will have access to an oracle that will supply s^d*P for large
d to help solve the discrete log of sP for s, and there's not
sufficient reason to think that this additional information
would be available in the cases of interest.

2) Because the parameters used in the I-D (taken from the
MIKEY-SAKKE RFC) have a full-sized cryptographic subgroup, even
if the attack applied, at best these attacks convert the
problem to O(Sqrt{(p-1)/d}+d), which is optimized if d<=p^(1/3),
but for the RFC parameters this would still be an attack of
order O(p^(1/3))~=2^341, which is way worse than the standard
NFS costing.

Thanks again for your comment. Please let me know if you have
other concerns.

All the best,
Laura
 

-----Original Message-----
From: Kohei Kasamatsu [mailto:kasamatsu.kohei@po.ntts.co.jp] 
Sent: Thursday, July 25, 2013 4:38 AM
To: Laura Hitt
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] request for comments: ZSS Short Signature Scheme for SS and BN Curves

Dear L. Hitt


I have a comment.

The security of the ZSS signature depends on the k+1 Exponent Problem.
The problem can be computed more efficiently by Cheon's algorithm [1,2] than by Pollard's method. (Cheon's algorithm is not a probabilistic polynomial-time algorithm.) Hence I think that you need to analyze security against this algorithm.


[1] J.H. Cheon, "Security Analysis of the Strong Diffie-Hellman Problem", EUROCRYPT 2006, LNCS 4004, pp. 1-11, Springer, 2006.
[2] Y. Sakemi, G. Hanaoka, T. Izu, M. Takenaka, and M. Yasuda, "Solving a discrete logarithm problem with auxiliary input on a 160-bit elliptic curve", PKC 2012, LNCS 7293, pp. 595-608, Springer, 2012.

Best regards,
Kohei Kasamatsu




(2013/03/23 2:27), Laura Hitt wrote:
> <my apologies if this was sent twice, I saw strange behavior on my 
> end, so thought I'd try again.>
>
> I have recently submitted (as an Individual) two I-Ds and would greatly appreciate any comments you are able to offer.  They pertain to the ZSS short signature scheme from bilinear pairings on supersingular elliptic curves and on Barreto-Naehrig elliptic curves.
>
> http://www.ietf.org/internet-drafts/draft-irtf-cfrg-zss-00.txt
> http://www.ietf.org/internet-drafts/draft-irtf-cfrg-zssbn-00.txt
>
> Thank you!
> Laura Hitt


--
Kohei Kasamatsu

NTT Software Corporation
E-mail: kasamatsu.kohei@po.ntts.co.jp
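Cheon's algorithm, which both messages above refer to, is short enough to run end to end on a toy group. The block below is an added example written for this page; it is not code from either Internet-Draft, from Cheon's paper, or from either correspondent. It implements the d | p-1 variant of [1]: given g, g^s and g^(s^d) in a group of prime order p, it recovers s with roughly sqrt((p-1)/d) + sqrt(d) group exponentiations, against the roughly sqrt(p) that plain baby-step giant-step needs from g and g^s alone. The group (the order-p subgroup of Z_q^* with q = 2207, p = 1103), the secret s = 617 and the divisor d = 29 are all constructed for this example and have nothing to do with the MIKEY-SAKKE parameters. The extra value g^(s^d) is exactly the "auxiliary input" the attack needs and that point 1) of the reply says an attacker is not given; in the k+1 exponent setting, obtaining it would require k >= d.

```python
"""Toy Cheon attack on the discrete log problem with auxiliary input
(the d | p-1 case of Cheon, EUROCRYPT 2006).

Group: the order-p subgroup of Z_q^*, q = 2p + 1 a safe prime.  Given
g, g^s, g^(s^d) with d | p - 1, recover s in about sqrt((p-1)/d) + sqrt(d)
exponentiations.  All parameters are toy values chosen for this example.
"""
from math import isqrt

Q = 2207            # safe prime, q = 2p + 1  (constructed for the example)
P = 1103            # prime group order p; p - 1 = 1102 = 2 * 19 * 29
G = pow(2, 2, Q)    # a quadratic residue != 1, hence of order p


def prime_factors(n):
    """Distinct prime factors of n by trial division (toy sizes only)."""
    out, f = [], 2
    while f * f <= n:
        if n % f == 0:
            out.append(f)
            while n % f == 0:
                n //= f
        f += 1
    if n > 1:
        out.append(n)
    return out


def primitive_root(p):
    """Smallest generator zeta of Z_p^*, used to index exponents mod p."""
    for z in range(2, p):
        if all(pow(z, (p - 1) // f, p) != 1 for f in prime_factors(p - 1)):
            return z
    raise ValueError("no primitive root found")


def bsgs(g, h, q=Q, p=P):
    """Plain baby-step giant-step for g^x = h (mod q), x in [0, p).
    Returns (x, number of group exponentiations) for a cost comparison."""
    m = isqrt(p) + 1
    table = {pow(g, j, q): j for j in range(m)}
    step = pow(g, -m, q)               # g^(-m), Python 3.8+ modular inverse
    cur, ops = h, m
    for i in range(m):
        ops += 1
        if cur in table:
            return (i * m + table[cur]) % p, ops
        cur = (cur * step) % q
    raise ValueError("logarithm not found")


def cheon_dlog(g, g_s, g_sd, d, q=Q, p=P):
    """Recover s from g, g^s and g^(s^d), where d divides p - 1.
    Returns (s, number of group exponentiations)."""
    assert (p - 1) % d == 0, "Cheon's first algorithm needs d | p - 1"
    zeta = primitive_root(p)
    n = (p - 1) // d
    ops = 0

    # Step 1: s^d lies in the order-n subgroup <zeta^d> of Z_p^*, so
    # s^d = zeta^(d*k0) with k0 in [0, n).  BSGS in the exponent:
    # g^(s^d * zeta^(-d*m*u)) == g^(zeta^(d*v))  iff  k0 = u*m + v.
    m = isqrt(n) + 1
    zd = pow(zeta, d, p)
    baby = {}
    for v in range(m):
        baby[pow(g, pow(zd, v, p), q)] = v
        ops += 1
    giant = pow(zd, -m, p)             # zeta^(-d*m) mod p
    cur, k0 = g_sd, None
    for u in range(m):
        ops += 1
        if cur in baby:
            k0 = u * m + baby[cur]
            break
        cur = pow(cur, giant, q)
    if k0 is None:
        raise ValueError("step 1 failed (s == 0 mod p?)")

    # Step 2: (s * zeta^-k0)^d == 1, so s = zeta^(k0 + n*k1) with k1 in
    # [0, d), because zeta^n has order d.  Same trick on g^s, sqrt(d) work.
    m2 = isqrt(d) + 1
    zn = pow(zeta, n, p)
    baby2 = {}
    for v in range(m2):
        baby2[pow(g, pow(zn, v, p), q)] = v
        ops += 1
    giant2 = pow(zn, -m2, p)
    cur = pow(g_s, pow(zeta, -k0, p), q)   # strip the known zeta^k0 factor
    ops += 1
    k1 = None
    for u in range(m2):
        ops += 1
        if cur in baby2:
            k1 = u * m2 + baby2[cur]
            break
        cur = pow(cur, giant2, q)
    if k1 is None:
        raise ValueError("step 2 failed")
    s = pow(zeta, k0 + n * k1, p)
    assert pow(g, s, q) == g_s
    return s, ops


def demo(s=617, d=29):
    """Build the auxiliary input an attacker would need, run both attacks.
    Returns (s from Cheon, its cost, s from BSGS, its cost)."""
    g_s = pow(G, s, Q)
    g_sd = pow(G, pow(s, d, P), Q)     # g^(s^d): the s^d*P-style helper value
    s_cheon, ops_cheon = cheon_dlog(G, g_s, g_sd, d)
    s_bsgs, ops_bsgs = bsgs(G, g_s)
    return s_cheon, ops_cheon, s_bsgs, ops_bsgs


if __name__ == "__main__":
    print(demo())
```

With these toy values step 1 searches a space of size (p-1)/d = 38 and step 2 a space of size d = 29, so the attack finishes in under 30 exponentiations while plain BSGS needs more than 34. The asymmetry is the whole point of the thread: the speed-up exists only if g^(s^d) is available for a d that divides p-1 (or p+1 for the second variant), which is why the reply's argument is about whether that extra value is ever handed to an attacker and about how large p^(1/3) is for the actual parameters.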