[Cfrg] (paper of potential interest) Re: One question about MODP: the structure of DLP prime in a finite field

Rene Struik <rstruik.ext@gmail.com> Tue, 19 November 2019 15:37 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE4A8120847 for <cfrg@ietfa.amsl.com>; Tue, 19 Nov 2019 07:37:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rDc0ufNFyp3p for <cfrg@ietfa.amsl.com>; Tue, 19 Nov 2019 07:37:02 -0800 (PST)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 050C2120108 for <cfrg@irtf.org>; Tue, 19 Nov 2019 07:37:02 -0800 (PST)
Received: by mail-qt1-x830.google.com with SMTP id o49so25066300qta.7 for <cfrg@irtf.org>; Tue, 19 Nov 2019 07:37:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding:content-language; bh=77AOkCz1QJyaQk5h377Lkk+/3tCzaBKcCk79/3m0Td8=; b=Vvta4whMN0fcJBj21omfjkjxzZSvKPiTnVvnbaNArU+mBfsHByN4cy090q6nGWlEmr 3jPRklJoSLU+mKpnZFaLmjfKwq/vU/maotwCJxN7ukOF5+IRvI7UyGbQBp/YLXMN6Ngd hTTy1tsR9q/I17tuohcMPzJa9Y1YokEH69Vhszpvvt/25OjmBuNNDzRIE/JkTc3thI9B N5qqUdRX+KA2VIYW5WLPcXfxCVC9FcrxAROyvdS5VpS5+qQyNgqr4/z0B9xa1ddZ9DMx TWWuy6E3RMDsXbmho5B76GH+E6nvEhlcWm8+ufql12845BfFbvDf7dy+kFcbUHn8sGIS gsng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=77AOkCz1QJyaQk5h377Lkk+/3tCzaBKcCk79/3m0Td8=; b=Dwpjcpv+bVttvpNeFnesagbGAVqjA4+FIgfRyvjP7kd/4Ejgrx7R5pM5dR1zPTrOzT 0ln6UkuaU2PrfjZ+sq3XkQBFg5AsdYAFXje3wVVwoZp8ZwhQd5rQTumBabOlNjC9XGkg wZ34DdBCEqKJB4E1PzLdQF1CriFmMk4/pUgM+fhbpI220Mfrjmj6bQJTDLI3qU7HJFD6 hu7AXMuEWkvkt1GhJmGTCZkDFKQfePEUz4qW3sDZoNzm3TwhXyJTDO3AIuKx7oJwqaIT usT5XWS/ur3J6WXkqUve63WVeePqS/VYoMx7Bdqa/hHtJPlNP7jpBPyKH5OT6t367kz4 W50A==
X-Gm-Message-State: APjAAAVB9licNnCr+VOzVtFzt6hyZv+Rg32ZKvJ61jdQSmb1ooDlL3+C rThxysAu6huGIJKXtXjU66bpdFWT
X-Google-Smtp-Source: APXvYqzIx2COtAqoiDOP1PgYmmQDw3Qe6Dt+wG+nPSBtXudIZFAPRJlabDXVu1Pr4c+w73qdGw0Xmw==
X-Received: by 2002:ac8:2f4e:: with SMTP id k14mr33840783qta.357.1574177820901; Tue, 19 Nov 2019 07:37:00 -0800 (PST)
Received: from ?IPv6:2607:fea8:69f:fa3a:fc5f:12b:d173:619a? ([2607:fea8:69f:fa3a:fc5f:12b:d173:619a]) by smtp.gmail.com with ESMTPSA id a70sm10206296qkb.86.2019.11.19.07.36.59 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 19 Nov 2019 07:37:00 -0800 (PST)
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>, Wang Guilin <Wang.Guilin@huawei.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <90660A69-4146-4451-A6F2-42DEBC9956B0@live.warwick.ac.uk>
From: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <c715e1ec-e03f-4d1e-6aee-3cc22b87548c@gmail.com>
Date: Tue, 19 Nov 2019 10:36:57 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <90660A69-4146-4451-A6F2-42DEBC9956B0@live.warwick.ac.uk>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/NwIheqS7-deGP7LbOphGyEGvqdw>
Subject: [Cfrg] (paper of potential interest) Re: One question about MODP: the structure of DLP prime in a finite field
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2019 15:37:04 -0000

Dear colleagues:

The paper [a] may be of interest.

[a] Short Exponents Diffie-Hellman Problems (Kaoru Kurosawa, Takeshi 
Koshiba, PKC 2004)

Best regards, Rene

On 11/19/2019 9:07 AM, Hao, Feng wrote:
> Dear Guilin,
>   
>   > About security, I also feel it looks secure if we only select short exponents, say 256 bit strings for x and y in SPEKE, even though q is 2047 bits. However, to my best knowledge, it seems that this has not been confirmed by any academic research [I may be wrong on this]. Security is subtle and tricky...
>      
> The use of a short exponent for a safe-prime modulus was first suggested in Jablon's original SPEKE paper [1], but later in a follow-up paper [2] he gave a more cautionary note that this might not be safe. Indeed, the use of a short exponent in this manner implies that given a full-length secret key in Z_q on the exponent, nearly 90% secret bits are exposed by definition (and fixed at 0), and the security relies on the rest small percentage of bits being incomputable. The security of this practice hasn't been confirmed by any other study as far I am aware. So it remains a heuristic suggestion. Quit likely, the CDH and DDH assumptions will not hold if that matters.
>
> [1] D. Jablon, “Strong password-only authenticated key exchange,” ACM Computer Communications Review, Vol. 26, No. 5, pp. 5–26, October 1996.
> [2] D. Jablon, “Password authentication using multiple servers,” Topics in Cryptology – CT-RSA, pp. 344–360, LNCS 2020, April 2001.
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363