Re: [Cfrg] [MASSMAIL] Question about A=6 Montgomery over 2^89-1

"Grigory Marshalko" <marshalko_gb@tc26.ru> Fri, 11 December 2015 20:20 UTC

Date: Fri, 11 Dec 2015 20:20:01 +0000
Message-ID: <f62deb1f355c38b6254b2e8364bd4480@mail.tc26.ru>
From: Grigory Marshalko <marshalko_gb@tc26.ru>
To: Dan Brown <dbrown@certicom.com>, cfrg@ietf.org
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5E97737@XMB116CNC.rim.net>
References: <810C31990B57ED40B2062BA10D43FBF5E97737@XMB116CNC.rim.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/cKf-KSkcSYIbFW0nYOsw7xpGOK4>
Subject: Re: [Cfrg] [MASSMAIL] Question about A=6 Montgomery over 2^89-1
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

Hi,

Maybe this is the case:
from the wiki:
If an elliptic curve over the rationals has complex multiplication then the set of primes for which
it is supersingular has density 1/2. If it does not have complex multiplication then Serre showed
that the set of primes for which it is supersingular has density zero. Elkies (1987) showed that
any elliptic curve defined over the rationals is supersingular for an infinite number of primes.

and this may also be useful: http://pages.cs.wisc.edu/~cdx/ComplexMult.pdf


Regards,
Grigory Marshalko,
expert,
Technical committee for standardisation "Cryptography and security mechanisms" (TC 26)
www.tc26.ru
On 11 December 2015, 00:22, "Dan Brown" <dbrown@certicom.com> wrote:
> Hi,
> 
> I stumbled upon something surprising (to me), using Sage (while searching
> for something else).
> 
> The Montgomery curve y^2 = x^3 + 6x^2 + x over the field of size 2^89-1, has
> order 2^89, so it is maximally vulnerable to Pohlig-Hellman. (Other
> details: it has order p+1, so is also vulnerable to MOV. I haven't checked
> yet, but I'd _bet_ it's supersingular. It has j-invariant 66^3.) 
> 
> As is well-known, the supersingular curve y^2 = x^3 + x also has order 2^89
> (it has j-invariant 1728=12^3). But I recall a result of Koblitz saying
> that curves over F_p with order p+1 are very rare (among isomorphism
> classes). Naively, I would think that finding two such curves so close
> together (A=0 and A= 6) has negligible chance, unless these weak curves are
> distributed towards small |A|.
> 
> Nonetheless, I still hope that this does _not_ indicate some general _weak_
> correlation between Montgomery curves with a small coefficient and known
> attacks.
> 
> To that end, I'd be curious if somebody here could explain the theory behind
> this example curve. For example, it would be re-assuring to explain this as
> a mere one-time coincidence, rather than a higher chance of a known attack
> (e.g. MOV or PH) on smaller-coefficient curves. (Purely speculating: maybe
> there's a good theory of supersingular j-invariants for each prime p, then a
> way to deduce A from j, such that p=2^89-1 and j=66^3 formed a superstorm to
> arrive at a small A=6.)
> 
> Absent such an explanation, the worry is that if known attacks more
> generally exhibit this kind of correlation with coefficient size, then how
> wise is it to suggest small-coefficient curve as a remedy against secret
> attacks? 
> 
> I am aware that there are other worries of a different nature
> ("manipulation") involved with methods that generate larger coefficients,
> but maybe there's a good way to balance both concerns.
> 
> Best regards,
> 
> Daniel Brown
> 
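Added worked example (editor's code, not from either message in the thread). It checks the two facts Dan Brown reports and then runs the attack that the curve order makes possible. The j-invariant of a Montgomery curve B*y^2 = x^3 + A*x^2 + x is j = 256*(A^2 - 3)^3 / (A^2 - 4); for A = 6 that is exactly 287496 = 66^3 and for A = 0 it is 1728, both over Q, so the two j-invariants Dan names are integers independent of p. 66^3 is the j-invariant of the curve with complex multiplication by Z[2i] (discriminant -16) and 1728 that of CM by Z[i], so the Wikipedia statement quoted above applies directly: a curve with CM by an order of Q(i) is supersingular at exactly the primes that do not split in Q(i), i.e. p = 3 (mod 4), which every Mersenne prime 2^n - 1 with n >= 2 satisfies, and a supersingular curve over F_p has trace 0, hence #E(F_p) = p + 1 = 2^89. The script below verifies [2^89]P = O on a random point of y^2 = x^3 + 6x^2 + x over F_(2^89-1) and then recovers a discrete logarithm with Pohlig-Hellman in about 89^2 group operations, where a generic attack would need about 2^44. The point arithmetic is textbook affine Montgomery-form addition written for clarity, not constant time; the seed and the secret scalar are constructed inputs; Python 3.8+ is assumed for pow(x, -1, p).

```python
"""Added example (editor's code, not from the thread).

Curve: y^2 = x^3 + A*x^2 + x (Montgomery form, B = 1) over F_p with
A = 6 and p = 2^89 - 1, both taken from Dan Brown's message.
"""
import random
from fractions import Fraction

P_MOD = 2**89 - 1      # Mersenne prime; p % 4 == 3, so sqrt is one pow()
A = 6
O = None               # the point at infinity


def montgomery_j(a):
    """j-invariant of B*y^2 = x^3 + a*x^2 + x, computed exactly over Q."""
    return Fraction(256 * (a * a - 3) ** 3, a * a - 4)


def on_curve(P, a=A, p=P_MOD):
    if P is O:
        return True
    x, y = P
    return (y * y - (x * x * x + a * x * x + x)) % p == 0


def add(P, Q, a=A, p=P_MOD):
    """Affine addition/doubling on y^2 = x^3 + a*x^2 + x (not constant-time)."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return O                          # Q == -P, including 2-torsion
        lam = (3 * x1 * x1 + 2 * a * x1 + 1) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - a - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def neg(P, p=P_MOD):
    return O if P is O else (P[0], (-P[1]) % p)


def mul(k, P, a=A, p=P_MOD):
    """Right-to-left double-and-add for any non-negative integer k."""
    R = O
    while k:
        if k & 1:
            R = add(R, P, a, p)
        P = add(P, P, a, p)
        k >>= 1
    return R


def random_point(rng, a=A, p=P_MOD):
    """Random x until the right-hand side is a square; sqrt = rhs^((p+1)/4)."""
    while True:
        x = rng.randrange(1, p)
        rhs = (x * x * x + a * x * x + x) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:
            return (x, y)


def two_adic_order(P, a=A, p=P_MOD, limit=89):
    """Smallest m with [2^m]P = O.  With #E(F_p) = 2^89 this returns m <= 89;
    a point surviving 89 doublings would refute the claimed order."""
    m = 0
    while P is not O:
        if m == limit:
            raise ValueError("[2^%d]P != O: curve order is not 2^%d" % (limit, limit))
        P = add(P, P, a, p)
        m += 1
    return m


def pohlig_hellman_2power(P, Q, m, a=A, p=P_MOD):
    """Given ord(P) = 2^m and Q in <P>, return k in [0, 2^m) with Q = [k]P.

    Bit i of k: R = Q - [k mod 2^i]P = [2^i * (k >> i)]P, so
    [2^(m-1-i)]R = [k_i * 2^(m-1)]P, which equals T (order 2) iff k_i = 1."""
    T = mul(2 ** (m - 1), P, a, p)            # the point of order 2 in <P>
    k = 0
    for i in range(m):
        R = add(Q, neg(mul(k, P, a, p), p), a, p)
        S = mul(2 ** (m - 1 - i), R, a, p)
        if S == T:
            k |= 1 << i
        elif S is not O:
            raise ValueError("Q is not in the subgroup generated by P")
    return k


def demo(seed=1):
    """Random point, random secret scalar (constructed inputs), then recover it."""
    rng = random.Random(seed)
    P = random_point(rng)
    m = two_adic_order(P)                     # also shows [2^89]P = O
    k = rng.randrange(1, 2 ** m)
    Q = mul(k, P)
    return {"P": P, "m": m, "k": k, "k_rec": pohlig_hellman_2power(P, Q, m)}


if __name__ == "__main__":
    print("j(A=6) == 66^3:", montgomery_j(6) == 66**3)
    r = demo()
    print("ord(P) = 2^%d, scalar recovered: %s" % (r["m"], r["k"] == r["k_rec"]))
```

The 2-adic order reported for a random point is at most 88, never 89: x^2 + 6x + 1 splits over F_p because 2 is a square there (2^45 squared is 2^90 = 2(p + 1) = 2 mod p), so all three points of order two are rational, E(F_p) contains Z/2 x Z/2, and a group of order 2^89 with that subgroup has exponent at most 2^88. The logarithm is therefore recovered modulo ord(P), which is all a generic-group attacker ever gets; the `two_adic_order` call doubles as the check that the order really divides 2^89, and would raise if it did not.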