Re: [Cfrg] Static-DH oracles, strong-DH security

Taylor R Campbell <> Fri, 22 November 2019 00:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 86BF3120828 for <>; Thu, 21 Nov 2019 16:02:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rkqewLf7HrAh for <>; Thu, 21 Nov 2019 16:01:59 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id ABCB6120219 for <>; Thu, 21 Nov 2019 16:01:59 -0800 (PST)
Received: by (Postfix, from userid 1014) id 10DF360A41; Fri, 22 Nov 2019 00:01:55 +0000 (UTC)
From: Taylor R Campbell <>
To: Alex Davidson <>
CC:, Dan Brown <>
In-reply-to: <> (
Date: Fri, 22 Nov 2019 00:01:54 +0000
Sender: Taylor R Campbell <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <>
Archived-At: <>
Subject: Re: [Cfrg] Static-DH oracles, strong-DH security
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Nov 2019 00:02:03 -0000

> Date: Thu, 21 Nov 2019 11:38:00 +0000
> From: Alex Davidson <>
> > Even a global network like Cloudflare can't answer more than 2^64
> > sequential queries: at one nanosecond per query that would be nearly
> > five hundred years. So we really only need to worry about divisors d
> > of p +/- 1 where p is the order of the group in which the oracle
> > operates and where d is below 2^64.
> So, my only comment on your analysis is that I think restricting the
> number of queries to 2^64 is something that I would personally like to
> avoid.

To be clear: I don't mean to suppose limiting adversaries to 2^64
queries overall; rather, I mean to suppose limiting them to 2^64
queries made _one after the other_ -- not in parallel.

What matters is the _latency_ of a query, not the _bandwidth_ of the
global Cloudflare network.  And I think it is quite reasonable to
suppose limiting the latency of a query to at least a nanosecond:

- Even if scalar multiplication were instantaneous, Cloudflare would
  have to be physically located less than 15cm away from me in order
  for the information to propagate within one nanosecond -- unless I
  figure out something about physics that would earn me a lot more
  than a few captcha-skipping tokens are worth!

- Even if all the networking latency and parsing overhead were
  dispensed with (perhaps the oracle is on a shared VPS host), it's
  hard to imagine that computing a scalar multiplication could take
  less than a nanosecond to begin with.