Re: [Cfrg] GapDH groups: a long-term research question
Michael Hamburg <mike@shiftleft.org> Mon, 05 May 2014 19:52 UTC
Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 115F41A0489 for <cfrg@ietfa.amsl.com>; Mon, 5 May 2014 12:52:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.557
X-Spam-Level: *
X-Spam-Status: No, score=1.557 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.982, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kHyE7izLkI6W for <cfrg@ietfa.amsl.com>; Mon, 5 May 2014 12:52:25 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) by ietfa.amsl.com (Postfix) with ESMTP id 8E4861A0452 for <cfrg@irtf.org>; Mon, 5 May 2014 12:52:25 -0700 (PDT)
Received: from [10.184.148.249] (w035.z205158021.lax-ca.dsl.cnc.net [205.158.21.35]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id DCC783AA3F; Mon, 5 May 2014 12:50:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1399319412; bh=3zeE23xMzZXlI4wGqoVBiiuuhnOWewMESa+8xq8duSw=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=cD3tH9drPoXJ2BQkSz/CQ38Lc6JP5iU70u3nhZfD35DvmAZrNnAFP2sUy2P52Hmj3 PfdFSTLB5ShuboM8bJEmILwVQXmmm7/r1OLNkA1SRmEcoDZSwqB8rPMg+iyNm/+1f+ MlrZTKDbv/f2BvJv5gkpUBlsCZ0sVSODeKBkxWps=
Content-Type: multipart/alternative; boundary="Apple-Mail=_67CDB899-2378-42B2-AC80-298E1E13E76C"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5C7C169@XMB116CNC.rim.net>
Date: Mon, 05 May 2014 12:52:21 -0700
Message-Id: <72DFBA59-ACEC-4697-B8B4-6739578021C5@shiftleft.org>
References: <810C31990B57ED40B2062BA10D43FBF5C7C169@XMB116CNC.rim.net>
To: Dan Brown <dbrown@certicom.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/h_FhLejSYXwrzDuiwVwhYhHOK0g
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] GapDH groups: a long-term research question
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 19:52:27 -0000
Hi Dan, This is an interesting proposal! But I can see three major issues, none of which is insurmountable: First, is there there reason to believe that GapDH is actually harder in a gap group? Sure, you can actually run a proposed GapDH solver, but that seems like a downside as much as an upside, since it breaks CDH. I suppose there is an argument from Bernstein’s “special curves might be better” line, but that would need more evidence. Second, if the pairing is available to the attacker, then why not make it available to the user, i.e. why not make it practical? Third, is there a way to avoid a large cofactor? — Mike On May 5, 2014, at 12:38 PM, Dan Brown <dbrown@certicom.com> wrote: > Dear CFRG List, > > What about EC groups with a pairing to an extension field with a degree high enough such that the DLP is infeasible in the extension field, but low enough such that pairing is feasible (but not practical)? > > An upside is that proofs assuming hard GapDH problem become less theoretical, since a DDH oracle becomes available. E.g. if a 2^128 adversary can be converted to a 2^129 DH solver by invoking the a 2^64 cost pairing 2^64 times, then we have a fairly concrete construction. > > A downside is that it weakens the DDH, but then we always use a one-way PRF/KDF, so DDH attacks cannot be extended to PRF. (This is the same as one argument to ignore Cheon attacks against schemes with static DH keys and hashed shared secrets.) > > A second downside is the risk of using such a curve, because it is special. Random curves would not be expected to have this property. > > A third downside is that this may not be a well-studied idea, except by those who often think about the GapDH, and TLS seems to want something soon (to solve a different problem …). > > I raised this now, because of the argument that CFRG should commit to recommending a single curve (per security level), that this recommendation should be long-lasting, and that the same recommendation should be used across multiple IETF applications. To me, this suggests that CFRG should recommend a curve as secure as possible. > > Best regards, > > Daniel Brown > Research In Motion Limited > <image001.jpg> > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] GapDH groups: a long-term research question Dan Brown
- Re: [Cfrg] GapDH groups: a long-term research que… Michael Hamburg
- Re: [Cfrg] GapDH groups: a long-term research que… Watson Ladd
- Re: [Cfrg] GapDH groups: a long-term research que… Dan Brown