Re: [Cfrg] Twist security question

Robert Ransom <rransom.8774@gmail.com> Mon, 21 July 2014 17:51 UTC

From: Robert Ransom <rransom.8774@gmail.com>
To: Michael Hamburg <mike@shiftleft.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/jzk0udnklaFdh5orw5g2Un_h9Sw
Cc: Dan Brown <dbrown@certicom.com>, "cfrg@irtf.org" <cfrg@irtf.org>

On 7/21/14, Michael Hamburg <mike@shiftleft.org> wrote:
> Yeah, I’ve wondered about that too.  If you give the attacker the point on
> the twist, it probably gives away information in E(F^2) as well which she
> wouldn't obtain otherwise.  But in Curve25519 you hash the point, and in the
> random oracle the attack is going to be really weak.
>
> The attacker supplies a point P on the twist, and gets (information derived
> from) the hash of some other point Q on the twist.  She can’t force Q into a
> subgroup other than {identity} or the whole q-torsion.  She can’t guess Q if
> it’s in the q-torsion.  So it seems she can’t learn anything from that hash.
> Likewise, she can’t predict anything about the hash (except whether it’s
> H(identity)), so she can’t attack the rest of the protocol with it.

This does leak whether the honest party is using a Montgomery-ladder
implementation or an implementation which decompresses to Edwards form
on only one of the curves, which is relevant to anonymity systems.

> In the ROM there's not even an attack through discrete log or CDH on the
> twist, because no honest party ever outputs a point on the twist.

Is there any useful attack against systems which use Möller's
curve-or-twist trick for generating ciphertexts indistinguishable from
uniform?

Is there any useful attack against the obvious variant of Möller's
technique where a single scalar is used on both the curve and the
twist?  (I didn't realize that Möller had specified to use independent
scalars until the Elligator paper pointed it out.)

If those systems are not vulnerable to any useful attack (and they
certainly should be secure), then Curve25519 is clearly safe too.


Robert Ransom
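The distinction Ransom raises, as an added illustration that is not code from the thread: an x-only Montgomery ladder for Curve25519 (the RFC 7748 formulas) computes a well-defined result for any u, including u on the quadratic twist, whereas an implementation that first decompresses to a full point has no square root to take for a twist u and must reject it. The `dh_decompressing` and `smallest_twist_u` helpers are assumed names constructed here to show that difference; nothing below is constant-time.

```python
P = 2**255 - 19          # field prime of Curve25519
A = 486662               # Montgomery coefficient: y^2 = x^3 + A*x^2 + x
A24 = (A + 2) // 4       # 121666, the constant used inside the ladder

def ladder(k, u):
    """u-coordinate of k*P for any P with u-coordinate u (RFC 7748 ladder).
    The formulas never use y or B, so they work unchanged on the twist."""
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                      # conditional swap (not constant-time here)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P

def clamp(k):
    """X25519 scalar clamping: clear bits 0-2 and 255, set bit 254."""
    return (k & ((1 << 254) - 8)) | (1 << 254)

def on_curve(u):
    """True iff u^3 + A*u^2 + u is a square (or zero) in F_p, i.e. some y
    exists and u is on Curve25519; otherwise u is on the quadratic twist."""
    rhs = (u**3 + A * u * u + u) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1

def dh_decompressing(k, u):
    """Model (assumed name) of an implementation that decompresses to a full
    point first: there is no square root for a twist u, so it returns None."""
    return ladder(k, u) if on_curve(u) else None

def smallest_twist_u():
    """Smallest u >= 2 lying on the twist (a constructed probe input)."""
    u = 2
    while on_curve(u):
        u += 1
    return u
```

Feeding the same twist u to both functions shows the observable difference: `ladder` returns a shared value that is even consistent between two parties (the ladder is a correct scalar multiplication in the twist group too), while `dh_decompressing` returns `None`.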