Re: [Cfrg] One question about MODP: the structure of DLP prime in a finite field

"Hao, Feng" <Feng.Hao@warwick.ac.uk> Tue, 19 November 2019 14:07 UTC

To: Wang Guilin <Wang.Guilin@huawei.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <90660A69-4146-4451-A6F2-42DEBC9956B0@live.warwick.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/mBpvtJeEKo-XZXx8CgQlRegPvdk>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Dear Guilin,
 
> About security, I also feel it looks secure if we only select short exponents, say 256-bit strings for x and y in SPEKE, even though q is 2047 bits. However, to the best of my knowledge, it seems that this has not been confirmed by any academic research [I may be wrong on this]. Security is subtle and tricky...

The use of a short exponent for a safe-prime modulus was first suggested in Jablon's original SPEKE paper [1], but later in a follow-up paper [2] he gave a more cautionary note that this might not be safe. Indeed, the use of a short exponent in this manner implies that, given a full-length secret key in Z_q on the exponent, nearly 90% of the secret bits are exposed by definition (and fixed at 0), and the security relies on the remaining small percentage of bits being incomputable. The security of this practice hasn't been confirmed by any other study as far as I am aware. So it remains a heuristic suggestion. Quite likely, the CDH and DDH assumptions will not hold, if that matters.

[1] D. Jablon, “Strong password-only authenticated key exchange,” ACM Computer Communications Review, Vol. 26, No. 5, pp. 5–26, October 1996.
[2] D. Jablon, “Password authentication using multiple servers,” Topics in Cryptology – CT-RSA, pp. 344–360, LNCS 2020, April 2001.
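The following is an added example, not part of the message above or of Jablon's papers. It makes the "exposed bits" argument concrete: a SPEKE-style generator in the order-q subgroup of a safe prime, a short exponent whose high bits are all 0, and the generic attack that the short exponent buys an adversary, namely a baby-step giant-step search over the exponent interval, whose cost is about the square root of the interval rather than of q. It says nothing about whether CDH or DDH hold under short exponents, which is the open point the message raises. Everything is constructed: p = 10007 is a toy safe prime standing in for a 2048-bit MODP prime, SHA-256 stands in for the password hash, and the password is made up.

```python
"""Added example (not from the message above): short exponents in a safe-prime
group and the interval discrete-log search they expose. Toy parameters only."""
import hashlib
import math
import random
from typing import Dict, Optional

P = 10007            # constructed toy safe prime; a real MODP group is 2048 bits
Q = (P - 1) // 2     # 5003, prime order of the quadratic-residue subgroup

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact for n < 3.3e24, plenty for this toy."""
    if n < 2:
        return False
    for a in _MR_BASES:
        if n % a == 0:
            return n == a
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p = 2q + 1 with both p and q prime: the MODP / SPEKE group shape."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def speke_generator(password: bytes, p: int) -> int:
    """SPEKE-style g = H(pw)^2 mod p. Squaring puts g in the order-q subgroup,
    so the wire value leaks nothing about the quadratic character of H(pw)."""
    h = int.from_bytes(hashlib.sha256(password).digest(), "big") % p
    g = pow(h, 2, p)
    if g in (0, 1):
        raise ValueError("degenerate generator for this password")
    return g


def in_order_q_subgroup(g: int, p: int) -> bool:
    """Check a receiver should run on every incoming element."""
    return 1 < g < p and pow(g, (p - 1) // 2, p) == 1


def short_exponent(bits: int, q: int) -> int:
    """Exponent with only `bits` significant bits; all higher bits are 0."""
    if not 0 < bits < q.bit_length():
        raise ValueError("exponent must be shorter than q")
    return random.getrandbits(bits) | 1


def fraction_of_exponent_fixed(q_bits: int, x_bits: int) -> float:
    """Share of a full-length exponent in Z_q that a short exponent pins to 0."""
    return (q_bits - x_bits) / q_bits


def generic_attack_cost_bits(q_bits: int, x_bits: int) -> int:
    """log2 of group operations for a generic (BSGS / Pollard lambda) attack:
    the square root of the search space, which is the interval, not the group."""
    return min(q_bits, x_bits) // 2


def bsgs_interval(g: int, y: int, p: int, bound: int) -> Optional[int]:
    """Baby-step giant-step for x in [0, bound) with g^x = y mod p,
    about 2*sqrt(bound) multiplications regardless of the group order."""
    m = math.isqrt(bound) + 1
    baby = {}
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)                  # g^-m (Python >= 3.8)
    gamma = y % p
    for i in range(m + 1):
        j = baby.get(gamma)
        if j is not None:
            x = i * m + j
            if x < bound and pow(g, x, p) == y % p:
                return x
        gamma = gamma * step % p
    return None


def demo(exponent_bits: int = 12, seed: int = 1) -> Dict[str, int]:
    """One SPEKE-like half-exchange with a short exponent, then the attacker's
    interval search. Instant at toy size; the scaling is the point."""
    random.seed(seed)
    if not is_safe_prime(P):
        raise ValueError("P must be a safe prime")
    g = speke_generator(b"correct horse battery staple", P)   # constructed password
    x = short_exponent(exponent_bits, Q)
    y = pow(g, x, P)                                          # value on the wire
    if not in_order_q_subgroup(y, P):
        raise ValueError("element outside the order-q subgroup")
    recovered = bsgs_interval(g, y, P, 1 << exponent_bits)
    return {"g": g, "x": x, "y": y, "recovered": recovered,
            "fixed_bits": Q.bit_length() - exponent_bits}


if __name__ == "__main__":
    print(demo())
    print(fraction_of_exponent_fixed(2047, 256), generic_attack_cost_bits(2047, 256))
```

With the message's real-size numbers, fraction_of_exponent_fixed(2047, 256) is about 0.875 (the "nearly 90%") and generic_attack_cost_bits(2047, 256) is 128, which is the heuristic target the short-exponent choice is sized for; the search in demo() is the same algorithm an attacker would run at that size, with 2^128 steps instead of 2^6.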