[Cfrg] GapDH groups: a long-term research question

Dan Brown <dbrown@certicom.com> Mon, 05 May 2014 19:38 UTC

Message-ID: <810C31990B57ED40B2062BA10D43FBF5C7C169@XMB116CNC.rim.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/n5UvOw-5RFXV6doB3rergVvu8zo

Dear CFRG List,

What about EC groups with a pairing to an extension field with a degree high
enough such that the DLP is infeasible in the extension field, but low
enough such that pairing is feasible (but not practical)?

An upside is that proofs assuming a hard GapDH problem become less
theoretical, since a DDH oracle becomes available.  E.g. if a 2^128
adversary can be converted to a 2^129 DH solver by invoking a 2^64-cost
pairing 2^64 times, then we have a fairly concrete construction.

A downside is that it weakens the DDH, but then we always use a one-way
PRF/KDF, so DDH attacks cannot be extended to PRF.  (This is the same as one
argument to ignore Cheon attacks against schemes with static DH keys and
hashed shared secrets.)

A second downside is the risk of using such a curve, because it is special.
Random curves would not be expected to have this property.

A third downside is that this may not be a well-studied idea, except by
those who often think about the GapDH, and TLS seems to want something soon
(to solve a different problem).

I raised this now, because of the argument that CFRG should commit to
recommending a single curve (per security level), that this recommendation
should be long-lasting, and that the same recommendation should be used
across multiple IETF applications.  To me, this suggests that CFRG should
recommend a curve as secure as possible.

Best regards,

Daniel Brown
Research In Motion Limited
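Added example, not part of Dan Brown's post: the "pairing to an extension field" he describes maps a curve group of order n into F_{p^k}, where k (the embedding degree) is the smallest k with n | p^k - 1. The script below counts points on two constructed toy curves and computes k for each, showing how a special (supersingular) curve lands in a tiny extension field while an ordinary curve's k is as large as the group order allows; the curves and parameters are toy values chosen for illustration only.

```python
# Added example (not from the original post). Toy curves over small primes,
# constructed to illustrate the embedding degree that governs the extension
# field a pairing maps into. Real parameters would be hundreds of bits.
from math import gcd, log2
from typing import Optional


def curve_order(p: int, a: int, b: int) -> int:
    """Count points on y^2 = x^3 + a*x + b over F_p by brute force (plus infinity)."""
    square_roots = {}
    for y in range(p):
        square_roots.setdefault(y * y % p, []).append(y)
    count = 1  # point at infinity
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        count += len(square_roots.get(rhs, []))
    return count


def embedding_degree(p: int, n: int, max_k: int = 10_000) -> Optional[int]:
    """Smallest k >= 1 with n | p^k - 1, i.e. the order of p in (Z/nZ)^*.

    Small k: pairing into F_{p^k} is computable (DDH oracle available);
    the DLP in F_{p^k} must then be infeasible on its own.
    """
    if gcd(p, n) != 1:
        return None
    acc = 1
    for k in range(1, max_k + 1):
        acc = acc * p % n
        if acc == 1:
            return k
    return None


def summarize(p: int, a: int, b: int) -> dict:
    """Group size vs. size of the pairing's target field F_{p^k}, in bits."""
    n = curve_order(p, a, b)
    k = embedding_degree(p, n)
    return {"order": n, "k": k, "group_bits": log2(n),
            "field_bits": k * log2(p) if k else None}


if __name__ == "__main__":
    # y^2 = x^3 + 1 over F_11 (11 = 2 mod 3) is supersingular: order p+1, k = 2.
    print("special curve :", summarize(11, 0, 1))
    # y^2 = x^3 + 2x + 2 over F_17 has prime order 19 and k = 9 (ord of 17 mod 19).
    print("ordinary curve:", summarize(17, 2, 2))
```

The special curve's pairing target F_{11^2} is barely larger than the group itself, which is exactly why such curves are excluded from "random curve" recommendations; the ordinary curve's target F_{17^9} is far larger relative to its group.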