[Cfrg] GapDH groups: a long-term research question
Dan Brown <dbrown@certicom.com> Mon, 05 May 2014 19:38 UTC
From: Dan Brown <dbrown@certicom.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Mon, 05 May 2014 19:38:38 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5C7C169@XMB116CNC.rim.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/n5UvOw-5RFXV6doB3rergVvu8zo
Dear CFRG List,

What about EC groups with a pairing to an extension field with a degree high enough such that the DLP is infeasible in the extension field, but low enough such that pairing is feasible (but not practical)?

An upside is that proofs assuming a hard GapDH problem become less theoretical, since a DDH oracle becomes available. E.g. if a 2^128 adversary can be converted to a 2^129 DH solver by invoking a 2^64 cost pairing 2^64 times, then we have a fairly concrete construction.

A downside is that it weakens the DDH, but then we always use a one-way PRF/KDF, so DDH attacks cannot be extended to the PRF. (This is the same as one argument to ignore Cheon attacks against schemes with static DH keys and hashed shared secrets.)

A second downside is the risk of using such a curve, because it is special. Random curves would not be expected to have this property.

A third downside is that this may not be a well-studied idea, except by those who often think about the GapDH, and TLS seems to want something soon (to solve a different problem).

I raised this now because of the argument that CFRG should commit to recommending a single curve (per security level), that this recommendation should be long-lasting, and that the same recommendation should be used across multiple IETF applications. To me, this suggests that CFRG should recommend a curve as secure as possible.

Best regards,

Daniel Brown
Research In Motion Limited
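Written out as an added worked note (not part of Dan Brown's message), here is the DDH oracle that a pairing supplies and the cost accounting behind the 2^129 figure above. The notation is mine: G = <P> is the EC subgroup of prime order n, e is a symmetric pairing into G_T inside F_{p^k}^*, q is the number of oracle queries the adversary makes, and T_e is the cost of one pairing-based DDH check.

```latex
% Assumed setting (not from the message): G = \langle P \rangle has prime
% order n, e : G \times G \to G_T \subseteq \mathbb{F}_{p^k}^{*} is bilinear,
% and e(P,P) has order n (non-degeneracy).
\begin{align*}
&\text{DDH instance: } (P,\; aP,\; bP,\; cP),\ \text{decide whether } c \equiv ab \pmod n. \\[0.5ex]
&e(aP,\, bP) = e(P,P)^{ab}, \qquad e(P,\, cP) = e(P,P)^{c} \\
&e(aP,\, bP) = e(P,\, cP) \iff ab \equiv c \pmod n
   \quad\text{(since } e(P,P) \text{ has order } n\text{)} \\
&\text{So one DDH query costs two pairing evaluations: the DDH oracle the GapDH proof assumes.} \\[1ex]
&\text{Why } k \text{ must still be large (the MOV transfer):} \\
&e(P,\, aP) = e(P,P)^{a}
   \;\Longrightarrow\;
   \text{DLP in } G \text{ reduces to DLP in } G_T \subseteq \mathbb{F}_{p^k}^{*}, \\
&\text{so the field DLP must be infeasible while the pairing remains computable.} \\[1ex]
&\text{Reduction cost from the message:}\quad
   T_{\text{solver}} \;\le\; T_{\mathcal{A}} + q \cdot T_e
   \;=\; 2^{128} + 2^{64}\cdot 2^{64} \;=\; 2^{129}.
\end{align*}
```

The last line is the concrete point of the post: with T_e = 2^64 and at most 2^64 queries, a 2^128-cost GapDH adversary becomes a 2^129-cost CDH solver, so the GapDH assumption is no longer a purely idealised one.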