[Cfrg] Malicious pseudoprimes versus 2y^2=x^3+x/GF(8^91+5)
Dan Brown <danibrown@blackberry.com> Fri, 17 August 2018 18:36 UTC
Return-Path: <danibrown@blackberry.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D8DD130FDE for <cfrg@ietfa.amsl.com>; Fri, 17 Aug 2018 11:36:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wHvpyQ-wcbl5 for <cfrg@ietfa.amsl.com>; Fri, 17 Aug 2018 11:36:56 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A64B130F9A for <cfrg@irtf.org>; Fri, 17 Aug 2018 11:36:54 -0700 (PDT)
X-Spoof:
Received: from xct102cnc.rim.net ([10.65.161.202]) by mhs211cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 17 Aug 2018 14:36:52 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT102CNC.rim.net ([fe80::2066:5d4f:8c45:af55%17]) with mapi id 14.03.0408.000; Fri, 17 Aug 2018 14:36:52 -0400
From: Dan Brown <danibrown@blackberry.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: Malicious pseudoprimes versus 2y^2=x^3+x/GF(8^91+5)
Thread-Index: AdQ2VMdWVX1NUjMzSXiTpolIdEeqpg==
Date: Fri, 17 Aug 2018 18:36:52 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF501CBD808@XMB116CNC.rim.net>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0176_01D43637.BC0E1E10"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/XU3YyNOo0GnTe3hduV2CSgINnlw>
Subject: [Cfrg] Malicious pseudoprimes versus 2y^2=x^3+x/GF(8^91+5)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2018 18:37:06 -0000
Hi CFRG, Because the recent report of Albrecht, Massimo, Paterson and Somorovsky (AMPS) raised real-world attacks with malicious pseudoprimes https://ia.cr/2018/749 - and also mentioned that SageMath (via PARI) resists this attack - I thought it appropriate for me to provide a short sage script about the primes in the recently proposed elliptic curve 2y^3=x^3+x/GF(8^91+5): p=8^91+5 E=EllipticCurve(GF(p),[-1,0]) # justifiable since 2y^2=x^3+x isomorphic (over GF(p)) to y^2=x^3-x n=E.cardinality() proof.arithmetic(True) # default, but just in case mod(n,72),is_prime(p),is_prime(n//72) # // needed to get integer division Output (0,True,True) should indicate success, apparently in terms of provable primes (although I'm not sure what SageMath does with the "proof"). This requires trusting the code above and SageMath. However, SageMath is very large, so maybe there is a smaller software that can do a similar job (PARI?). In any case, some kind of software would be needed ... I would say a primality proof here is defense in the depth, since the AMPS attack seems to require extensive searching, since the malicious pseudoprime are rare, etc., and the AMPS attack depends on the vagaries the primality test mechanism (IIUC). So, under a reasonable heuristic assumptions, these malicious pseudoprimes are likely have high Kolmogorov complexity, much higher than 8^91+5, etc. Well, at least, that's my main excuse for not trying to run provable primality tests before now (real reason, I was too lazy to read the manuals on software I already had that could do this for me). I recall that others on the list mentioned finding primality proofs for 8^91+5, but I don't recall if provable primality tests were reported for the curve order's large prime factor. So, I seem to have replicated some of the previous findings. Thanks. For other curves, I presume that previous work has already been done to find primality proofs for most other standard curves, so have not bothered to run any myself ... Best regards, Dan