IETF Logo Mail Archive

[Cfrg] Malicious pseudoprimes versus 2y^2=x^3+x/GF(8^91+5)

Dan Brown <danibrown@blackberry.com> Fri, 17 August 2018 18:36 UTC

Return-Path: <danibrown@blackberry.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D8DD130FDE for <cfrg@ietfa.amsl.com>; Fri, 17 Aug 2018 11:36:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wHvpyQ-wcbl5 for <cfrg@ietfa.amsl.com>; Fri, 17 Aug 2018 11:36:56 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A64B130F9A for <cfrg@irtf.org>; Fri, 17 Aug 2018 11:36:54 -0700 (PDT)
X-Spoof:
Received: from xct102cnc.rim.net ([10.65.161.202]) by mhs211cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 17 Aug 2018 14:36:52 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT102CNC.rim.net ([fe80::2066:5d4f:8c45:af55%17]) with mapi id 14.03.0408.000; Fri, 17 Aug 2018 14:36:52 -0400
From: Dan Brown <danibrown@blackberry.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: Malicious pseudoprimes versus 2y^2=x^3+x/GF(8^91+5)
Thread-Index: AdQ2VMdWVX1NUjMzSXiTpolIdEeqpg==
Date: Fri, 17 Aug 2018 18:36:52 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF501CBD808@XMB116CNC.rim.net>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0176_01D43637.BC0E1E10"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/XU3YyNOo0GnTe3hduV2CSgINnlw>
Subject: [Cfrg] Malicious pseudoprimes versus 2y^2=x^3+x/GF(8^91+5)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2018 18:37:06 -0000

Hi CFRG,

Because the recent report of Albrecht, Massimo, Paterson and Somorovsky (AMPS) 
raised real-world attacks with malicious pseudoprimes https://ia.cr/2018/749 - 
and also mentioned that SageMath (via PARI) resists this attack - I thought it 
appropriate for me to provide a short sage script about the primes in the 
recently proposed elliptic curve 2y^3=x^3+x/GF(8^91+5):

p=8^91+5
E=EllipticCurve(GF(p),[-1,0]) # justifiable since 2y^2=x^3+x isomorphic (over 
GF(p)) to y^2=x^3-x
n=E.cardinality()
proof.arithmetic(True) # default, but just in case
mod(n,72),is_prime(p),is_prime(n//72)  # // needed to get integer division

Output (0,True,True) should indicate success, apparently in terms of provable 
primes (although I'm not sure what SageMath does with the "proof").  This 
requires trusting the code above and SageMath.  However, SageMath is very 
large, so maybe there is a smaller software that can do a similar job (PARI?). 
In any case, some kind of software would be needed ...

I would say a primality proof here is defense in the depth, since the AMPS 
attack seems to require extensive searching, since the malicious pseudoprime 
are rare, etc., and the AMPS attack depends on the vagaries the primality test 
mechanism (IIUC).  So, under a reasonable heuristic assumptions, these 
malicious pseudoprimes are likely have high Kolmogorov complexity, much higher 
than 8^91+5, etc.  Well, at least, that's my main excuse for not trying to run 
provable primality tests before now (real reason, I was too lazy to read the 
manuals on software I already had that could do this for me).

I recall that others on the list mentioned finding primality proofs for 
8^91+5, but I don't recall if provable primality tests were reported for the 
curve order's large prime factor.  So, I seem to have replicated some of the 
previous findings.  Thanks.

For other curves, I presume that previous work has already been done to find 
primality proofs for most other standard curves, so have not bothered to run 
any myself ...

Best regards,

Dan

v2.23.0 | Report a Bug | By Email