[curves] Is there an established name for the hardness assumption capturing twist security of a curve?

Björn Haase bjoern.m.haase at web.de
Fri Jun 12 00:32:28 PDT 2020

Hi to all,

I am currently re-working the security proof for CPace
https://datatracker.ietf.org/doc/draft-haase-cpace/ such that tight
computational bounds for the adversary could be given.

In this context, I am still looking for the name and defininition of the
problem that captures the feature of "twist security", i.e. for the
tight reduction for the case where an active adversary passes a point on
the twist to a honest party.

I did not find an established security notion so far that captures this
property so that I could re-use it in the re-worked proof.
I'd coin it "exponential transfer" and formulate it in the way:
Given two groups (modulo negation) J and J' with co-factors c and c' in
which the discrete logarithm problem is assumed to be hard in the prime
order subgroup and with c' = n * c and d=max(c,c'), the *exponential
transfer problem * is defined as:
Given two points B,X = B^(d * x) in J: Provide two points B' and X' in
J' with X' = B'^(d * x).
I'd like to avoid having to newly define it myself. I would very much
appreciate if anybody could give me a pointer.

More information about the Curves mailing list