[curves] Is there an established name for the hardness assumption capturing twist security of a curve?

Rene Struik rstruik.ext at gmail.com
Fri Jun 12 05:55:00 PDT 2020

Hi Bjorn:

Why not simply check whether the point is on the curve? Within the 
context of DH schemes, this is trivial to do and comes at negligible 
incremental cost (a few field multiplies) even if one implements ECDH 
using Montgomery ladders and is only given the x-coordinate of a point.

Best regards, Rene

On 6/12/2020 3:32 AM, Björn Haase wrote:
> Hi to all,
> I am currently re-working the security proof for CPace
> https://datatracker.ietf.org/doc/draft-haase-cpace/ such that tight
> computational bounds for the adversary could be given.
> In this context, I am still looking for the name and definition of the
> problem that captures the feature of "twist security", i.e. for the
> tight reduction for the case where an active adversary passes a point on
> the twist to an honest party.
> I did not find an established security notion so far that captures this
> property so that I could re-use it in the re-worked proof.
> I'd coin it "exponential transfer" and formulate it in the way:
> Given two groups (modulo negation) J and J' with co-factors c and c' in
> which the discrete logarithm problem is assumed to be hard in the prime
> order subgroup and with c' = n * c and d=max(c,c'), the *exponential
> transfer problem* is defined as:
> Given two points B,X = B^(d * x) in J: Provide two points B' and X' in
> J' with X' = B'^(d * x).
> I'd like to avoid having to newly define it myself. I would very much
> appreciate if anybody could give me a pointer.
> Yours,
> Björn

email: rstruik.ext at gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
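
An added example, not part of the original message or of the CPace draft: one way to decide from an x-coordinate alone whether it belongs to a Montgomery curve or to its quadratic twist. Curve25519 (parameters from RFC 7748) and the use of Euler's criterion are assumptions made for this sketch, and the names `rhs`, `classify_x` and `is_on_curve` are hypothetical.

```python
# Curve25519 (RFC 7748): y^2 = x^3 + A*x^2 + x over GF(P).
# Its quadratic twist is d*y^2 = x^3 + A*x^2 + x for a non-square d,
# so every x lies on the curve, on the twist, or (when y = 0) on both.
P = 2**255 - 19
A = 486662


def rhs(x):
    """Right-hand side x^3 + A*x^2 + x of the curve equation, mod P."""
    x %= P  # non-canonical encodings (x >= P) are reduced first
    return (x * x * x + A * x * x + x) % P


def classify_x(x):
    """Return 'curve', 'twist' or 'both' for a received x-coordinate."""
    v = rhs(x)
    if v == 0:
        # y = 0: a 2-torsion point shared by the curve and the twist
        return "both"
    # Euler's criterion: v^((P-1)/2) is 1 if v is a square, P-1 otherwise.
    # A square v means some y with y^2 = v exists, so x is on the curve.
    return "curve" if pow(v, (P - 1) // 2, P) == 1 else "twist"


def is_on_curve(x):
    """True if some point (x, y) on the curve itself has this x."""
    return classify_x(x) in ("curve", "both")


if __name__ == "__main__":
    # Constructed sample inputs: the RFC 7748 base point x = 9 and a few
    # small values, printed with the side they land on.
    for x in (0, 1, 2, 9, 10):
        print(x, classify_x(x))
```
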
