Closed chris-wood closed 2 years ago
> The only other issue (which has been raised a number of times before) is the selection of a global M for a specific parameter set. While this is convenient, this also means that the protocol has a 'solve one discrete log problem, break the entire system globally' property that I cannot endorse.
This is an interesting point. I think we can address this by saying that implementations MAY generate M and N that meet the requirements, provided we list the requirements (DLOG is not known). We do this for M and N out of alignment with the security analysis, so I think we ought to keep this the same and not use the identity element for N.
@ttaubert, what do you think?
I went through the draft, the TLDR is that other than one sticking point (which has been raised before), it looks pretty good; my comments were about a few places which I thought could be expressed clearer.
Here are my comments (actually, I initially reviewed the -03 version and had more comments; some of those have already been addressed before I even raised them):
In section 3.1 (the offline initialization), you state:
We fix two random elements M and N in the prime-order subgroup of G as defined in the table in this document for common groups, as well as a generator P of the (large) prime-order subgroup of G.
log of M wrt P; IMHO, something that critical should be called out.
In section 3.4 (Protocol), you give the various steps of the on-line protocol. However, some of those steps are out of order (for example, A checks on the received value Y before B computes and sends it); I believe it would be clearer if you followed strict chronological order (and included the mandatory error checking in pseudocode, rather than just in text).
In section 3.4, you also state:
All proofs of security hold even if the discrete log of the fixed group element N is known to the adversary. In particular, one MAY set N=I, i.e. set N to the unit element in G.
After all, this simplifies the computation.
The only other issue (which has been raised a number of times before) is the selection of a global M for a specific parameter set. While this is convenient, this also means that the protocol has a 'solve one discrete log problem, break the entire system globally' property that I cannot endorse.
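The protocol under review, as an added example that is not part of this thread or of the draft: a toy SPAKE2 run written in strict chronological order with the membership checks, with M and N derived from public labels (an assumed hash-to-group construction, standing in for "implementations MAY generate M and N") and the N = I variant run alongside. The group size, labels and password are constructed for illustration; the group is far too small to be secure.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: p is a safe prime, so the quadratic
# residues mod p form a subgroup of prime order q = (p - 1) / 2. Far too small for
# real use (a discrete log here is a trivial brute force), but the algebra is the same.
p = 2039
q = (p - 1) // 2
P = 4  # 2^2 is a quadratic residue, hence a generator of the order-q subgroup


def hash_to_group(label: bytes) -> int:
    """Assumed 'nothing up my sleeve' derivation of a fixed element: hash a public
    label, reduce mod p, square into the order-q subgroup. In a real-size group nobody
    learns the discrete log of the result wrt P, the requirement the thread asks for."""
    counter = 0
    while True:
        h = hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        e = pow(int.from_bytes(h, "big") % p, 2, p)
        if e not in (0, 1):  # skip the non-element 0 and the identity 1
            return e
        counter += 1


def password_to_scalar(password: bytes) -> int:
    """w = H(password) mod q, the scalar both sides blind their message with."""
    return int.from_bytes(hashlib.sha256(password).digest(), "big") % q


def spake2(w_a: int, w_b: int, x: int, y: int, M: int, N: int):
    """One SPAKE2 run in strict chronological order; returns (K_A, K_B).
    w_a, w_b are A's and B's password scalars, x, y their ephemeral secrets."""
    X = pow(P, x, p) * pow(M, w_a, p) % p            # A -> B: X = P^x * M^w
    if X == 1 or pow(X, q, p) != 1:
        raise ValueError("B aborts: X is not a non-identity subgroup element")
    Y = pow(P, y, p) * pow(N, w_b, p) % p            # B -> A: Y = P^y * N^w
    if Y == 1 or pow(Y, q, p) != 1:
        raise ValueError("A aborts: Y is not a non-identity subgroup element")
    K_A = pow(Y * pow(N, -w_a, p) % p, x, p)         # A strips N^w, gets P^(xy)
    K_B = pow(X * pow(M, -w_b, p) % p, y, p)         # B strips M^w, gets P^(xy)
    return K_A, K_B                                  # equal when the passwords match


if __name__ == "__main__":
    M = hash_to_group(b"SPAKE2 M toy")
    for N in (hash_to_group(b"SPAKE2 N toy"), 1):    # derived N, then N = I
        w = password_to_scalar(b"constructed password")
        x, y = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
        K_A, K_B = spake2(w, w, x, y, M, N)
        print(f"N = {'I' if N == 1 else N}: keys agree ->", K_A == K_B)
```

With N = I a password mismatch can never yield equal keys (K_B differs from K_A by a non-trivial power of M), which is why the draft can allow the identity for N while still requiring an unknown discrete log for M.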