decentralized-identity / bbs-signature

The BBS Signature Scheme
https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs-signatures.html
Apache License 2.0

Per-Key Generators #318

Open bellebaum opened 8 months ago

bellebaum commented 8 months ago

There is a possibility that one day a dedicated entity will find a nontrivial relationship in the generators used for a particular parameter set. This is about as hard as computing a discrete logarithm (about 128 bits of security), as has been proven before, thus we take this impossibility for granted. What worries me is this:

Once one or a few such nontrivial relationships are found, they might translate not into an attack on one particular key pair, but into an attack on all key pairs using the same api_id, which severely increases the reward for anyone attempting such an attack.

One simple fix would be to hash the public key into the initial value of v (maybe even into all of them), which would however make caching of generators more expensive and less useful. What do you think about this potential threat? Is it worth it to incorporate measures against it?
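The seed pipeline the proposal touches, as an added example that is not code from the issue or from the draft: it implements `expand_message_xmd` from RFC 9380 and the seed-chaining structure of the draft's `create_generators` as I read it (`v` derived from `api_id || "MESSAGE_GENERATOR_SEED"`, then re-expanded with `I2OSP(i, 8)` per generator), stopping at the 48-byte seeds that would feed `hash_to_curve_g1`. The `pk` argument is the issue's suggestion of mixing the public key into the initial `v`; the `api_id` string and the key bytes are constructed values, and the point mapping is omitted.

```python
import hashlib
import math

# Assumed BLS12-381-SHA-256 ciphersuite parameters: SHA-256, 48-byte seeds.
EXPAND_LEN = 48


def i2osp(x: int, length: int) -> bytes:
    return x.to_bytes(length, "big")


def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int) -> bytes:
    """expand_message_xmd (RFC 9380, 5.3.1) instantiated with SHA-256."""
    b_in_bytes, r_in_bytes = 32, 64
    ell = math.ceil(len_in_bytes / b_in_bytes)
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("expand_message_xmd parameters out of range")
    dst_prime = dst + i2osp(len(dst), 1)
    msg_prime = b"\x00" * r_in_bytes + msg + i2osp(len_in_bytes, 2) + i2osp(0, 1) + dst_prime
    b0 = hashlib.sha256(msg_prime).digest()
    blocks = [hashlib.sha256(b0 + i2osp(1, 1) + dst_prime).digest()]
    for i in range(2, ell + 1):
        xored = bytes(x ^ y for x, y in zip(b0, blocks[-1]))
        blocks.append(hashlib.sha256(xored + i2osp(i, 1) + dst_prime).digest())
    return b"".join(blocks)[:len_in_bytes]


def generator_seeds(count: int, api_id: bytes, pk: bytes = b"") -> list[bytes]:
    """Seed bytes v_1..v_count that hash_to_curve_g1 would map to generators.

    pk == b"" follows the draft's shared, cacheable generators; a non-empty
    pk is the issue's proposal (hypothetical here): every key pair then gets
    its own generator set, so a relation found for one key does not carry
    over to other keys under the same api_id, at the cost of caching.
    """
    seed_dst = api_id + b"SIG_GENERATOR_SEED_"
    generator_seed = api_id + b"MESSAGE_GENERATOR_SEED" + pk
    v = expand_message_xmd(generator_seed, seed_dst, EXPAND_LEN)
    seeds = []
    for i in range(1, count + 1):
        v = expand_message_xmd(v + i2osp(i, 8), seed_dst, EXPAND_LEN)
        seeds.append(v)
    return seeds


def demo(count: int = 3):
    # Constructed values: api_id as I recall the ciphersuite string, fake keys.
    api_id = b"BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_"
    pk_a, pk_b = bytes.fromhex("aa" * 96), bytes.fromhex("bb" * 96)
    return generator_seeds(count, api_id), generator_seeds(count, api_id, pk_a), generator_seeds(count, api_id, pk_b)
```

Running `demo()` shows three disjoint seed lists: the shared one is identical for every key under that `api_id`, while the two per-key lists differ from it and from each other in every position.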