
I know there are many questions that ask how to safely HashToCurve, but I want to know if the method I found in an actual implementation is secure against the following attack, where the algorithm used to generate the points is widely known:

For any two distinct randomly generated points $P_i,P_j\in \{P_1,\dots,P_k\}$, it should be hard to find $s$ such that $P_i=s\cdot P_j$.

The points are successfully generated using this inefficient algorithm, which is fully deterministic (the first $start\_index$ used, and thus the next ones, are known):

```
Return : point on the selected twisted Edwards curve in Cartesian coordinates (returns x and y)
Input  : start_index
Prog   :
begin:
    while (!Is_packed_point_on_the_256_bits_twisted_Edwards_Curve(blake256(start_index) % Selected_Curve_Finite_Field)) {
        start_index++
    }
    found_candidate_point = unpack_point(blake256(start_index) % Selected_Curve_Finite_Field)
    if (IsZero(found_candidate_point)) {
        // rare in my case, but continue otherwise to try for the next start_index candidates
        start_index++   // advance first, so that the retry does not test the same index again
        goto begin
    } else {
        return (Edwards_scalar_multiply(8, unpack_point(blake256(start_index) % Selected_Curve_Finite_Field)))
    }
```

In order to get the next $P_j$ (a different point from the last one generated), run the function with the last value of $start\_index$.

So, would it be impossible in such a case to find the discrete logarithm between 2 different points generated from 2 different $start\_index$ values without plain discrete logarithm solving that doesn’t use any trick in how the points are generated?

  • Could you link the source of "the method I found in an actual implementation"? Also, what is the source of start_index (si)? first index = 2, and found a point at 9, second index = 8 and found the point at 0 again. So the quality of the source of first index is crucial. Commented Jun 5, 2024 at 17:13
  • Assuming the source is a high-quality random source, this is slightly another way to generate a random point on the curve (2. way) Commented Jun 5, 2024 at 17:17
  • Let oracle $O$ return $s$ given $(P_i,P_j)$; then supply this $O$ with $(P_i,G)$, where $G$ is the base point... Commented Jun 5, 2024 at 17:58
  • @kelalaka the source for the $start\_index$ is 0 for generating the first point and last start_index, the points are pseudorandom as the aim of the algorithm is to let one verify how the points were generated (to prove there’s no backdoor). Again, I know there are better-studied algorithms that are more well-known to be secure and are also faster/more efficient, but I just want to be sure whether what I found is secure (I mean impossible to use how the numbers are generated to solve the elliptic curve discrete logarithm faster). Commented Jun 5, 2024 at 18:07
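
The generation procedure from the question, written out as an added example (not the code of the implementation the post refers to, and not part of any comment above). Assumptions: Ed25519's curve parameters stand in for the unnamed 256-bit twisted Edwards curve, `hashlib.blake2s` stands in for `blake256`, unpacking picks the even x root, and the identity check is done after the multiplication by 8 so that small-order candidates are skipped as well.

```python
import hashlib

# Assumed curve (the post names none): Ed25519, -x^2 + y^2 = 1 + D*x^2*y^2 over GF(P).
P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P
L = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
IDENTITY = (0, 1)

def add(p1, p2):
    """Complete affine addition for an a = -1 twisted Edwards curve."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, pt):
    """Double-and-add; not constant time, acceptable for public inputs."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def unpack(y):
    """Point (x, y) with even x if y is a valid y-coordinate, else None."""
    u = (y * y - 1) * pow(D * y * y + 1, -1, P) % P  # candidate x^2
    x = pow(u, (P + 3) // 8, P)
    if x * x % P != u:
        x = x * pow(2, (P - 1) // 4, P) % P  # multiply by sqrt(-1)
    if x * x % P != u:
        return None
    return (x if x % 2 == 0 else P - x, y)

def next_point(start_index):
    """Try-and-increment; blake2s stands in for the post's blake256 (assumption)."""
    while True:
        digest = hashlib.blake2s(start_index.to_bytes(8, "little")).digest()
        cand = unpack(int.from_bytes(digest, "little") % P)
        start_index += 1
        pt = mul(8, cand) if cand else IDENTITY  # clear the cofactor
        if pt != IDENTITY:  # skips invalid and small-order candidates
            return pt, start_index  # index to pass to the next call

def generate(k, start_index=0):
    pts = []
    for _ in range(k):
        pt, start_index = next_point(start_index)
        pts.append(pt)
    return pts
```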
