lists.openwall.net lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC Open Source and information security mailing list archives
```Date: Fri, 05 Sep 2014 17:06:29 -0400
From: Bill Cox <waywardgeek@...hershed.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] A review per day - Makwa

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/05/2014 04:37 PM, Thomas Pornin wrote:
> On Fri, Sep 05, 2014 at 01:40:45PM -0400, Bill Cox wrote:
>> The concern I am working through right now is trying to convince
>> myself that Makwa will have good long cycle lengths when squaring
>> over and over, with effectively zero chance of getting a weak
>> cycle where finding the square root is many times easier.
>
> If you can find small cycles then you can factor the modulus.
>
> Indeed, choose a random x modulo N. Probability that x is a
> quadratic residue modulo p is about 1/2. Probability that x is a
> quadratic residue modulo q is also about 1/2. You can compute the
> Jacobi symbol of x relatively to n, which will be 1 or -1; the
> http://en.wikipedia.org/wiki/Jacobi_symbol ). We are here
> interested in values x such that the Jacobi symbol (x|n) = -1:
> these are exactly the values which are a square modulo p but not
> modulo q, or are a square modulo q but not modulo p. Probability of
> a random x to be such a value is about 1/2, so finding one is
> easy.
>
> Suppose that such a x generates a small cycle. You can them
> compute x^2, x^4, x^8... and so on, until you complete the cycle:
> you end up with a value y which is such that y^2 = x^2 modulo N.
> However, y is a quadratic residue, but x is not, so y != x; and
> since (x|n) = -1, x cannot be equal to -y either. The consequence
> is that y-x is a multiple of p and not q, or of q and not p. A
> simple GCD computation between y-x and N reveals p or q, and N is
> factored.
>
> Therefore, if the probability of hitting a small cycle is not
> negligible, then you have an efficient factoring algorithm. Since
> integer factorization is hard for 2048-bit RSA-like moduli, small
> cycles will not be reachable in practice, even if you try hard.
>
>
>
> The notion of "safe prime" has been coined at various times, not
> always for the same values. Usually, a prime p is called "safe" if
> (p-1)/2 is also prime (note that it is not exactly the same meaning
> as the one you use). That specific notion of safe prime was about
> resistance to a factorization algorithm known as the "p-1 method",
> which works for integers N = pq where p-1 is the product of only
> small integers (this is called a "smooth integer"); in that sense,
> selecting your prime factors (for RSA key pair generation) to be
> "safe" (in that sense) guaranteed that the "p-1 method" was not
> applicable.

I actually did mean that (p-1)/2 was prime when I said "safe" prime.

> However, this was overkill. The probability that p-1 was
> sufficiently smooth for a random prime p is extremely small, far
> into the "utterly negligible" area. For a 1000-bit random integer
> x, the average size of the largest prime factor of x is about 624
> bits (this is linked to the Golomb-Dickman constant). I am too lazy
> and rushed right now to compute the probability that, by generating
> random 1000-bit integers, you hit a value whose largest prime
> factor is less than 2^80, but it is negligible (less than 1 in
> 2^200).
>
> In the case of short cycles for Makwa, similar results hold. I
> don't have time right now to quantify it (I'll try later this
> week-end), but probability of finding a small cycle will be
> negligible (which explains why it does not work in practice as a
> factorization algorithm).
>
>
> Yet another way to see it is the following: if you hit a short
> cycle, short enough to be walked extensively, then you are breaking
> Rabin encryption.
>
>
>
> To sum up, trying to generate p and q factors with special
> properties ot ensure a lack of short cycles is mostly wasted CPU,
> since purely random primes will already ensure it with overwhelming
> probability. You _can_ apply extra checks or insist on "safe prime"
> for some notion of "safe", but the benefits will be only
> psychological, not cryptographic: this won't improve security in
> any tangible way, but it may help you sleep at night.
>
> Since I personally don't have qualms with regards to short cycles,
> I did not enforced any such "safe primes" in the modulus generation
> tool provided with the Makwa reference code.
>
>
> --Thomas Pornin

Thanks for that explanation!  I am nearly convinced that we can
increase the bit-strength against a cycle measuring attack to just a
few bits short of n's length.  However, given that attacking factoring
n with the simplest possible attack has strength sqrt(n), there's no
point.  Knowing that the cycle length being less than 2^1024 happens
with negligible probability is enough.

However, I did have a *lot* of fun with that analysis :-)

Bill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUCiXRAAoJEAcQZQdOpZUZ2nkQAKPk0u/ap/0wLM3CR9Qcm7H3
OWOebxrxqYNY4TsDwQ2Ku9Ra2tEZGPCQLJxAAxnn11w0wSGWul5+428cl5xWgBgD
y5jx7LeCG8iDYzH16DrGY/ug7z2mQPFYgddl6BbQgW7jqDH3shLTd5mtNlBu1NTC
WE0rrnkGn6kk52GiQt5xNq6DvCTEFfO0lhzEuINKhbdGAFPnXshpmrlxtnobYCqa
qRzOJKcYk9kciwAXJpTRdny3wYPqDgQa4jcctPPh+db1d9kTIHt9LF7lGdA4cNsu
S7KU4UZB5S5E3SNnFA3d1DrQ6vWU4fWv2EL4ef+1jjvkqV96AESHNqspKvtMcFgf
mg4EA3LSN/FgUmI/zjI+Ut5o8NMRU8aZbb7XSKPGO20XkkOgpP+pAxhDQ1obz586
+J5aloxtkvnhn2kEPFZxpdoSIsUYX6KaVzwYJDYoiNQkJk2og2mf6UDoU5IMoe+x
QWDrPUX4Kzx0QwsynAt13DWtY7KD0md3h0l8dGUQ8hf9TxTdpzJLH1tT0JzS0CmA
Et9uPQ/WEgQNA17bdKL/eRaoLbnQB4vwgXp8duY4c9FsMn/gGmdhrzouPAcJd+To
tt+CxU/CnMjInrVBHrufRfh5gblBY0IrXl1+kG2CuEQwWCyQQhAG8KJjckWrJYIp
8bnbi41UZ5bERqEcdUe4
=cl6r
-----END PGP SIGNATURE-----
```