Hi to all, I am currently re-working the security proof for CPace https://datatracker.ietf.org/doc/draft-haase-cpace/ such that tight computational bounds for the adversary could be given.
In this context, I am still looking for the name and defininition of the problem that captures the feature of "twist security", i.e. for the tight reduction for the case where an active adversary passes a point on the twist to a honest party. I did not find an established security notion so far that captures this property so that I could re-use it in the re-worked proof. I'd coin it "exponential transfer" and formulate it in the way: Given two groups (modulo negation) J and J' with co-factors c and c' in which the discrete logarithm problem is assumed to be hard in the prime order subgroup and with c' = n * c and d=max(c,c'), the *exponential transfer problem * is defined as: Given two points B,X = B^(d * x) in J: Provide two points B' and X' in J' with X' = B'^(d * x). I'd like to avoid having to newly define it myself. I would very much appreciate if anybody could give me a pointer. Yours, Björn _______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves