If you have the time and inclination, I would sure love to read a more elaborated (slightly more towards layman comprehension) explanation of what is subject to factorization and not related to the inability to find the multiple between two points given by ECLP
So would I.
Cao kept the unknown factorisation assumption even after reducing to a single base in modular DLP, so it has nothing to do with multiple base point commitment (Fujisaki-Okamoto):
http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=2B21218DC3B721C6834211C3DFEE544D?doi=10.1.1.79.5740&rep=rep1&type=pdfApparently, "if the order of the group is known, the [widened-interval] protocol becomes easy to break". It will take some time for me to figure out whether this is true or not (or maybe only applies to non-prime curves and some types of commitments). I don't know the specific attack.
In short, it appears you can either employ a Hash on the relative base points or on the values committed to the base points. Afaics, your original proof in a large interval did the latter and thus was already immune to factorization of the committed values.
Possibly. Will take some time to figure out.
From
section 4:
Alice cannot cheat Bob even she knows the order of g.
The factorization of the modulus n is unknown by Alice, which implies that D = α + xc is just an integer (not a residue class).
The authors [6] gave the original presentation of CFT proof in ElGamal setting[12]. It’s corrected soon [7] because Alice can cheat Bob if the order of the cryptographic group is known by her.
A residue class in this context would be a functional relationship between the commited values
D and the commitment values
gD mod n w.r.t. to modulus
n such that Alice (as an adversary) would know all values for
D which produce the same commitment value
gD mod n. Thus when
−2t+lb > x > 2t+lb, Alice would not be limited to only one value for
α which fulfills the proof. Thus the probability of Alice cheating would not be limited to
1/2t+lb[/sub]. The hash
C = H(W) is secure only under the assumption that Alice can't factor the curve order so that
D is just an integer to Alice and not a member of a residue class which Alice
knows.
For ECC, the "n" is the order of the curve, i.e. the finite number of elements in the field which is the "modulus" where
xG wraps around and repeats values that are obtained for other values of
x.
Thus the simple solution to this problem is to make the curve order prime so that it can't be factored and thus a residual class can't be found (in the computationally conditional not
information-theoretic security model) . In [7] two distinct finite fields were employed because it was constructed in the setting where one of the prime factors of the modulus was known (thus the modulus could be theoretically factored), but in our case only the curve order is known, so we merely have to make it prime to make it (theoretically assuming the proof of it being prime is sound) unfactorable.
Or you do what you proposed which is hash the mathematical relationship of the commitment values (not just hash the integer relationship, thus why two hashes are required) so that no such residue class can be found, but this makes your algorithm 50% slower. My way of thinking about this is that the committed values are a distinct
field from the commitment values, thus the hash
C = H(W) applies to the field of real numbers (stated as "integer" by Cao) and does not apply to the abelian group field of the commitment values.
Note that Berstein's curves have odd prime orders:
http://ed25519.cr.yp.to/eddsa-20150704.pdfSo problem solved and efficiency maintained.
Again I am not a mathematician and my training in this area of algebraic geometry is non-existent, so please do peer review of my statements.
For n00bs, remember it is the factorability of the RSA modulus (because it is composed of two prime factors) which makes it vulnerable (but this
may not be the only vulnerability) and why it needs
exponentially larger keys than ECDSA (or Berstein's EdDSA):
http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/https://bithin.wordpress.com/2012/02/22/simple-explanation-for-elliptic-curve-cryptography-ecc/https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Example