You also need the group structure, i.e. a(bG) = b(aG) = (ab)G.
But AFAICT, elliptic curve groups really are the best known groups where DH is hard. The "Why curves win" section talks about it in terms of key size, but the reason other groups require larger keys is they have some kind of structure which can be exploited to attack the "hard" direction (e.g. in a finite field, the ability to factor over primes can be used to solve discrete logs), so the group size has to go up to compensate.
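The group law the comment relies on, a(bG) = b(aG) = (ab)G, worked through in Python as an added example (not code from the thread). The curve y^2 = x^3 + 2x + 3 over F_97 and the base point (3, 6) are toy values chosen for illustration, not a real parameter set; the peer-point validation step is the check a practitioner would expect before using a received public point.

```python
# Toy elliptic-curve Diffie-Hellman: constructed parameters, far too small for real use.
P = 97              # field prime
A, B = 2, 3         # curve y^2 = x^3 + A*x + B (mod P)
G = (3, 6)          # base point; None represents the point at infinity

def on_curve(pt):
    """Validate a point before using it (rejects off-curve/invalid-curve inputs)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ec_add(p1, p2):
    """Group law: chord-and-tangent addition on the curve."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:   # P + (-P) = infinity (also covers y == 0 doubling)
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def ec_mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def ecdh(a, b):
    """Return (a(bG), b(aG), (ab)G); all three must agree for DH to work."""
    aG, bG = ec_mul(a, G), ec_mul(b, G)          # the exchanged public points
    if not (on_curve(aG) and on_curve(bG)):      # each side validates what it receives
        raise ValueError("received point is not on the curve")
    return ec_mul(a, bG), ec_mul(b, aG), ec_mul(a * b, G)

if __name__ == "__main__":
    print(ecdh(7, 13))
```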
You can make as many slight variations as you want by creating a specific instantiation of a hard problem with different constants. But we don't know how many meaningfully different hard problems exist.
These are problems that have been studied for many years, that are more-or-less central to mathematics, and where we have good reason to think that an efficient solution would be extremely surprising.
If you have much lower standards, there's going to be infinitely many that I can't personally solve. Or if you have impractically high standards, there could be zero hard problems, if they just so happen to all have efficient solutions that we haven't found yet. We can't formally prove any of these are hard.
I'd be very surprised if the number of meaningfully hard problems is capable of being bounded. As a proposition it feels opposite to almost everything else we believe about numbers. But, that's just my naive view.
I think there's a weak claim that I'm happy to make and then a much stronger one. The set of hard problems in general is vastly larger than hard problems that are considered useful to cryptographers. The latter is very much finite, and hardness in cryptography is rarely a formal affair either. At best cryptographers can prove reductions to problems that they think are hard, but they can't prove the hardness of the problems themselves. We don't know that the ECDLP is hard, for example. And I'd be very surprised if complexity theorists were able to say anything about these kinds of hard problems in my lifetime.
For the stronger claim, if you pick a complexity class like NP and assume P!=NP, I'm pretty confident you could find as many problems as you want in NP that aren't in P and that all look meaningfully different from each other. So the claim that these are bounded is probably false. But hard problems in the sense of NP-hardness aren't sufficient to make them useful to cryptographers.
You’re right — under direct physical coercion this design does not provide strong resistance.
My current threat model is focused more on long-term survivability and secret non-storage rather than state-level coercion resistance.
I’m experimenting with limited deniability extensions (e.g. decoy derivation paths), but I’m aware that application-layer branching is not equivalent to formally secure deniable encryption.
So I wouldn’t claim this passes a true “wrench test.” At best it may reduce risk in casual coercion scenarios.
If the goal were coercion resistance specifically, the architecture would likely need to move toward threshold schemes or multi-party secret sharing instead.