Re: [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-curve-08.txt

Marek Jankowski <mjankowski309@gmail.com> Thu, 11 June 2020 14:00 UTC

From: Marek Jankowski <mjankowski309@gmail.com>
Date: Thu, 11 Jun 2020 15:08:23 +0200
To: Christopher Wood <caw@heapingbits.net>
Cc: CFRG <cfrg@irtf.org>
In-Reply-To: <ac8f59fe-a82b-4cef-9b05-dd617625df64@www.fastmail.com>
Message-ID: <CAMCcN7Qe-Z5+mLiv4iNUzwWzpQ4S3O4QGVO+G7+9QqLGm1iirw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-ykeWhSbzdxtfXr4jjmgzR0iCPs>

Hi Chris,
I think this is a great draft - it explains very well hashing to curves,
which is vital for many new applications that I hope to see coming, mainly
those using pairings.
The section about domain separation is very important and I'm glad to see
it explained explicitly and thoroughly.
Here are a few suggestions, most of them minor:
a. I think Table 1 (Sec. 2.1) could be better formatted, using fewer line
breaks. Please consider redistributing the widths of the columns.
b. The second paragraph in 2.2.1 can be simplified: it suffices to say it
need not be bijective/surjective/injective. Also I'm not entirely sure
it's best practice to use the term 'invertible' for just _efficiently_
reversible functions.
c. I think a better formulation in the first paragraph in 2.2.5 is
something like "...assuming the attacker accesses RO only through the
protocol, viz. the RO is not used elsewhere."
d. The word 'encode' (Sec. 3) implies that its output can be decoded.
Perhaps there's a better word for noninvertible maps.
e. Domain separation (Sec. 3.1): I believe that if needed for backwards
compatibility, it is not a disaster if we omit the version number from the
Tag. Maybe it is worth a "NOT RECOMMENDED".
f. It says that expand_message MUST NOT use rejection sampling (5.3.4). To
the best of my understanding, rejection sampling is to be avoided for the
sole purpose of mitigating side channel attacks; this is defined (Sec. 4)
as a SHOULD, so I believe this SHOULD should (no pun intended :-) propagate
there.
g. Do we really want to approve as many curves as in [Table 2, Sec. 8]? We
are standardizing something new here, so we can allow ourselves to stick to
just the best curves. In my opinion Curve25519 is in every way superior to
the NIST curve of the same strength, so the latter can be omitted.
Again, I am very supportive of the draft and will be happy to further help
in the process.

Cheers,
Marek

On Tue, Jun 2, 2020 at 1:32 AM Christopher Wood <caw@heapingbits.net> wrote:

> This update carries a number of important changes, including, though not
> limited to:
>
> - Domain separation mitigations for expand_message_xmd (as part of
> hash-to-field).
> - Mapping function fixes and clarifications. Elligator 2 alignment is one
> such update.
> - An overall reduction in suites. There is now one recommended RO and NU
> suite per target curve.
> - Expanded test vectors, including those for expand_message.
> - Much improved security considerations text, particularly around domain
> separation guarantees.
> - Alignment with the VRF specification [1].
>
> We believe the document is now ready for RGLC, and would appreciate
> reviews and feedback to help get it across the finish line.
>
> Thanks!
> Chris
>
> [1] https://github.com/fcelda/nsec5-draft/pull/35
>
> On Mon, Jun 1, 2020, at 4:17 PM, internet-drafts@ietf.org wrote:
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the Crypto Forum RG of the IRTF.
> >
> >         Title           : Hashing to Elliptic Curves
> >         Authors         : Armando Faz-Hernandez
> >                           Sam Scott
> >                           Nick Sullivan
> >                           Riad S. Wahby
> >                           Christopher A. Wood
> >       Filename        : draft-irtf-cfrg-hash-to-curve-08.txt
> >       Pages           : 156
> >       Date            : 2020-06-01
> >
> > Abstract:
> >    This document specifies a number of algorithms for encoding or
> >    hashing an arbitrary string to a point on an elliptic curve.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-08
> > https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-08
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-hash-to-curve-08
> >
> >
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
> >
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
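Chris's change list mentions the domain separation mitigations added to expand_message_xmd, and Marek's points e and f concern the contents of the domain separation tag and the ban on rejection sampling. As an added illustration, not code from the draft or from either author, the following Python implements expand_message_xmd and hash_to_field for a prime field as the construction was published in RFC 9380, the final form of this draft (the -08 text may differ in detail). The tag strings, the sample message and the choice of the P-256 prime are assumptions made for the demonstration; the two tags differ only in their version field, which is exactly the component point e discusses omitting.

```python
import hashlib
import math

# Added example: expand_message_xmd and hash_to_field for a prime field,
# following the construction published in RFC 9380 (the final form of the
# hash-to-curve draft). Names and sample inputs are assumptions for
# demonstration, not values from the draft.


def i2osp(x: int, length: int) -> bytes:
    """Big-endian fixed-length integer encoding (I2OSP from RFC 8017)."""
    if x < 0 or x >= 1 << (8 * length):
        raise ValueError("integer does not fit in %d bytes" % length)
    return x.to_bytes(length, "big")


def strxor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("strxor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int,
                       hash_name: str = "sha256") -> bytes:
    """Expand msg into len_in_bytes pseudorandom bytes, domain-separated by dst.

    Security-relevant details of the construction:
      * Z_pad, one hash block of zero bytes, is prepended to msg so that the
        first compression-function call is on a fixed block (the mitigation
        listed in the -08 change notes).
      * DST_prime appends the one-byte length of dst, so no (msg, dst) pair
        can collide with another by moving bytes across the boundary.
      * Every output block is bound to its index and to DST_prime.
    """
    hasher = hashlib.new(hash_name)
    b_in_bytes = hasher.digest_size   # output size of H
    r_in_bytes = hasher.block_size    # input block size of H
    ell = math.ceil(len_in_bytes / b_in_bytes)
    if ell > 255 or len_in_bytes > 65535:
        raise ValueError("requested output too long for expand_message_xmd")
    if len(dst) > 255:
        # Oversized tags are first shortened as RFC 9380 section 5.3.3 prescribes.
        dst = hashlib.new(hash_name, b"H2C-OVERSIZE-DST-" + dst).digest()
    dst_prime = dst + i2osp(len(dst), 1)
    z_pad = i2osp(0, r_in_bytes)
    l_i_b_str = i2osp(len_in_bytes, 2)
    msg_prime = z_pad + msg + l_i_b_str + i2osp(0, 1) + dst_prime
    b_0 = hashlib.new(hash_name, msg_prime).digest()
    blocks = [hashlib.new(hash_name, b_0 + i2osp(1, 1) + dst_prime).digest()]
    for i in range(2, ell + 1):
        chained = strxor(b_0, blocks[-1]) + i2osp(i, 1) + dst_prime
        blocks.append(hashlib.new(hash_name, chained).digest())
    return b"".join(blocks)[:len_in_bytes]


def hash_to_field(msg: bytes, count: int, p: int, k: int, dst: bytes,
                  hash_name: str = "sha256") -> list:
    """Map msg to `count` elements of GF(p) at security level k bits.

    No rejection sampling (which would make the running time depend on the
    input): each element is taken from L = ceil((log2(p) + k) / 8) uniform
    bytes reduced modulo p, and the k surplus bits keep the modular bias
    below 2^-k.
    """
    # p.bit_length() equals ceil(log2(p)) for any p that is not a power of two.
    L = math.ceil((p.bit_length() + k) / 8)
    uniform = expand_message_xmd(msg, dst, count * L, hash_name)
    return [int.from_bytes(uniform[i * L:(i + 1) * L], "big") % p
            for i in range(count)]


# Constructed demonstration inputs (assumptions, not from the draft).
P256_PRIME = 2**256 - 2**224 + 2**192 + 2**96 - 1
DEMO_DST_A = b"EXAMPLE-APP-V01-CS01-with-P256_XMD:SHA-256_SSWU_RO_"
DEMO_DST_B = b"EXAMPLE-APP-V02-CS01-with-P256_XMD:SHA-256_SSWU_RO_"


def demo_domain_separation(msg: bytes = b"abc") -> bool:
    """Same message, tags differing only in the version field: different elements."""
    ua = hash_to_field(msg, 2, P256_PRIME, 128, DEMO_DST_A)
    ub = hash_to_field(msg, 2, P256_PRIME, 128, DEMO_DST_B)
    return ua != ub and all(0 <= u < P256_PRIME for u in ua + ub)


if __name__ == "__main__":
    # Expander vector from RFC 9380 Appendix K.1 (empty message, 32 bytes).
    print(expand_message_xmd(b"", b"QUUX-V01-CS02-with-expander-SHA256-128", 0x20).hex())
    print(demo_domain_separation())
```

Running the block prints the 32-byte expansion for the empty message under the RFC 9380 test tag and then True, showing that a one-character change in the tag's version field yields unrelated field elements; hash_to_field reads 48 bytes per P-256 element (256 + 128 bits, rounded up to bytes) and reduces them modulo p, which is the fixed-time alternative to the rejection sampling that point f discusses.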