Re: [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-curve-04.txt

Björn Haase <bjoern.m.haase@web.de> Mon, 22 July 2019 20:08 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/1U5jlJdE_Gheg4OKyfjcALeKRfU>

Dear Rene,

As a general rule for avoiding complexity as a possible error source, I
would always only consider a single mapping: the most efficient mapping
that is safely not covered by patents for a curve.


This means: For any Montgomery or Edwards curve, we probably should
concentrate on Elligator2 and not suggest use of SWU.

The second simple question IMO is P384. I'd not consider Icart's mapping
as long as the patents apply. I'd use plain SWU here.

Choice for P256 and other curves such as Brainpool with q = 3 mod 4
might be a bit more difficult. I'd suggest that we carry out a patent
review and stick to a simplified SWU version which avoids "-1" as
non-square if we all have consensus that this is not covered by known
patents. In case that there remains any uncertainty, I'd suggest to
stick to plain SWU as single mapping proposal for P256.

I believe that the possible benefit of the mapping for protocols such as
OPAQUE or AuCPace is so large that we should really avoid any doubt by
some people that the mapping might be covered by patents.

Yours,

Björn.


On 22.07.2019 at 20:53, Rene Struik wrote:
> Hi Armando:
>
> Thanks for your note. Curve448 is defined over a field GF(q) with q=3
> (mod 4), so it seems the simplified SWU mapping, as well as
> "Elligator2" (which can be viewed as a "repackaged" version of
> simplified SWU for Montgomery curves) both apply.
>
> Rene
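
An added worked example, not part of either message and not taken from the draft: Elligator 2 over the Curve448 field, showing that q = 3 (mod 4) makes -1 a usable non-square and gives a single-exponentiation square root. The curve constants are those of RFC 7748; the function names, the choice Z = -1 and the omission of any sign selection for y are assumptions of this sketch.

```python
# Added example: Elligator 2 on Curve448, y^2 = x^3 + A*x^2 + x over GF(Q).
# Q and A are the RFC 7748 Curve448 parameters. Z = -1 is this sketch's
# choice of non-square; it is valid because Q = 3 (mod 4).
Q = 2**448 - 2**224 - 1
A = 156326
Z = Q - 1  # -1 mod Q


def is_square(v):
    """Euler criterion: v is a square in GF(Q) iff v^((Q-1)/2) is 0 or 1."""
    return pow(v % Q, (Q - 1) // 2, Q) in (0, 1)


def sqrt_3mod4(v):
    """Square root for Q = 3 (mod 4); only meaningful when v is a square."""
    return pow(v % Q, (Q + 1) // 4, Q)


def g(x):
    """Right-hand side of the curve equation."""
    return (x * x * x + A * x * x + x) % Q


def elligator2(u):
    """Map a field element u to an affine point (x, y) on the curve."""
    u %= Q
    d = (1 + Z * u * u) % Q
    # Exceptional case d == 0 (u = +-1 when Z = -1): fall back to x1 = -A.
    x1 = (-A) % Q if d == 0 else (-A * pow(d, Q - 2, Q)) % Q
    gx1 = g(x1)
    if is_square(gx1):
        x, gx = x1, gx1
    else:
        # g(x2) = Z * u^2 * g(x1), so exactly this candidate is a square.
        x = (-x1 - A) % Q
        gx = g(x)
    return x, sqrt_3mod4(gx)


def on_curve(x, y):
    return (y * y - g(x)) % Q == 0


if __name__ == "__main__":
    for u in (0, 1, 2, 12345, Q - 1):  # constructed inputs, incl. u = +-1
        x, y = elligator2(u)
        print(u if u < 10**6 else "Q-1", on_curve(x, y))
```

Not constant time and not a hash-to-curve construction on its own: hashing the input to u, fixing the sign of y and clearing the cofactor are left out.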