Re: [Cfrg] using hash2curve in a protocol

"Riad S. Wahby" <> Sat, 10 August 2019 20:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8EAA6120094 for <>; Sat, 10 Aug 2019 13:28:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.697
X-Spam-Status: No, score=-1.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.201, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vOvNnX3ctzSJ for <>; Sat, 10 Aug 2019 13:28:00 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5948712008B for <>; Sat, 10 Aug 2019 13:28:00 -0700 (PDT)
Received: by with SMTP id r26so11579032pgl.10 for <>; Sat, 10 Aug 2019 13:28:00 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=m/r3i+nIZlZY8AY7vsXbRyHzVbq3RwPSpJH9Cv4g1zk=; b=joSgZvfb9d5aI4sJ7qeUrdmmzqt1vdRY9eBLvKGhPX7SUACl2/eJmCqU0CH+inA1XJ Hw3/lbCWUvFsvor7Ixq8md1MCW5DMywvIt2hLlK31QqhEwhxy3M8tHlCMLVYTE6Sx3Vs gDUjyUZRD8IIApGAtMZ08YB2wZwn/BOn8Mv2nmyfFSJ+CFeUuwqkV6hE0DeN3TEGmLQI /wnuplaxQijdwYJQXgXCFhzTMaMvtvqd4pw5R3TNWBUWZ3O7DRsiNd/GrzIKvfU+5Xpy zxgV6YHsYlMKdO3vQUOe2Hm40b7Pk0Mf3bELeihCPFnd3N6gJL0c+EmIly2+GjFfZx6D arWw==
X-Gm-Message-State: APjAAAX4/hyXJtMvlR91ZrNqh/vBE47IWbzfA0VmHwTN7T46tqZ91rlg yFhVUAVchbuzAmBVJKhTLSY=
X-Google-Smtp-Source: APXvYqxRVOq1uRAo+XDTSeLe+Qv3fxCjs2DGIvVlgqexp4vr/gAYZx8J9hHw3ldkZkzPE75me30BQw==
X-Received: by 2002:a65:640d:: with SMTP id a13mr5046100pgv.256.1565468879786; Sat, 10 Aug 2019 13:27:59 -0700 (PDT)
Received: from localhost ( []) by with ESMTPSA id k5sm2704306pgo.45.2019. (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sat, 10 Aug 2019 13:27:58 -0700 (PDT)
Date: Sat, 10 Aug 2019 13:27:57 -0700
From: "Riad S. Wahby" <>
To: Mathy Vanhoef <>
Cc: Watson Ladd <>, "" <>
Message-ID: <>
References: <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
Archived-At: <>
Subject: Re: [Cfrg] using hash2curve in a protocol
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 10 Aug 2019 20:28:01 -0000

Mathy Vanhoef <> wrote:
> Because similar changes are also being proposed in an update to the
> Wi-Fi standard, one remark is that in the simplified_swu and
> hash_to_ffc routine you can use PBKDF2 or similar instead of HKDF.
> This will make possible brute-force attacks (e.g. due to
> implementation issues or other side-channels) more costly.

This is a great suggestion. To keep things modular, it might be
reasonable to treat the output of PBKDF2 (or bcrypt, scrypt, ...)
as the input to the hash-to-curve or hash-to-field algorithm
rather than merging the two. This ends up requiring some extra HKDF
invocations, but at least when hashing to curves those are cheap
relative to other costs. (This is likely also true when hashing to
a mod-p subgroup, since there's an exponentiation at the end.)

In any case, a small bit of care is warranted: roughly speaking,
the underlying hash function needs to give collision resistance
commensurate with the security level of the target curve or field.
For example, processing a password with PBKDF2-HMAC-SHA256 before
hashing to Ed448 isn't great, but PBKDF2-HMAC-SHA512 would be.