[CFRG] please use real names (was: Re: Small subgroup question for draft-irtf-cfrg-hash-to-curve)

Rene Struik <rstruik.ext@gmail.com> Sat, 10 April 2021 15:34 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45A253A1141 for <cfrg@ietfa.amsl.com>; Sat, 10 Apr 2021 08:34:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DwLHrYYVl4fw for <cfrg@ietfa.amsl.com>; Sat, 10 Apr 2021 08:34:32 -0700 (PDT)
Received: from mail-qv1-xf30.google.com (mail-qv1-xf30.google.com [IPv6:2607:f8b0:4864:20::f30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A37E53A1140 for <cfrg@irtf.org>; Sat, 10 Apr 2021 08:34:32 -0700 (PDT)
Received: by mail-qv1-xf30.google.com with SMTP id o11so4185442qvh.11 for <cfrg@irtf.org>; Sat, 10 Apr 2021 08:34:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding:content-language; bh=1ODpvvJp2X4Lx3h2KTrBe/JBV4PMpVyWPby7oYStKC0=; b=ZiXBmmKmmZtxcs+ozmiPxn1N4hXxEYrzO767usvB2I7+SMs6HNnIxxH3ACA6HG5Q+n DE5M2/k5+s+AKrzs/EsqLn8jv8vdkofZJV17KBPe3MWR7qVR7mNmxdaNwdJqAWZHW8LQ LANAS7dxnKr1hPn8X4GAp3EWSNSmIHcqtBuJZXFXY7f7p2osHoNur/FIpiutGmWNUz3v YJy0ls/zdVw01Jz1L6gvwBYQa3XvsqXwQNqacsKG3ZkQGCac2oJ9t/xrhbYiYSWmnhGE XqzGI7FpV+7AesFbeyyLJkrdBb0KzViqyEPWU6AhGxkF7baQR+2SWaEYvJAfmOXF6Qht eW8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=1ODpvvJp2X4Lx3h2KTrBe/JBV4PMpVyWPby7oYStKC0=; b=hTmpvEVTwZk/g6pQAbBYVEHDOnrGUG9ymHyVEGj51y/DvUH/tBWKBy+NYnZw+h7QYu wMLb9Wro4Lw3m+ZgCTow2FXrx918vj3fUxEr+69uAi4YVuhPu0Y3C9QkrRXMRihKeB2O C5rbVtUiiOuEDLHa8ainT1vq/05+37fptUZmYASHkVioCARsOOKkWZAQKi8fVhpyreoO pIu19TGj4y/FQ/xAB1g7Zs+0vc3F2PExVtT4Fa1gcuVgbaHeQGXRwK9tBU/jrOBfvHry ZXdLfe+ffj2xVvoj2loYupo0ZG+BbJyX13u2Z0g13Ig+XWNcLBkGm/z3jEA3Igo5x9/U ZOAQ==
X-Gm-Message-State: AOAM530NWochrHsW6bGbCEZb1rf8AtZXKM8XWOuSUYtAd7yYBYJ1d1Bz TFf9wD/5RirHozkBtdYXPd6QgSZx+qylOw==
X-Google-Smtp-Source: ABdhPJxsJm+GCHKGycOwRZovKgRrkuYekiZFU5ay9d2G5RIvNTYaqH7KdyunZk9rSWNX0Wa2ZDPALw==
X-Received: by 2002:a05:6214:d47:: with SMTP id 7mr19752074qvr.48.1618068870822; Sat, 10 Apr 2021 08:34:30 -0700 (PDT)
Received: from ?IPv6:2607:fea8:8a0:1397:d5ce:5162:99f4:1aa? ([2607:fea8:8a0:1397:d5ce:5162:99f4:1aa]) by smtp.gmail.com with ESMTPSA id f25sm3330652qtm.49.2021.04.10.08.34.29 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 10 Apr 2021 08:34:30 -0700 (PDT)
To: rsw@cs.stanford.edu, "Hao, Feng" <Feng.Hao=40warwick.ac.uk@dmarc.ietf.org>, CFRG <cfrg@irtf.org>
References: <e270e62d-941d-0a87-7dc9-cf80f73b5aeb@jacaranda.org> <d0778523-5f5d-4327-b795-279918c1899c@www.fastmail.com> <CAMr0u6=PBX1W5zQFmpxKQ=ViUXN9QK00BREL4M0=2HOkaXaiZw@mail.gmail.com> <VI1SPR01MB03573585C37B871D200ECC23D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <trinity-f323065e-9f30-48fd-9ead-0865e8f877eb-1618002469856@3c-app-webde-bap03> <VI1SPR01MB035772443E4DA3206E4CD4D3D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <7944D4F1-81F8-44FC-95D1-45D47733B385@shiftleft.org> <VI1SPR01MB03574E592790FD59C1ACEB84D6729@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <20210410151254.7ze5pt4lpvblhk3f@muon>
From: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <fc33aa70-1723-7bc1-5a3e-6c58036ec766@gmail.com>
Date: Sat, 10 Apr 2021 11:34:27 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.9.1
MIME-Version: 1.0
In-Reply-To: <20210410151254.7ze5pt4lpvblhk3f@muon>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3_51DB-4D8Uc1M7ZQw74aDLUY5U>
Subject: [CFRG] please use real names (was: Re: Small subgroup question for draft-irtf-cfrg-hash-to-curve)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Apr 2021 15:34:38 -0000

Hi "rsw":

As a general courtesy, may I suggest that all communications use 
people's real names and not some obscure acronym.

The CFRG is supposed to be a research forum, where people do not hide 
their identity. In fact, in my opinion, IETF should have no place for 
communications by "anonymous".

Rene

On 2021-04-10 11:12 a.m., rsw@cs.stanford.edu wrote:
> Hello Feng,
>
> "Hao, Feng" <Feng.Hao=40warwick.ac.uk@dmarc.ietf.org> wrote:
>> Rsw also gave a similar example of having all zeros for the hash.
>> Let me clarify that we are not – and shouldn’t be - concerned with
>> any of such cases since the values are uniformly distributed within
>> their respective range.
> Right. And the argument is precisely the same for hash-to-curve!
>
> Let me be perfectly clear: the property that hash_to_curve gives
> is that the output is a uniformly* distributed point in the (big)
> prime-order subgroup of the target elliptic curve.
>
> At the risk of seeming didactic (in which case, apologies): the
> identity element is indeed an element of the target group G.
>
> Put another way: fix a generator g of group G of prime order q. Then,
> hash_to_curve returns g^r in G, for r sampled uniformly* at random
> in 0 <= r < q. Under the assumption that discrete log is hard in G,
> hash_to_curve does not reveal r. Under the preimage and collision
> resistance of the underlying hash function, one cannot choose any
> particular r or find two inputs that hash to the same r.
>
> I hope this helps clarify the security properties, and why focus
> on low-order points at intermediate steps of the computation is not
> relevant to the security of hash_to_curve as specified.
>
> * uniformly except for some statistical distance less than 2^-100.
>
> Regards,
>
> -=rsw
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867