Re: [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-curve-00.txt
Christopher Wood <christopherwood07@gmail.com> Mon, 02 April 2018 19:58 UTC
Return-Path: <christopherwood07@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 531B312D879 for <cfrg@ietfa.amsl.com>; Mon, 2 Apr 2018 12:58:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.748
X-Spam-Level:
X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qnrKBsIp95iz for <cfrg@ietfa.amsl.com>; Mon, 2 Apr 2018 12:58:41 -0700 (PDT)
Received: from mail-pl0-x229.google.com (mail-pl0-x229.google.com [IPv6:2607:f8b0:400e:c01::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAEF812706D for <cfrg@irtf.org>; Mon, 2 Apr 2018 12:58:41 -0700 (PDT)
Received: by mail-pl0-x229.google.com with SMTP id v5-v6so3555412plo.4 for <cfrg@irtf.org>; Mon, 02 Apr 2018 12:58:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=WR4Aeyq8BRWX1s6zGuVZDbJifU9fIs1pxkQOpWAIUHA=; b=TQvP4WUtcCPkbvmlbEaRQY65CUCyYiu/JBMwLGYzIaE7DIPNFX0WF0nihrEWpdUlLU iKAJJIny460eghNhqeGmix8l8rlZz62UFySZxhEm8uOJZXb9A7an20TXSyWnQW34F4qT A0OCI85OH6oCw2zx1yR7zURFHH7R2OGX8rtOLYtm+I3YZP3aVsWAPfZ04THJjFIkHY8h k+AZ2o3pd9VD4z9yFofPCktAPGYRqp8r7YNYRZLDTdKP7mPo5UlHblkgzZAmB/w0wEtv AZDjD+0JycCridZgz5uNgVjOmoa2QIKF1Iaj+X53ab08ijdJizQ1vm7g/NDymtNrl1jC 47jA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=WR4Aeyq8BRWX1s6zGuVZDbJifU9fIs1pxkQOpWAIUHA=; b=LN61Do+zkIc1F1t+a3+nreqdkzMylQVbJ5aF30qp7c9UORqCFuhACgXxynwKBZVNmb 8TTH6Tv8xGmXDmZserPPZTJ4cr5UfNAvw6w9NV58b4zyGRKJ2Oe8KX99u5Dh0UnB9tJO AGEC7QK3uG00x4x1LjbJZYqQmQMYX4bO423J7jzi84lMrdyH4e4/1loUPBvIOBEj9sGW 0crV5Itp4A4YYrR2e9cAsaPbw68Kekmwkx+IeN2aq1yt5g3AHfmKFYPCEe0CIwu8aqyV 2JZRnuiPvGyK4JrSO12MsnuoRD7KS9jdaLeh4HybkuPywFTd0hskiqbrs2Rj4Uk7gnSc wyNw==
X-Gm-Message-State: AElRT7FFlyOvt75Ma0AykBuiPiING//qoQCDAZU6FrrvA7Tq947UkEiU XfGIH49oGEfoEr0b1crGUfvojXCU
X-Google-Smtp-Source: AIpwx4+UXFj/2izIEWSYsGbeGyMr46MI0Lh6QnT5aXgwEsXfA1ZhNeummZ0praiL+2tJkVzfJ9xYJA==
X-Received: by 2002:a17:902:8bc1:: with SMTP id r1-v6mr11115470plo.310.1522699120988; Mon, 02 Apr 2018 12:58:40 -0700 (PDT)
Received: from [172.16.99.199] ([144.178.28.7]) by smtp.gmail.com with ESMTPSA id v62sm1917498pfv.141.2018.04.02.12.58.40 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 02 Apr 2018 12:58:40 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-AD530C3D-6728-4E2B-BF58-79EE7C60F4E6"
Mime-Version: 1.0 (1.0)
From: Christopher Wood <christopherwood07@gmail.com>
X-Mailer: iPad Mail (15D100)
In-Reply-To: <75666677-260d-fff5-33de-1aebbed7df5a@gmail.com>
Date: Mon, 02 Apr 2018 12:58:39 -0700
Cc: cfrg@irtf.org
Content-Transfer-Encoding: 7bit
Message-Id: <F60AF640-2CA5-4669-8B9C-0FF7F9B68DA7@gmail.com>
References: <152179999076.17610.14543047719044617731@ietfa.amsl.com> <810C31990B57ED40B2062BA10D43FBF501C4724B@XMB116CNC.rim.net> <CAO8oSXkNg7GJsZDv0Rw6WhmET=cYKD_TFy7p-Nja0cyYA4t4dw@mail.gmail.com> <75666677-260d-fff5-33de-1aebbed7df5a@gmail.com>
To: Sam Scott <sam.scott89@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6V9_Fcg8KO7dikhBILL9FkF_wgc>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-curve-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Apr 2018 19:58:44 -0000
Hi Sam, Many thanks for your feedback! Please see inline below for comments. > On Mar 29, 2018, at 12:07 PM, Sam Scott <sam.scott89@gmail.com> wrote: > > First of all, this thread shows exactly why a good standard would be useful, the current terminology is a bit confusing. So thank you for the effort in putting this together, and I hope the following can be useful. > > In my opinion, the distinction should be made as follows: > > Point -> bitstring is serialisation. Includes concepts such as compression of points, cofactor eliminating (e.g. Decaf) and indifferentiability (e.g. Elligator). Interestingly the latter of these doesn't necessarily apply to all curve points. Serialisation is generally only used for transport, or producing a canonical version of a point for further processing (input to hash function or kdf) and should be fast. > > Bitstring -> points is encoding. Main use case is for turning plaintext messages into curve points. Potentially needs to be constant time if input is private, e.g. a message, password or key. Decoding needed when input is a message, in encryption for example. > Thanks for the suggestion. I am not opposed to this terminology. It seems to better capture the intent of each algorithm. > Of course, in some cases deserialisation is equivalent to encoding, or decoding to serialisation. > > It would be interesting to outline what the current encoding examples give you over, for example, scalar multiplication (x -> xG for some generator G). Or when using Montgomery x-only scalar multiplication, you can basically skip encoding all together (if your application permits using the twisted curve as well). > Indeed. Prior to its initial publication, we discussed this topic, though we never got around to including it. I will try include it in the next revision. > So where does hashing come into it? Well it depends on the purpose. Arguably for "hashing onto the curve" people usually require a random oracle onto the curve. Which is then instantiated via a hash function modelled as a ROM, plus an encoding. But for this to actually be a RO, the encoding function better be full domain (otherwise need additional proof to show this is okay). Brier et al's paper [1] makes a succinct point on this in 5.2, and is overall a great read on the topic. > Good point. The scenarios and use cases in which RO properties from the “hashing” operation are not well articulated. Also, as currently written, it seems we (implicitly) assume each variant is a hash function. This is clearly an error. For example, Elligator2 is both invertible and not a FDH. (Though, following your suggestion below, we can make it one.) > Given this, I would argue that this document in its current format is misleading, verging on dangerous... One might infer that any encoding function is okay, and end up using x -> h(x)G. Which will probably break most applications. > Some areas which I think need to be covered: > > - A description of different forms of encoding, and properties associated with them. Including the additional encoding methods I mentioned above. If this is deemed too much or out of scope, I think it should at least refer to these as unsuitable encoding methods for constructing a RO. > I believe this is in scope. I filed: https://github.com/chris-wood/draft-sullivan-cfrg-hash-to-curve/issues/17 > - What properties can be achieved by hashing to the curve. As far as I'm aware most applications need a random oracle? I would be interested to know about requirements for other applications. > Likewise! If there are applications that do not need a RO, I would be inclined to include them with accompanying discussion text. > - If you want to construct a RO into the curve, then an explanation that this either requires: (a) using a full domain hash as in [1], or (b) a proof showing that a random oracle over the subset of points is okay, in which case you have Icart's method, SWU or Elligator. > For example, (a) can be constructed using Elligator (as f) in the form of f(h(x)) + h(x)*G, which is reasonably performant, and close to just using Elligator when using precomputation for the h(x)*G part. > This is cute. I’m not sure if spelling out such techniques are in scope or not. We could, for example, simply state that a FDH is required. I’d be curious to hear what others think. > As it turns out, we used pretty much all of the above for our updatable encryption scheme [2]. We needed message encoding/decoding for the plaintext, a RO from a counter, and de/serialisation for storage/transport. I think I got pretty much every single part wrong in every possible combination before arriving at the above. > I was not aware of this paper — thanks for sharing! > This ended up being a much longer email than I intended! Hope it helps. > It was very helpful. Thanks again for taking the time to share your thoughts. I will do my best to integrate them into the draft. Best, Chris
- [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-curve-… internet-drafts
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-cu… Dan Brown
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-cu… Christopher Wood
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-cu… Sam Scott
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-cu… Christopher Wood