Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Watson Ladd <> Sat, 10 April 2021 18:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 309C23A0D5A for <>; Sat, 10 Apr 2021 11:27:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id F2k4_1RN1w4V for <>; Sat, 10 Apr 2021 11:27:25 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::62b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E3FFA3A0D52 for <>; Sat, 10 Apr 2021 11:27:24 -0700 (PDT)
Received: by with SMTP id n2so13631039ejy.7 for <>; Sat, 10 Apr 2021 11:27:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=G7/d+eZApcXibBNKVTgGTp26J97OD7wCFn5QZC7oAEY=; b=KvfqWBJnVaxpAH5jOhsmsigWdUELh+/hPOsV98BL2nOcxtJdSUXugcQ2izwAke314K TZniZHeH3lKeTem84U3uKDETSbsiPP52Wq1q0kmUMTaMJb/MOIXcnyGKXERvpPjtzPRd rK9r5/kXwDR3fPzmru//y2bfZo6E295Y8jynl9ke9c3aXN2r/0/jP2KZMsjXxI+vymbh 8hlUTAgi/svEeDGoDf0Lqwkfk71QfhkrushFSIk+/C+bvyLMN/E5TylYnXYNv23KgDw9 YkM7zE2UpXO4zI/kas0YBfjcdVClWBuYGVW83IchWpLtoplfF3PmxykPjfMLABqaDybW agXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=G7/d+eZApcXibBNKVTgGTp26J97OD7wCFn5QZC7oAEY=; b=FW75CZron595/DiB6rcYGDhSIC7U+DcUSewOle1ZhCXgZYGeE6f4LoyaRWIMObFTC7 4v/CanXcTESLctVODdBh73G3Hyyq2sTkbhUe1ox+8ktadXlNq54zLTzSbGi0E6gyBT/j 8cLqIoo8H4OIi8cMUwjR9ASOhOkG3SOX1bPRE9Wl/Ok+pTXWAIzVcLAzcsOOK23e70I2 FDeP8r++3DVFyGtTxCPBhLtc9RSZkYxbiGMFFcHVy7JtSSiVF6BOqPPJ9hGTDfdwuczK JskUza+1Y0M15AqebLDMuZPA79t17ld7LMfDl/QibgcHPkjnPqMcHm47tyvBm01O7XnS /Glg==
X-Gm-Message-State: AOAM532E9ZyVauoReEF6hZFIrnYH9kgds19PMdHvobPdFcK+0wn1JICB mi6MZip0URnTDgqNcxvRLyihH550GopueOZh/54=
X-Google-Smtp-Source: ABdhPJy4rJGdemfbwjGpTHIxgeIVmYs/hdYMqWdXw4geW8+xp2zO+DEmRIu1zhpvMjtva/IzjisKxR7ybgAdbbZTkFY=
X-Received: by 2002:a17:906:6bd3:: with SMTP id t19mr2103900ejs.232.1618079241536; Sat, 10 Apr 2021 11:27:21 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <trinity-f323065e-9f30-48fd-9ead-0865e8f877eb-1618002469856@3c-app-webde-bap03> <> <> <> <20210410151254.7ze5pt4lpvblhk3f@muon> <> <>
In-Reply-To: <>
From: Watson Ladd <>
Date: Sat, 10 Apr 2021 11:27:10 -0700
Message-ID: <>
To: Rene Struik <>
Cc: Hugo Krawczyk <>, CFRG <>, "Hao, Feng" <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 10 Apr 2021 18:27:26 -0000

On Sat, Apr 10, 2021 at 10:52 AM Rene Struik <> wrote:
> Hi Hugo:
> It would be of interest what the impact of a "broken" hash function in the hash to curve construction on the security of password based schemes would be. In the case of mappings that always yield a high-order point, the impact may not immediately be obvious, while with mappings that do not preclude low-order points this might show more readily, also to offline observers. This may be an interesting addition to security proof papers that now focus mostly on idealized functionality (such as random oracles).
> As an aside, as I noted in my email of yesterday [1],  mappings that fix a particular image point for a specific input are trivial if the construction itself has "free variables" one could fix after the fact (e.g., pick delta such that delta*H("Hugo123")^2=t0), thereby yielding an immediate attack, irrespective of hash function functionality. See specific comment a) in [1].
> All in all, it seems that guaranteeing that curve mappings would never yield low-order points seems prudent, esp. if it comes at roughly the same computational cost as ones that do not give those assurances.

Good news: all the mappings we do provide that guarantee with the same
probability that we regard as negligible in cryptography.

> Best regards, Rene