Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
Mike Hamburg <mike@shiftleft.org> Sat, 10 April 2021 14:52 UTC
Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89DB63A0C29 for <cfrg@ietfa.amsl.com>; Sat, 10 Apr 2021 07:52:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.305
X-Spam-Level:
X-Spam-Status: No, score=-1.305 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=shiftleft.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lprHmyp_LJET for <cfrg@ietfa.amsl.com>; Sat, 10 Apr 2021 07:52:15 -0700 (PDT)
Received: from doomsayer.shiftleft.org (unknown [54.219.126.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 843A93A0C18 for <cfrg@irtf.org>; Sat, 10 Apr 2021 07:52:15 -0700 (PDT)
Received: from [192.168.7.53] (unknown [198.207.18.242]) (Authenticated sender: mike) by doomsayer.shiftleft.org (Postfix) with ESMTPSA id 75D6ABB869; Sat, 10 Apr 2021 14:52:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shiftleft.org; s=sldo; t=1618066334; bh=ReDC7lQFWaj/60LK3XYNQ4BVdaRIr2vELbJKdLMldRY=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=Y3pL/MOR35+qE4p1r6P5GOBSquHUMdNLKTofK7zwxtrDQdCPNSi01XZ+vwWRSqRbt 0+yEd7AxFtYjc9ZBq0IGciCaAHl3o7dobFHn87bYhTcqmP6gDVV92ZyFOWz255IZMS hFF0nHBRo7Yx7+jbmsLeBycmEI3Zbx/HfVPa3Akk=
From: Mike Hamburg <mike@shiftleft.org>
Message-Id: <A1BFD5D1-00E2-4ACB-B55A-D18033229FF6@shiftleft.org>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B84AAEBB-2E95-46DB-B627-CFDB0CCBD5AD"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Date: Sat, 10 Apr 2021 11:52:11 -0300
In-Reply-To: <VI1SPR01MB03574E592790FD59C1ACEB84D6729@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com>
Cc: CFRG <cfrg@irtf.org>
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
References: <e270e62d-941d-0a87-7dc9-cf80f73b5aeb@jacaranda.org> <d0778523-5f5d-4327-b795-279918c1899c@www.fastmail.com> <CAMr0u6=PBX1W5zQFmpxKQ=ViUXN9QK00BREL4M0=2HOkaXaiZw@mail.gmail.com> <VI1SPR01MB03573585C37B871D200ECC23D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <trinity-f323065e-9f30-48fd-9ead-0865e8f877eb-1618002469856@3c-app-webde-bap03> <VI1SPR01MB035772443E4DA3206E4CD4D3D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <7944D4F1-81F8-44FC-95D1-45D47733B385@shiftleft.org> <VI1SPR01MB03574E592790FD59C1ACEB84D6729@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/AIUu9nQGw7Y-noKKvn2FWeK96Rg>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Apr 2021 14:52:21 -0000
> On Apr 10, 2021, at 6:32 AM, Hao, Feng <Feng.Hao@warwick.ac.uk> wrote: > > Hi Mike, > > Have you considered what happens in CPace if Alice’s SampleScalar() function returns 7? I’m following the notation of https://eprint.iacr.org/2021/114.pdf <https://eprint.iacr.org/2021/114.pdf>. In this case, the password will be vulnerable to a dictionary attack: the key K will be 7*Y_b, which an attacker can quickly detect by checking whether > > Rsw also gave a similar example of having all zeros for the hash. Let me clarify that we are not – and shouldn’t be - concerned with any of such cases since the values are uniformly distributed within their respective range. Hi Feng, hash_to_curve is (epsilon-close to) uniformly distributed within its range, which is the prime-order group of points on the curve, which is also the range specified by these schemes in the literature. > As I explained, as soon as map-to-curve returns a small subgroup point, it will instantly cause the password in CPace/OPAQUE (PAK as well) to be compromised by offline dictionary attacks. There is nothing you can do at the protocol level to save it. No, not PAK. PAK uses the hash output as an additive blinding factor, so it ideally wants the value to be uniform in the group, non uniform among non-identity elements. Of course, removing the identity won’t harm it, since again, that’s a negligible change. > I think a major misconception here is that many people may think the use of clearing-the-co-factor step has resolved the small sub-group issue. But that is not true. The clear-the-co-factor step merely changes small subgroup points to infinity points. For the simplicity of discussion, we can remove this step without affecting our analysis at all. > > On a theoretical note, be reminded that DDH only holds for non-identity elements in a designated prime-order group on an elliptic curve. When you have small subgroup elements mixed, DDH doesn’t hold. It’s a tiny difference in the group definition, but it can have a significant theoretical effect. No, it’s pretty much the exact opposite of that. DDH is usually written as distinguishing (G, aG, bG, abG) from (G, aG, bG, cG) where g is a generator and (a,b,c) are uniformly random mod the group order. See eg http://theory.stanford.edu/~dabo/papers/DDH.pdf <http://theory.stanford.edu/~dabo/papers/DDH.pdf> (which uses exponential notation but is otherwise the same), though variants (such as c != ab) are sometimes used instead. Here aG, bG and cG can be the identity. In this formulation, G cannot be the identity: it’s defined as a generator. But if it were the identity then the two distributions would be identical — they would each be 4 copies of the identity — so DDH would still hold. DDH does not hold in a group with a small cofactor h. The problem is not that you might choose a small-order element by chance, but that the attacker can project to the subgroup by multiplying everything by p. Clearing the cofactor resolves this issue. So removing that step does affect the analysis, at least if you’re assuming DDH. > Furthermore, while your proposal is arguably a tiny improvement for SPEKE / CPace, and perhaps even for OPAQUE, it’s also a negligible step backwards for PAK and its variants (if I recall correctly), since their proof uses the uniformity of the hash-to-curve map. The same likely holds for other systems. And it complicates the definition and implementation of hash_to_curve. > > About “uniformity”, I think we can try to be more precise: uniformity in what group? With the current map-to-curve functions, the uniformity of the output covers the whole curve, including small subgroup elements. It’s exactly the mixing up with such elements that complicates things. In many cases things are cleaner if indeed you achieve uniformity in a group, which is why hash_to_curve does this. You are suggesting uniformity in G \ {0}, which is not a group. > So I would prefer that we stick here with something that’s been studied and which is already built. > > Suppose we keep the draft as it is and only add a note in the security consideration to explain this. What can we possibly say? A negligible probability of the adversary getting your key is not a security consideration, as explained above. The only security consideration is “don’t screw up the error handling”, or maybe a note to say why we aren’t worried about the identity. > One might add a warning to say map-to-curve returns uniformly distributed points on the curve, including small subgroup points. The mapping to small subgroup points is theoretically possible, but statistically unlikely. We don’t know how to remove these points in constant time. If you’re using my library, libdecaf, then you can use decaf_point_eq and decaf_point_cond_sel to remove the identity in constant time. Similar functions are likely available in other libraries. > Moving forward, I think the best solution is to preclude the small subgroup elements from the map-to-curve function by design. If this can’t be done, or people don’t want to spend efforts to change the current draft, one solution might be to say only the functions defined for certain elliptic curves where co-factor = 1 should be used for PAKE. However, that will significantly limit the usefulness of this draft for the PAKE use case. No, hash_to_curve on curves with cofactor = 1 can also return the identity point, because it adds two map_to_curve results together. That case is arguably harder, because there are very simple complete addition laws for Edwards curves with cofactor 4, but the complete addition laws for Short Weierstrass curves with cofactor 1 are more complex. Regards, — Mike
- [CFRG] Comment on draft-irtf-cfrg-hash-to-curve-10 Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Christopher Wood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Stanislav V. Smyshlyaev
- [CFRG] Small subgroup question for draft-irtf-cfr… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Russ Housley
- Re: [CFRG] Small subgroup question for draft-irtf… Richard Outerbridge
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Armando Faz
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- Re: [CFRG] Small subgroup question for draft-irtf… Björn Haase
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- [CFRG] please use real names (was: Re: Small subg… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Hugo Krawczyk
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Watson Ladd
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Watson Ladd
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Riad S. Wahby
- Re: [CFRG] please use real names (was: Re: Small … Filippo Valsorda
- Re: [CFRG] please use real names (was: Re: Small … Scott Arciszewski
- Re: [CFRG] please use real names (was: Re: Small … Daniel Franke
- Re: [CFRG] please use real names (was: Re: Small … Watson Ladd
- Re: [CFRG] please use real names (was: Re: Small … Michael StJohns
- Re: [CFRG] please use real names (was: Re: Small … Henry de Valence
- Re: [CFRG] please use real names (was: Re: Small … Dan Harkins
- Re: [CFRG] Small subgroup question for draft-irtf… Hugo Krawczyk
- Re: [CFRG] please use real names (was: Re: Small … Peter Gutmann
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Squeamish Ossifrage
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Small subgroup question for draft-irtf… Stanislav V. Smyshlyaev
- Re: [CFRG] Small subgroup question for draft-irtf… Björn Haase
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Daniel Franke
- Re: [CFRG] please use real names (was: Re: Small … Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Colin Perkins
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] please use real names (was: Re: Small … Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Michael StJohns
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Michael Sierchio
- [CFRG] Closure (was Re: Small subgroup question f… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Phillip Hallam-Baker
- Re: [CFRG] please use real names (was: Re: Small … Peter Gutmann
- Re: [CFRG] please use real names (was: Re: Small … David Jacobson
- Re: [CFRG] please use real names (was: Re: Small … Julia Hesse
- Re: [CFRG] Closure (was Re: Small subgroup questi… Armando Faz
- Re: [CFRG] Closure (was Re: Small subgroup questi… Hao, Feng
- Re: [CFRG] Closure (was Re: Small subgroup questi… Mike Hamburg
- Re: [CFRG] thoughts on clearing the cofactor in h… Loup Vaillant-David
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Stanislav V. Smyshlyaev
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Riad S. Wahby
- [CFRG] (suggested language re mixing square roots… Rene Struik
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Loup Vaillant-David
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] (suggested language re mixing square r… Daira Hopwood
- Re: [CFRG] (suggested language re mixing square r… Rene Struik
- Re: [CFRG] please use real names (was: Re: Small … isis agora lovecruft