Re: [Cfrg] patent situation regarding hash2curve as used in some PAKE nominations

"Riad S. Wahby" <rsw@jfet.org> Thu, 17 October 2019 13:26 UTC

Date: Thu, 17 Oct 2019 06:26:34 -0700
From: "Riad S. Wahby" <rsw@jfet.org>
To: Björn Haase <bjoern.haase@endress.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <20191017132634.u65kczpcdcvet4uv@positron.jfet.org>
References: <5e1610c6-2038-31ce-6bb8-a6e18f40434d@web.de> <ac0ed5bf-cc4b-14e6-59c6-f24c7cb43f1a@web.de> <20191016202223.lbuavuery4yj6qib@positron.jfet.org> <trinity-77782fb3-2939-452c-85d8-95592c7829b8-1571301291317@3c-app-webde-bs25> <VI1PR0501MB22556D3FA849989AAFFFD1FA836D0@VI1PR0501MB2255.eurprd05.prod.outlook.com> <VI1PR0501MB22555DA1CD400E64259EA39D836D0@VI1PR0501MB2255.eurprd05.prod.outlook.com> <VI1PR0501MB2255C90CDB1AA88516A1CFDC836D0@VI1PR0501MB2255.eurprd05.prod.outlook.com>
In-Reply-To: <VI1PR0501MB2255C90CDB1AA88516A1CFDC836D0@VI1PR0501MB2255.eurprd05.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/DxtOz19B8hLoAT_HajOi7FXaaGA>
Subject: Re: [Cfrg] patent situation regarding hash2curve as used in some PAKE nominations

Hi Bjorn,

Thank you for the detailed analysis. One small comment:

Björn Haase <bjoern.haase@endress.com> wrote:
> Also for p != 3 mod 4 (e.g. P-384) when using generic simplified
> SWU we have differences between the patent and draft 04, but it's
> still somewhat similar. We probably might be better off avoiding
> simplified SWU for P-384.

I might be missing something, but I believe P-384 is over GF(p) for
    p = 2**384-2**128-2**96+2**32-1
which is congruent to 3 mod 4, so the same method should work.

For curves where p = 5 mod 8, a similar process works:

- Compute x1 = X1(t), x2 = X2(t), and g(x1) in the usual way
- Compute tmp = g(x1) ** ((p + 3) / 8) and tmp2 = tmp * sqrt(-1)
- If tmp ** 2 == g(x1), return (x1, tmp)
- If tmp2 ** 2 == g(x1), return (x1, tmp2)
- Let tmp = tmp * t ** 3 and tmp2 = tmp * sqrt(-1)
- If tmp ** 2 == g(x2), return (x2, tmp)
- Else return (x2, tmp2)

One can keep generalizing for p = 9 mod 16, 17 mod 32, etc. Eventually
it gets unwieldy, but most of the time one chooses a prime where p - 1
is divisible by only a small power of 2 to avoid this (and there exist
methods that handle ugly cases: http://cr.yp.to/papers.html#sqroot).

Regards,

-=rsw
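The p = 5 mod 8 procedure from the message above, worked through in code as an added example (my code, not part of this thread and not the hash-to-curve draft's reference code). It uses the simplified SWU x-coordinate formulas with the draft's exceptional case x1 = b / (Z a) for t = 0, and it assumes Z = sqrt(-1): that choice is mine and is not stated in the message. It is what makes the t**3 step work, because sqrt(-1) is a non-square when p = 5 mod 8 and Z**3 = -sqrt(-1), so g(x2) = Z^3 t^6 g(x1) is hit by t^3 * tmp or by its sqrt(-1) multiple. Toy primes 13, 29, 37 and 53 (all 5 mod 8) let every t be checked exhaustively; the short Weierstrass form of Curve25519 (p = 2^255 - 19, also 5 mod 8) runs the same code at real size. The branches here are data-dependent for readability; a real implementation would replace them with constant-time selects and add the draft's sgn0(y) normalisation.

```python
# Added example (not code from the thread or from the hash-to-curve draft):
# simplified SWU over GF(p), p = 5 mod 8, with the square-root selection
# described in the message. Assumption (mine): Z = sqrt(-1), a non-square
# when p = 5 mod 8, so Z**3 = -sqrt(-1) and g(x2) = Z^3 t^6 g(x1) is the
# square of t^3 * tmp or of sqrt(-1) * t^3 * tmp.


def legendre(v, p):
    """Euler's criterion: 1 for a nonzero square, p-1 for a non-square, 0 for 0."""
    return pow(v, (p - 1) // 2, p)


def sqrt_minus_one(p):
    """p = 5 mod 8 makes 2 a non-residue, so 2**((p-1)/4) squares to -1."""
    assert p % 8 == 5
    i = pow(2, (p - 1) // 4, p)
    assert i * i % p == p - 1
    return i


def swu_5mod8(p, a, b, Z, t):
    """Map t in GF(p) to (x, y) on y^2 = x^3 + a*x + b, p = 5 mod 8, a*b != 0."""
    assert p % 8 == 5 and a % p and b % p
    inv = lambda v: pow(v, p - 2, p)  # Fermat inverse; inv(0) == 0 like the draft's inv0()
    g = lambda x: (x * x * x + a * x + b) % p
    i = sqrt_minus_one(p)

    # x1, x2 as in simplified SWU. Z t^2 = -1 cannot happen here (Z is a
    # non-square and -1 is a square), so the denominator vanishes only for
    # t = 0, which the draft handles with x1 = b / (Z a).
    u = Z * t * t % p
    den = (u * u + u) % p
    if den == 0:
        x1 = b * inv(Z * a % p) % p
    else:
        x1 = (-b * inv(a)) % p * (1 + inv(den)) % p
    x2 = u * x1 % p
    gx1 = g(x1)

    # tmp^2 = g(x1) * g(x1)^((p-1)/4), which is +-g(x1) when g(x1) is a
    # square and +-sqrt(-1)*g(x1) when it is not.
    tmp = pow(gx1, (p + 3) // 8, p)
    tmp2 = tmp * i % p
    if tmp * tmp % p == gx1:
        return x1, tmp
    if tmp2 * tmp2 % p == gx1:
        return x1, tmp2
    # g(x1) is a non-square, so g(x2) = Z^3 t^6 g(x1) = -sqrt(-1) t^6 g(x1)
    # is a square, and one of t^3*tmp, sqrt(-1)*t^3*tmp is its root.
    tmp = tmp * pow(t, 3, p) % p
    tmp2 = tmp * i % p
    if tmp * tmp % p == g(x2):
        return x2, tmp
    return x2, tmp2


def on_curve(p, a, b, pt):
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % p == 0


def find_params(p):
    """Z = sqrt(-1) and the smallest (a, b) with g(b / (Z a)) square or zero,
    the draft's condition that keeps the exceptional input t = 0 on the curve."""
    Z = sqrt_minus_one(p)
    for a in range(1, p):
        for b in range(1, p):
            x0 = b * pow(Z * a % p, p - 2, p) % p
            if legendre((x0 ** 3 + a * x0 + b) % p, p) != p - 1:
                return a, b, Z
    raise ValueError("no usable (a, b) for this prime")


def exhaustive_check(p):
    """Map every t in GF(p); return how many outputs lie on the curve (expect p)."""
    a, b, Z = find_params(p)
    return sum(on_curve(p, a, b, swu_5mod8(p, a, b, Z, t)) for t in range(p))


def curve25519_weierstrass():
    """Short Weierstrass constants of Curve25519 (y^2 = x^3 + 486662 x^2 + x)
    via x -> X - A/3, so the same code can run at real size; p = 5 mod 8."""
    p = 2 ** 255 - 19
    A = 486662
    a = (3 - A * A) * pow(3, p - 2, p) % p
    b = (2 * A ** 3 - 9 * A) * pow(27, p - 2, p) % p
    return p, a, b


if __name__ == "__main__":
    for q in (13, 29, 37, 53):
        print(q, exhaustive_check(q) == q)
    p, a, b = curve25519_weierstrass()
    Z = sqrt_minus_one(p)
    print(all(on_curve(p, a, b, swu_5mod8(p, a, b, Z, t)) for t in (1, 2, 3, 12345)))
```

For the toy primes find_params picks (a, b) so that the t = 0 exceptional case satisfies the draft's g(b / (Z a))-is-square condition; for the Curve25519 constants only t != 0 is exercised, since that condition was not checked for Z = sqrt(-1) on that curve and t = 0 is the one input whose correctness depends on it.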