Re: [Cfrg] Recommended bit length before truncating a hash mod p
Michele Orrù <lists@tumbolandia.net> Tue, 02 April 2019 08:07 UTC
Return-Path: <lists@tumbolandia.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3A061200EB for <cfrg@ietfa.amsl.com>; Tue, 2 Apr 2019 01:07:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sV_lZ2nzFbbi for <cfrg@ietfa.amsl.com>; Tue, 2 Apr 2019 01:07:15 -0700 (PDT)
Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E88E512006B for <cfrg@irtf.org>; Tue, 2 Apr 2019 01:07:14 -0700 (PDT)
X-Originating-IP: 109.190.253.13
Received: from [10.9.0.47] (unknown [109.190.253.13]) (Authenticated sender: lists@tumbolandia.net) by relay1-d.mail.gandi.net (Postfix) with ESMTPSA id 36C8A240008; Tue, 2 Apr 2019 08:07:11 +0000 (UTC)
To: cfrg@irtf.org
Cc: Anita DURR <anita.durr@psl.eu>
From: Michele Orrù <lists@tumbolandia.net>
Message-ID: <1853a156-df76-7999-df2b-1ea120a85b40@tumbolandia.net>
Date: Tue, 02 Apr 2019 10:07:13 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/EmJipeoNmXte64Vqz1YT_ECp6T4>
Subject: Re: [Cfrg] Recommended bit length before truncating a hash mod p
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2019 08:07:18 -0000
Hi people, I'm sorry if this reply comes out as a different thread - just subscribed. Together with Anita (in Cc.) we independently thought that the draft could be a bit more precise about how many bits to take before reducing mod p. More specifically, the sentence: ``` To address this, our hash2base algorithm greedily takes as many bits as possible before reducing mod p, in order to smooth out this bias. This is preferable to an iterated procedure, such as rejection sampling, since this can be hard to reliably implement in constant time. ``` is imprecise: a developer should know exactly how many bits to add (for the current security level) in order to have a distribution indistinguishable from uniformly random mod p. Taking into account what has been said so far, we would like to change the above sentence to: ``` In order to smooth out this bias, our hash2base algorithm takes 64 + floor(log2(p)) + 1 bits in order to smooth out this bias. This is preferable to an iterated procedure, such as rejection sampling, since this can be hard to reliably implement in constant time. ``` This should at least give an intuition that adding 64 bits makes the difference of the two distributions statistically negligible. What do you think? Is this relevant? In case one wants to have a deeper look, I sketched a git patch here: https://github.com/mmaker/draft-irtf-cfrg-hash-to-curve/commit/af0fd8f27f016a8cad1e61819a075eeacd2ebeae Cheers, -- μ.
- [Cfrg] Recommended bit length before truncating a… Christopher Wood
- Re: [Cfrg] Recommended bit length before truncati… Mehmet Adalier
- Re: [Cfrg] Recommended bit length before truncati… David Núñez
- Re: [Cfrg] Recommended bit length before truncati… Markku-Juhani Olavi Saarinen
- Re: [Cfrg] Recommended bit length before truncati… David Núñez
- Re: [Cfrg] Recommended bit length before truncati… Gilles Van Assche
- Re: [Cfrg] Recommended bit length before truncati… Sam Scott
- Re: [Cfrg] Recommended bit length before truncati… Markku-Juhani Olavi Saarinen
- Re: [Cfrg] Recommended bit length before truncati… Dan Brown
- Re: [Cfrg] Recommended bit length before truncati… Michele Orrù
- Re: [Cfrg] Recommended bit length before truncati… Ilari Liusvaara
- Re: [Cfrg] Recommended bit length before truncati… Michele Orrù
- Re: [Cfrg] Recommended bit length before truncati… Michele Orrù
- Re: [Cfrg] Recommended bit length before truncati… Michele Orrù