IETF Logo Mail Archive

Re: [Cfrg] Recommended bit length before truncating a hash mod p

Michele Orrù <lists@tumbolandia.net> Tue, 02 April 2019 08:07 UTC

Return-Path: <lists@tumbolandia.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3A061200EB for <cfrg@ietfa.amsl.com>; Tue, 2 Apr 2019 01:07:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sV_lZ2nzFbbi for <cfrg@ietfa.amsl.com>; Tue, 2 Apr 2019 01:07:15 -0700 (PDT)
Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E88E512006B for <cfrg@irtf.org>; Tue, 2 Apr 2019 01:07:14 -0700 (PDT)
X-Originating-IP: 109.190.253.13
Received: from [10.9.0.47] (unknown [109.190.253.13]) (Authenticated sender: lists@tumbolandia.net) by relay1-d.mail.gandi.net (Postfix) with ESMTPSA id 36C8A240008; Tue, 2 Apr 2019 08:07:11 +0000 (UTC)
To: cfrg@irtf.org
Cc: Anita DURR <anita.durr@psl.eu>
From: Michele Orrù <lists@tumbolandia.net>
Message-ID: <1853a156-df76-7999-df2b-1ea120a85b40@tumbolandia.net>
Date: Tue, 02 Apr 2019 10:07:13 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/EmJipeoNmXte64Vqz1YT_ECp6T4>
Subject: Re: [Cfrg] Recommended bit length before truncating a hash mod p
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2019 08:07:18 -0000

Hi people,


I'm sorry if this reply comes out as a different thread - just subscribed.

Together with Anita (in Cc.) we independently thought that the draft 
could be a bit more precise about how many bits to take before reducing 
mod p. More specifically, the sentence:

```
To address this, our hash2base algorithm greedily takes as many bits as
possible before reducing mod p, in order to smooth out this bias. This is
preferable to an iterated procedure, such as rejection sampling, since 
this can be hard to reliably implement in constant time.
```

is imprecise: a developer should know exactly how many bits to add (for 
the current security level) in order to have a distribution 
indistinguishable from uniformly random mod p. Taking into account what 
has been said so far, we would like to change the above sentence to:

```
In order to smooth out this bias, our hash2base algorithm takes 64 + 
floor(log2(p)) + 1 bits in order to smooth out this bias. This is 
preferable to an iterated procedure, such as rejection sampling, since 
this can be hard to reliably implement in constant time.
```

This should at least give an intuition that adding 64 bits makes the 
difference of the two distributions statistically negligible.
What do you think? Is this relevant?

In case one wants to have a deeper look, I sketched a git patch here:
https://github.com/mmaker/draft-irtf-cfrg-hash-to-curve/commit/af0fd8f27f016a8cad1e61819a075eeacd2ebeae

Cheers,
-- 
μ.

v2.23.0 | Report a Bug | By Email