Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Björn Haase <Bjoern.M.Haase@web.de> Sun, 11 April 2021 13:43 UTC

Return-Path: <Bjoern.M.Haase@web.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B005E3A0866; Sun, 11 Apr 2021 06:43:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.017
X-Spam-Level:
X-Spam-Status: No, score=-2.017 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=web.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XJjdiowVdtS2; Sun, 11 Apr 2021 06:43:42 -0700 (PDT)
Received: from mout.web.de (mout.web.de [212.227.17.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B93973A0853; Sun, 11 Apr 2021 06:43:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=dbaedf251592; t=1618148619; bh=qqCDsNcFrEKYc8qzubs2RFyt8vXl/aHWgjqUL+uYTXo=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date:In-Reply-To:References; b=EDmQ4HUsnxwpM6CjS6nPxH3hlwi0hFCaidpnbkr2I3nn0oxgSHAUm5x+BnSfMk5ah PMezWKVXCuunMw69Ja1wyj1aHbFSNRbiuxX2Ho7esA11UqP1AwnjaPZftutjWc72S7 DZIJsto7xhvNjUEM1MClvcXbK8fn63uagEowOXdQ=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from [109.90.104.251] ([109.90.104.251]) by web-mail.web.de (3c-app-webde-bap18.server.lan [172.19.172.18]) (via HTTP); Sun, 11 Apr 2021 15:38:26 +0200
MIME-Version: 1.0
Message-ID: <trinity-d2a9d991-f7cc-4510-a5da-5df48f4ae3b1-1618148306960@3c-app-webde-bap18>
From: =?UTF-8?Q?Bj=C3=B6rn_Haase?= <Bjoern.M.Haase@web.de>
To: "Hao, Feng" <Feng.Hao=40warwick.ac.uk@dmarc.ietf.org>
Cc: Hugo Krawczyk <hugo@ee.technion.ac.il>, CFRG <cfrg@irtf.org>
Content-Type: text/html; charset=UTF-8
Date: Sun, 11 Apr 2021 15:38:26 +0200
Importance: normal
Sensitivity: Normal
In-Reply-To: <AM6PR01MB427851BEC3094FB01902DA1DD6719@AM6PR01MB4278.eurprd01.prod.exchangelabs.com>
References: <e270e62d-941d-0a87-7dc9-cf80f73b5aeb@jacaranda.org> <d0778523-5f5d-4327-b795-279918c1899c@www.fastmail.com> <CAMr0u6=PBX1W5zQFmpxKQ=ViUXN9QK00BREL4M0=2HOkaXaiZw@mail.gmail.com> <VI1SPR01MB03573585C37B871D200ECC23D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <trinity-f323065e-9f30-48fd-9ead-0865e8f877eb-1618002469856@3c-app-webde-bap03> <VI1SPR01MB035772443E4DA3206E4CD4D3D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <7944D4F1-81F8-44FC-95D1-45D47733B385@shiftleft.org> <VI1SPR01MB03574E592790FD59C1ACEB84D6729@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <20210410151254.7ze5pt4lpvblhk3f@muon> <CADi0yUNo7o07qM2Qw8yd_eVw_-cM-9wNy3CrLw_Pif79oD_+Og@mail.gmail.com> <VI1SPR01MB0357253A9BA2C2544D6B3F51D6729@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <CADi0yUP-Q-bjmDn-RpiVkns4c8ruK97SidFycg1cPVPJvdFB4w@mail.gmail.com> <AM6PR01MB427851BEC3094FB01902DA1DD6719@AM6PR01MB4278.eurprd01.prod.exchangelabs.com>
X-UI-Message-Type: mail
X-Priority: 3
X-Provags-ID: V03:K1:HWMXrBgX3ugEGlou1XDhcxPq8BElg/bpKRSHiSGSYxMLjJRC8x+ryfQj/m3Gn2UyrC8cM LyUMXvuc24Fo/rY35Djoxxt4FrYf0InxP/8KYR6lCMfiWD/8ovcMfMTXn3mdvbXVhWFMOQsNHBcY RaColGZ+Xm5WORkYBClr+E0aTXcfzzT7LCbpY3THqMrLUsA37HAzKIRntvVXqzFvkGjcW6B3EZiU wFjstssb7+Sq7a9alUdposQdcAElWZnh86m8UIx+2vv/feC+1oIcStMrkJ6Ud68gr2jKxr9LiynG sA=
X-UI-Out-Filterresults: notjunk:1;V03:K0:tYjaTAUrTfU=:WCq8og4cQ3uDEiUnWnMOfF u1NW8YYJ8T0miY4sAWwS0DbYji/kEvwDVa9bLZyDejaUQ5QnPDAWKXvfkI7c890c8WygPcVpl vgYOlP9THAb9vqVIc1N92p9t1bUnkqqmNOjYkl4rqerx6CUzQ+eWd+uylRjONOm/JMTHVgFYt qe0y1TBDC6PEgagffrK7L5Nz8LBTGCAYwAB+JhfSVmiKNt/s69FGENJptm/vN0vPDd6//H+uT hs+QJT+HomXs6s6NledtA7nizwesvIjv+sgZNqoHiUbBnWZNYLSWl7pG11bz6Sni/Z1tJEGYw L0Cc/3WG8nsE92vqc62z5ntDceS0PrQFtG3S8plZVqeR6nGCudQAHKifOvHopiaxvpv3VdIz8 xSfY6XjkVeu6wEsqSFYrDMuAl4GnjasL0Po/4oH2Vp9h1yt/mUQaecNzOuXXCwSTBAPhSDCYy 3SVdWEz4IXmAvUqK0H2vZH/yhllw987puw+SFBd4XBMK93wFvuSVn8q1H1w8tklUfBKElGuQw EVGN04SFTfOjNrY852EVev25qYrW/MPiUMHHFiUafhLxFFzSQD4NcDlOn/7O9O6AGqOAo+Tuc OMTKGV7kG5nWANC++fHi6Lk4suTbYJt+kc2P6QuIUEokctD2WY3/GZGZ86cMlgC4Z4/4SsnXp y4D/9dFUBpPosyEGVR38f/u0fspEYspk9EfYN696Wt6sngbkmS/eODHHri73anrffAXVi/3eF 0afCnUXHDzar3WbWk4qkCY36983utiQ3T3WgVQ2C8Fj+vCft1AngoUHvQVevifLg6f45dFDVR vEI4ZWMgPmQTdfA1HjEOuUylDPi8U6Bhf0LB8vMSivL9Hv6bBaNzbuiHXimcpeOHB3dv3tX2V rjWaBQ9tX8mX1kFG5iR6oOuClEavKD/5bAUWviRbbNAXZsT0HZVGWVQIBGyfs1
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/HIc7AvlUf3sHwnh8WvtDK4Nml9s>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Apr 2021 13:43:47 -0000

Dear Hao,
 
I would kindly request you in case that you actually really happen to question the security guarantees of the currently proposed CPace and OPAQUE designs as specified in the latest draft versions -- which does not actually happen to be the case after reading the last lengthy posts -- to clearly show up the aspects where the existing security analysis needs to be complemented/extended or corrected according to your assessment.
 
For CPace you find this analysis in https://eprint.iacr.org/2021/114 and this analysis covers all of: treatment of low-order points and identity elements produced by the map. I.e. both aspects that you seem to be concerned of have extensively been considered and the impact on the security bounds has been quantified.
 
Note that we explicitly spent the significant effort of incorporating all of the artifacts that could be generated by maps, hash2curve and encode2curve primitives in the above paper in tiny individual steps as to be able to facilitate review. IMO, it should be straight forward for you to pinpoint any aspect in the analysis that has not been correctly assessed in your opinion -- if there actually is any. This would also allow you to make more transparent at which point exactly you identify problems, a topic which is not clear to me even after reading your recent posts several times.
 
I think that structuring the discussion along the lines of the existing security analysis papers might help avoiding emotional discussion and might help to get things further in a more constructive way.
 
So far after reading all comments explicitly including yours I conclude that there happens to be consensus in that there is actually 1) neither a security problem with the current draft specifications for hash2curve nor 2) for OPAQUE and CPace regarding identity- and low-order points produced by the various maps, encode2curve constructions and hash2curve constructions as presented in the hash2curve draft.
 
Yours,
 
Björn.
 
P.S.: Please feel also free to contact me directly in order to speed-up discussions and resolve simple misunderstandings earlier. IMO this might also help for getting things further in a constructive way and could possibly avoid some unnecessary confusion of the other the readers on the list.