Re: [CFRG] please use real names (was: Re: Small subgroup question for draft-irtf-cfrg-hash-to-curve)

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Sun, 11 April 2021 12:42 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/HN52UPHYAt-pzQ6vIbfA61lUY74>

For mere courtesy (besides, the "big" players tend to know each other, believe it or not), I too prefer that people use their real names, or at least those they're known under by their colleagues. 

Though I confess I pay more attention to something posted by, e.g., Hugo (as, regardless of whether I agree with his point or not, I found that it makes sense to consider what he says), than to something, e.g., posted by Squeamish (no offense meant): time is limited, flood of incoming email is out of control, some prioritization is a must, and known correspondents do take precedence (obviously).

Critical? No. Fool-proof? No. Convenient? Heck, yes.

Oh, and I don't care who "Squeamish Ossifrage" is in real life, so no worries here. ;-)
--
Regards,
Uri
 
There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
    - C. A. R. Hoare
 

On 4/11/21, 08:16, "CFRG on behalf of Squeamish Ossifrage" <cfrg-bounces@irtf.org on behalf of squeamishossifrage.se=40protonmail.com@dmarc.ietf.org> wrote:

    Hi "Rene" (if that is your real name):

    I would be curious to know how the quality of the research is different depending on whether it is signed ‘-=rsw’ or ‘Riad S. Wahby’.  Can you expand on that?

    Shirley, using ‘real’ names would only make it easier to form preconceptions about the merit of an argument based on the name of who wrote it, no?  For example, wouldn't you expect much stricter scrutiny on an argument made by a queer carrion fowl calling themself Squeamish Ossifrage?  Nobody would give them a pass on the basis of nominal reputation!

    If I were a spook who wanted to slip a back door or shoddy design into a standard for something like a PRNG or a PAKE, I would probably choose a boring name and quietly maintain a plausible-looking CV at a cryptography or networking company that nobody would bat an eye at, and then write long-winded discursive emails on an intimidating mailing list that discourages newcomers who aren't comfortably established in the field with their ‘real’ names (whatever it is that makes one name ‘real’ and another name fake).

    Sincerely,
    —Squeamish Ossifrage


    P.S.  To keep this on-topic: The probability of a hash falling into a small subgroup is so small (e.g., ~1/2^252 for Curve25519) that any attack involving it necessarily implies a remarkable structured preimage attack on the hash function—or that you should have bought some lotto tickets instead of spending your time crouched over a glowing rectangle faffing around with hashes and curves.  If you chose a curve for which this probability was large enough to matter, you would be in serious trouble with rho anyway!

    Similarly, for example, in AES-GCM there is an almost unimaginably larger probability, 1/2^128, of choosing an all-zero GHASH evaluation point, under which the authenticator is independent of the message content.  But the probability is so small that nobody cares.  And ‘But what if you abuse map_to_curve on its own in a place where the adversary can manipulate the algebraic structure?’ is no more an argument against the complete hash_to_curve design than ‘But what if you abuse GHASH on its own in a place where the adversary can manipulate the algebraic structure?’ is an argument against the complete AES-GCM design.

    If you have a user who picks a password that hashes to a small subgroup, that's not a reason for failure—that's a reason to invite them to be coauthor on a paper (under a name they choose, which may not be the name a government has them under in a database that requires the help of a solicitor to change) in a flagship publication, about a novel attack on the hash function!


    > Hi "rsw":
    >
    > As a general courtesy, may I suggest that all communications use
    > people's real names and not some obscure acronym.
    >
    > The CFRG is supposed to be a research forum, where people do not hide
    > their identity. In fact, in my opinion, IETF should have no place for
    > communications by "anonymous".
    >
    > Rene
    >
    > On 2021-04-10 11:12 a.m., rsw@cs.stanford.edu wrote:
    >> Hello Feng,
    >>
    >> "Hao, Feng" <Feng.Hao=40warwick.ac.uk@dmarc.ietf.org> wrote:
    >>> Rsw also gave a similar example of having all zeros for the hash.
    >>> Let me clarify that we are not – and shouldn’t be - concerned with
    >>> any of such cases since the values are uniformly distributed within
    >>> their respective range.
    >> Right. And the argument is precisely the same for hash-to-curve!
    >>
    >> Let me be perfectly clear: the property that hash_to_curve gives
    >> is that the output is a uniformly* distributed point in the (big)
    >> prime-order subgroup of the target elliptic curve.
    >>
    >> At the risk of seeming didactic (in which case, apologies): the
    >> identity element is indeed an element of the target group G.
    >>
    >> Put another way: fix a generator g of group G of prime order q. Then,
    >> hash_to_curve returns g^r in G, for r sampled uniformly* at random
    >> in 0 <= r < q. Under the assumption that discrete log is hard in G,
    >> hash_to_curve does not reveal r. Under the preimage and collision
    >> resistance of the underlying hash function, one cannot choose any
    >> particular r or find two inputs that hash to the same r.
    >>
    >> I hope this helps clarify the security properties, and why focus
    >> on low-order points at intermediate steps of the computation is not
    >> relevant to the security of hash_to_curve as specified.
    >>
    >> * uniformly except for some statistical distance less than 2^-100.
    >>
    >> Regards,
    >>
    >> -=rsw
    >>
    >> _______________________________________________
    >> CFRG mailing list
    >> CFRG@irtf.org
    >> https://www.irtf.org/mailman/listinfo/cfrg
    >
    >
    > --
    > email: rstruik.ext@gmail.com | Skype: rstruik
    > cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
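The AES-GCM comparison in the quoted P.S., as an added example that is not part of the original thread: GHASH is evaluated at a point H, and when H is all-zero the tag no longer depends on the message. The code follows the GHASH definition in NIST SP 800-38D; `MASK` stands in for the AES output E_K(J0), and all sample values are constructed.

```python
# Added illustration: GHASH from AES-GCM (NIST SP 800-38D), without the AES part.
R = 0xE1 << 120  # reduction constant for GCM's bit-reflected GF(2^128)

def gf_mul(x: int, y: int) -> int:
    """Multiply two field elements held as 128-bit big-endian integers."""
    z, v = 0, y
    for i in range(127, -1, -1):      # GCM's bit 0 is the most significant bit
        if (x >> i) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def _blocks(data: bytes):
    """Yield zero-padded 16-byte blocks as integers."""
    for off in range(0, len(data), 16):
        yield int.from_bytes(data[off:off + 16].ljust(16, b"\0"), "big")

def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(aad, ct): polynomial evaluation at the point h."""
    y = 0
    lengths = (8 * len(aad)) << 64 | (8 * len(ct))
    for block in [*_blocks(aad), *_blocks(ct), lengths]:
        y = gf_mul(y ^ block, h)
    return y

def tag(h: int, mask: int, aad: bytes, ct: bytes) -> int:
    """GCM tag = GHASH xor E_K(J0); `mask` is an assumed stand-in for E_K(J0)."""
    return ghash(h, aad, ct) ^ mask

# Constructed sample values (not from the thread or from any real key).
MASK = int.from_bytes(bytes(range(16)), "big")
H_TYPICAL = int.from_bytes(bytes(range(16, 32)), "big")
CT_A, CT_B = b"constructed ciphertext A", b"constructed ciphertext B"

def tags_for(h: int):
    """Tags of two different ciphertexts under the same evaluation point."""
    return tag(h, MASK, b"hdr", CT_A), tag(h, MASK, b"hdr", CT_B)

if __name__ == "__main__":
    for name, h in (("H = 0", 0), ("typical H", H_TYPICAL)):
        a, b = tags_for(h)
        print(f"{name:10s} tag A = {a:032x}  tag B = {b:032x}  equal: {a == b}")
```

Since H is the AES encryption of the zero block under the key, the degenerate case occurs for about one key in 2^128, which is the probability the P.S. cites.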