Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Loup Vaillant-David <> Fri, 09 April 2021 19:54 UTC

From: Loup Vaillant-David <>
To: Armando Faz <>, "Hao, Feng" <>
Date: Fri, 09 Apr 2021 21:54:44 +0200

> The concern is akin to the generation of keys. For example, calling a
> PRNG(seed) to get a key K. Of course, the key generation procedure
> must ban the case of K=0. […]

That is far from obvious to me. Banning a key just reduces the search
space. Should we ban 0 because the attacker is more likely to test it
first? Then what about 1? Or 37? Or 2^256 - 1? Any published number? In
my opinion, the best solution is a uniform RNG. If we really want to
maximise unpredictability, we must not ban any number. Not even zero.

At least in the case of elliptic curves, one may argue that we should
ban the identity point because its properties are observably different
from all other points. Not just the bit pattern, but the fact that it
has order 1. (And even then I'd be cautious.)
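The point about the identity being the only element of order 1, and the small-subgroup question in the thread's subject line, can be made concrete on a toy curve. The following is an added illustration and is not code from this message or from the hash-to-curve draft: it enumerates the group of a constructed curve y^2 = x^3 + x over F_13 (assumed parameters chosen only because the group order 20 = 4 * 5 has a small cofactor), computes every point's order, identifies the points of order dividing the cofactor, and shows that cofactor clearing (the standard remedy, multiplying by h) sends exactly those points to the identity. The names `point_order`, `in_small_subgroup` and `clear_cofactor` are this example's own.

```python
# Toy short-Weierstrass curve y^2 = x^3 + A*x + B over F_P.
# Constructed example parameters; NOT a real-world curve.
P, A, B = 13, 1, 0
Q_ORDER = 5   # assumed prime-order subgroup size; verified against enumeration below
H = 4         # assumed cofactor; verified below (H * Q_ORDER == number of points)

O = None      # the point at infinity, i.e. the group identity


def is_on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def inv(v):
    # Modular inverse via Fermat; P is prime.
    return pow(v % P, P - 2, P)


def point_add(p1, p2):
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    # P + (-P) = O; this also covers doubling a point with y == 0.
    if x1 == x2 and (y1 + y2) % P == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mul(k, pt):
    # Double-and-add; returns O for k == 0.
    acc, addend = O, pt
    while k:
        if k & 1:
            acc = point_add(acc, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return acc


def all_points():
    # Brute-force enumeration of the whole group, including the identity.
    pts = [O]
    for x in range(P):
        for y in range(P):
            if is_on_curve((x, y)):
                pts.append((x, y))
    return pts


def point_order(pt):
    # Smallest n >= 1 with n*pt == O; the identity is the unique point with n == 1.
    n, acc = 1, pt
    while acc is not O:
        acc = point_add(acc, pt)
        n += 1
    return n


def is_identity(pt):
    return pt is O


def in_small_subgroup(pt):
    # A point lies in the cofactor subgroup iff its order divides H, i.e. H*pt == O.
    return scalar_mul(H, pt) is O


def clear_cofactor(pt):
    # Cofactor clearing: the result always lies in the order-Q_ORDER subgroup,
    # and it is the identity exactly when pt was a small-subgroup point.
    return scalar_mul(H, pt)


def order_histogram():
    # Map each point order to how many points have it; useful as a sanity check.
    hist = {}
    for pt in all_points():
        n = point_order(pt)
        hist[n] = hist.get(n, 0) + 1
    return hist


if __name__ == "__main__":
    pts = all_points()
    print("group order:", len(pts), "=", H, "*", Q_ORDER)
    print("order histogram:", order_histogram())
    print("small-subgroup points:", [p for p in pts if in_small_subgroup(p)])
```

On this curve the only point of order 1 is the identity, three more points have order 2, and those four together form the cofactor subgroup; every other point has order 5 or 10. A validation routine that rejects only the identity would still accept the three order-2 points, which is the distinction the thread is asking about.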