Re: [CFRG] Questions regarding draft-irtf-cfrg-hash-to-curve-10

Mike Hamburg <mike@shiftleft.org> Wed, 02 December 2020 13:37 UTC

From: Mike Hamburg <mike@shiftleft.org>
Message-Id: <3AE804FF-49CD-41C8-BBE8-138D167F8E92@shiftleft.org>
Date: Wed, 02 Dec 2020 13:36:53 +0000
In-Reply-To: <VE1PR05MB7533515A32908677C520B48283F30@VE1PR05MB7533.eurprd05.prod.outlook.com>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
To: Björn Haase <bjoern.haase@endress.com>
References: <VE1PR05MB7533515A32908677C520B48283F30@VE1PR05MB7533.eurprd05.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/JdSzZFKtTiQ1cfGocmfIxEM3O4A>

Hi Björn,

At some point (2013?) I wrote up an article on uniform hashing specifically for Elligator 2, but it got rejected for being too similar to previous work, and I never bothered to post it on ePrint.  I’ll do that now.  You can find proofs for two constructions in the paper cited below, one of which is hash-twice-and-add.

https://www.shiftleft.org/papers/indifferentiable/

It may also be possible to show that Elligator 2 is well-distributed, but this paper shows directly that hash-twice-and-add works.

Cheers,
— Mike

PS: Mods, feel free to reject my previous attempt at this message, which is held because it has a PDF attached to it.

> On Dec 2, 2020, at 11:58 AM, Björn Haase <bjoern.haase@endress.com> wrote:
> 
> Hello Riad, Hello Christopher,
>  
> As requested, I have filed an issue in the GIT draft regarding an update of our CPace security analysis.
>  
> I am currently reviewing one other aspect regarding the hash_to_curve construction, where the result of two mappings is added.
>  
> hash_to_curve(msg)
> Input: msg, an arbitrary-length byte string.
> Output: P, a point in G.
>  
> Steps: 
> 1. u = hash_to_field(msg, 2)
> 2. Q0 = map_to_curve(u[0])
> 3. Q1 = map_to_curve(u[1])
> 4. R = Q0 + Q1 # Point addition
> 5. P = clear_cofactor(R)
> 6. return P
>  
> The important aspect would be that the result P comes from a uniform distribution.
>  
> I am aware of a result from Coron, Icart, Brier and Madore, “Efficient Indifferentiable Hashing into Ordinary Elliptic Curves,” where they saw the need for using something rather of the type of 
> P = Q0 + x * Q1.
>  
> In “Indifferentiable Deterministic Hashing to Elliptic and Hyperelliptic Curves” there is a discussion that, even if uniformity could not be guaranteed, at least some weaker property of “well-distributed encodings” holds, which they show for SWU.
>  
> https://eprint.iacr.org/2010/539.pdf
>  
> I now have the following questions: Are you aware of a result that extends this to Elligator 2? If I understood the paper correctly, the case of SSWU should be covered as part of the general properties of SWU. The guarantees seem to be linked to the property of the map that it is “well distributed” (where I did not yet understand the full implication of the character sums definition …).
>  
> Yours,
>  
> Björn.
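A toy version of the construction under discussion, added here and not part of the thread or the draft: Elligator 2 on a small constructed Montgomery curve (p = 499, A = 6, B = 1, cofactor clearing omitted), enumerated over all inputs to compare the output distribution of one map_to_curve with that of Q0 + Q1. A single map hits about half the points, each exactly twice, while Q0 + Q1 over all pairs (u0, u1) is close to uniform; the one visible skew is the identity, hit about twice as often as an average point because the map's image is closed under negation, a deviation of roughly 1/N that is negligible at cryptographic curve sizes.

```python
# Added example, not from the draft or the thread: toy Elligator 2 on a small Montgomery curve (constructed parameters).
from collections import Counter
from itertools import product

P, A, O = 499, 6, None  # prime P with P % 4 == 3; curve y^2 = x^3 + A*x^2 + x (B = 1), A^2 != 4; O = infinity

def legendre(a):  # 1 square, P-1 non-square, 0 zero
    return pow(a % P, (P - 1) // 2, P)
def sqrt_mod(a):  # valid because P % 4 == 3
    return pow(a % P, (P + 1) // 4, P)
def inv0(a):      # inv0(0) == 0, as in the draft
    return 0 if a % P == 0 else pow(a % P, P - 2, P)
def g(x):         # right-hand side of the curve equation
    return (x ** 3 + A * x * x + x) % P
Z = next(z for z in range(2, P) if legendre(z) == P - 1)  # smallest non-square, draft convention

def map_to_curve(u):
    """Elligator 2 for B = 1, in the draft's step order."""
    x1 = (-A * inv0(1 + Z * u * u)) % P or (-A) % P  # the 'or' handles the exceptional 1 + Z*u^2 == 0
    x2 = (-x1 - A) % P
    x = x1 if legendre(g(x1)) != P - 1 else x2  # generically g(x2) = Z*u^2*g(x1), so exactly one is a square
    y = sqrt_mod(g(x))
    return (x, y if u % 2 == y % 2 else (-y) % P)  # sgn0 tweak: sign of y follows sign of u

def add(p1, p2):
    """Affine addition on the Montgomery curve (B = 1)."""
    if p1 is O or p2 is O:
        return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O  # p2 == -p1, including doubling the 2-torsion point (0, 0)
    if x1 == x2:
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * inv0(2 * y1) % P  # tangent slope
    else:
        lam = (y2 - y1) * inv0(x2 - x1) % P
    x3 = (lam * lam - A - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def stat_dist(counts, total, n):  # distance of the hit distribution from uniform over n points
    return (sum(abs(c / total - 1 / n) for c in counts.values()) + (n - len(counts)) / n) / 2

def distribution_stats():
    """(curve order, points hit by one map, points hit by Q0 + Q1, statistical distance
    from uniform for one map, the same for Q0 + Q1, hits on the identity relative to uniform)."""
    n = 1 + sum(2 if legendre(g(x)) == 1 else int(g(x) == 0) for x in range(P))
    single = Counter(map_to_curve(u) for u in range(P))           # all P inputs
    double = Counter()
    for (q0, c0), (q1, c1) in product(single.items(), repeat=2):  # all P*P input pairs
        double[add(q0, q1)] += c0 * c1
    return (n, len(single), len(double), stat_dist(single, P, n),
            stat_dist(double, P ** 2, n), double[O] * n / P ** 2)
```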