Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Fri, 09 April 2021 19:23 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/K1d5cYAoyeUGxJQhlLSyMq6pvlw>

Is this a nontrivial concern?

Both CPace and Opaque are PAKEs; what that means is that if the attacker has a guess to the password, he can verify (or refute) that guess by performing a single exchange with the honest server.

So, if the user selects a password with 128 bits of min-entropy (which is a far better password than what almost any human would use), that gives a 2^-128 failure probability against an attacker that tries just one exchange.  This probability is inherent in the system, and (other than asking users to use even better passwords), there isn't anything we can do about it.

In contrast, what is the probability of a hash-to-curve generating a low-order point?  If it is (say) 2^-252 (I don't know the exact probability; that is the approximate probability of a random Curve25519 point being a low order one), then that is far smaller than the inherent failure probability already in the system.

For PAKE uses of hash-to-curve, that wouldn't appear (IMHO) to be worth worrying about.  Of course, this logic need not apply to other uses of hash-to-curve...
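As an added example (not code from this thread, nor from the CPace or OPAQUE specifications), here is the test Scott describes further down the thread, multiply the hashed point by the cofactor and compare with the neutral element, written out for Curve25519 with an x-only Montgomery ladder. The curve constants are the RFC 7748 ones; the small-u scan that derives an order-8 point is this example's own construction, added so the check is exercised on a genuine order-8 input and not only on u = 0 and u = 1.

```python
# Added example, not code from the CFRG thread or from the CPace/OPAQUE specs.
# Curve25519 constants are those of RFC 7748; everything else is this demo's own.
P = 2**255 - 19                                      # field prime p
A24 = 121665                                         # (A - 2) / 4 with A = 486662
COFACTOR = 8                                         # |E(F_p)| = 8 * L
L = 2**252 + 27742317777372353535851937790883648493  # order of the prime-order subgroup


def _cswap(swap, a, b):
    # Plain branch: fine for a demo, not for a constant-time implementation.
    return (b, a) if swap else (a, b)


def ladder(k, u):
    """Return k*P as projective (X, Z) for the point P with u-coordinate u.

    Z == 0 encodes the neutral element.  The x-only ladder cannot tell the
    curve from its quadratic twist, so the cofactor test below covers the
    low-order points of both (u = p-1 is the twist's order-4 point).
    """
    x1 = u % P
    x2, z2 = 1, 0          # 0*P (neutral element)
    x3, z3 = x1, 1         # 1*P
    swap = 0
    for t in range(k.bit_length() - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P        # differential addition
        z3 = x1 * (da - cb) * (da - cb) % P
        x2 = aa * bb % P                      # doubling
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return x2, z2


def is_neutral(point):
    return point[1] % P == 0


def to_affine(point):
    x, z = point
    return x * pow(z, P - 2, P) % P


def is_low_order(u):
    """The check discussed in the thread: cofactor * P == neutral element?"""
    return is_neutral(ladder(COFACTOR, u))


def find_order8_u(start=2):
    """Derive the u-coordinate of an order-8 point (demo construction).

    For a point P on the curve, L*P lies in the 8-torsion, and half of the
    curve's points leave an order-8 component.  Scan small u values until
    one does.  Twist points cannot pass the filter: their order is coprime
    to L except for the twist's own 2- and 4-torsion at u = 0 and u = p-1,
    which the scan starts past.
    """
    u = start
    while True:
        t = ladder(L, u)
        if not is_neutral(t):
            ut = to_affine(t)
            if is_low_order(ut) and not is_neutral(ladder(4, ut)):
                return ut
        u += 1


if __name__ == "__main__":
    u8 = find_order8_u()
    for u in (0, 1, 9, P - 1, u8):
        print(f"u = {u}: low order = {is_low_order(u)}")
```

The boolean is all the calling protocol gets; what to do with it, CPace's abort on the one hand and Feng's observation that a data-dependent abort is itself observable on the other, is the point the thread is arguing. The u-coordinates this check flags are a handful out of roughly 2^255 field elements, which is where an estimate on the order of 2^-252 for a random point comes from. The plain Python branch in `_cswap` is a reminder that this is a demonstration of the check, not a constant-time implementation of it.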

From: Hao, Feng <Feng.Hao@warwick.ac.uk>
Sent: Friday, April 9, 2021 3:01 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org>; Mike Hamburg <mike@shiftleft.org>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Hi Scott,

It's not a simple case of testing and aborting. Suppose that, in a system, hash-to-curve returns a low-order point to the higher protocol (say CPace/OPAQUE) that is calling it: you can't accept this value (insecure base generator), nor can you reject it (a timing side channel will reveal the password). The failure mode here is non-recoverable.

Cheers,
Feng

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Date: Friday, 9 April 2021 at 19:26
To: Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org>, Mike Hamburg <mike@shiftleft.org>, Hao, Feng <Feng.Hao@warwick.ac.uk>
Cc: CFRG <cfrg@irtf.org>
Subject: RE: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Correction: Opaque does use a hash-to-curve operation (used to translate the password into an elliptic curve point); if it happens to translate a specific password to a low order point, then that specific password is easy to test for; however there are no other implications...

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Scott Fluhrer (sfluhrer)
Sent: Friday, April 9, 2021 2:17 PM
To: Mike Hamburg <mike@shiftleft.org>; Hao, Feng <Feng.Hao@warwick.ac.uk>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Opaque doesn't use a hash-to-curve operation.

CPace does; it also automatically aborts (fails) if the hash-to-curve operation happens to return a low order point (that is, a point that, after multiplying by the cofactor, is the neutral element).

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Mike Hamburg
Sent: Friday, April 9, 2021 1:00 PM
To: Hao, Feng <Feng.Hao@warwick.ac.uk>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

I don't know if the same holds for OPAQUE or CPace: for all I know, they may have specification holes and/or end in failure in that case.