Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

["Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>]

Is this a nontrivial concern?

Both CPace and Opaque are PAKEs; what that means is that if the attacker has a guess to the password, he can verify (or refute) that guess by performing a single exchange with the honest server.

So, if the user selects a password with 128 bits of minentropy (which is a far better password than what almost any human would use), that gives a 2^-128 failure probability against an attacker that tries just one exchange.  This probability is inherent in the system, and (other than asking users to use even better passwords), there isn't anything we can do about it.

In contrast, what it the probability of a hash-to-curve generating a low-order point?  If it is (say) 2^-252 (I don't know the exact probability; that is the approximate probability of a random Curve25519 point being a low order one), then that is far smaller than the inherent failure probability already in the system.

For PAKE uses of hash-to-curve, that wouldn't appear (IMHO) to be worth worrying about.  Of course, this logic need not apply to other uses of hash-to-curve...

From: Hao, Feng <Feng.Hao@warwick.ac.uk>
Sent: Friday, April 9, 2021 3:01 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org>; Mike Hamburg <mike@shiftleft.org>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Hi Scott,

It's not a simple case of testing and aborting. Suppose in a system, hash-to-curve returns a low-order point to the higher protocol (say CPace/OPAQUE) that is calling it, you can't accept this value (insecure base generator) nor can you reject it (timing side channel will reveal the password). The failure mode here is non-recoverable.

Cheers,
Feng

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com<mailto:sfluhrer@cisco.com>>
Date: Friday, 9 April 2021 at 19:26
To: Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org<mailto:sfluhrer=40cisco.com@dmarc.ietf.org>>, Mike Hamburg <mike@shiftleft.org<mailto:mike@shiftleft.org>>, Hao, Feng <Feng.Hao@warwick.ac.uk<mailto:Feng.Hao@warwick.ac.uk>>
Cc: CFRG <cfrg@irtf.org<mailto:cfrg@irtf.org>>
Subject: RE: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
Correction: Opaque does use a hash-to-curve operation (used to translate the password into an elliptic curve point); if it happens to translate a specific password to a low order point, then that specific password is easy to test for; however there are no other implications...

From: CFRG <cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org>> On Behalf Of Scott Fluhrer (sfluhrer)
Sent: Friday, April 9, 2021 2:17 PM
To: Mike Hamburg <mike@shiftleft.org<mailto:mike@shiftleft.org>>; Hao, Feng <Feng.Hao@warwick.ac.uk<mailto:Feng.Hao@warwick.ac.uk>>
Cc: CFRG <cfrg@irtf.org<mailto:cfrg@irtf.org>>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Opaque doesn't use a hash-to-curve operation.

CPace does; it also automatically aborts (fails) if the hash-to-curve operation happens to return a low order point (that is, a point that, after multiplying by the cofactor, is the neutral element).

From: CFRG <cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org>> On Behalf Of Mike Hamburg
Sent: Friday, April 9, 2021 1:00 PM
To: Hao, Feng <Feng.Hao@warwick.ac.uk<mailto:Feng.Hao@warwick.ac.uk>>
Cc: CFRG <cfrg@irtf.org<mailto:cfrg@irtf.org>>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

I don't know if the same holds for OPAQUE or CPace: for all I know, they may have specification holes and/or end in failure in that case.