Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Fri, 09 April 2021 19:23 UTC
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>, "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>, Mike Hamburg <mike@shiftleft.org>
CC: CFRG <cfrg@irtf.org>
Date: Fri, 09 Apr 2021 19:23:20 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/K1d5cYAoyeUGxJQhlLSyMq6pvlw>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Is this a nontrivial concern? Both CPace and Opaque are PAKEs; what that means is that if the attacker has a guess to the password, he can verify (or refute) that guess by performing a single exchange with the honest server. So, if the user selects a password with 128 bits of min-entropy (which is a far better password than what almost any human would use), that gives a 2^-128 failure probability against an attacker that tries just one exchange. This probability is inherent in the system, and (other than asking users to use even better passwords), there isn't anything we can do about it.

In contrast, what is the probability of a hash-to-curve generating a low-order point? If it is (say) 2^-252 (I don't know the exact probability; that is the approximate probability of a random Curve25519 point being a low order one), then that is far smaller than the inherent failure probability already in the system.

For PAKE uses of hash-to-curve, that wouldn't appear (IMHO) to be worth worrying about. Of course, this logic need not apply to other uses of hash-to-curve...

From: Hao, Feng <Feng.Hao@warwick.ac.uk>
Sent: Friday, April 9, 2021 3:01 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org>; Mike Hamburg <mike@shiftleft.org>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Hi Scott,

It's not a simple case of testing and aborting. Suppose that in a system, hash-to-curve returns a low-order point to the higher protocol (say CPace/OPAQUE) that is calling it. You can't accept this value (insecure base generator), nor can you reject it (a timing side channel will reveal the password). The failure mode here is non-recoverable.

Cheers,
Feng

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Date: Friday, 9 April 2021 at 19:26
To: Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org>, Mike Hamburg <mike@shiftleft.org>, Hao, Feng <Feng.Hao@warwick.ac.uk>
Cc: CFRG <cfrg@irtf.org>
Subject: RE: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Correction: Opaque does use a hash-to-curve operation (used to translate the password into an elliptic curve point); if it happens to translate a specific password to a low order point, then that specific password is easy to test for; however, there are no other implications...

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Scott Fluhrer (sfluhrer)
Sent: Friday, April 9, 2021 2:17 PM
To: Mike Hamburg <mike@shiftleft.org>; Hao, Feng <Feng.Hao@warwick.ac.uk>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Opaque doesn't use a hash-to-curve operation. CPace does; it also automatically aborts (fails) if the hash-to-curve operation happens to return a low order point (that is, a point that, after multiplying by the cofactor, is the neutral element).

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Mike Hamburg
Sent: Friday, April 9, 2021 1:00 PM
To: Hao, Feng <Feng.Hao@warwick.ac.uk>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

I don't know if the same holds for OPAQUE or CPace: for all I know, they may have specification holes and/or end in failure in that case.
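The low-order check Scott describes (multiply the hash-to-curve output by the cofactor and treat the neutral element as the abort condition) and the 2^-252 figure he quotes, worked through for Curve25519 as an added example; this code is not part of the thread nor of the CPace or OPAQUE drafts. It uses the RFC 7748 constants (p = 2^255 - 19, a24 = 121666, prime subgroup order Q, cofactor 8) and x-only Montgomery doubling; the sample u-coordinates are constructed for the demo and the function names are mine.

```python
# Added example (not from the CFRG thread): cofactor-based low-order check on
# Curve25519 and the "random point is low order" probability the thread cites.
import math

P = 2**255 - 19                 # field prime
A24 = 121666                    # (A + 2) / 4 for A = 486662 (RFC 7748)
COFACTOR = 8                    # Curve25519 group has order 8 * Q
Q = 2**252 + 27742317777372353535851937790883648493   # prime subgroup order


def xdbl(X, Z):
    """x-only Montgomery doubling in projective (X:Z) form, using the
    RFC 7748 ladder formulas. Works for points on the curve and on its
    quadratic twist alike, so no curve-membership check is needed first."""
    AA = (X + Z) * (X + Z) % P
    BB = (X - Z) * (X - Z) % P
    E = (AA - BB) % P           # equals 4*X*Z
    X2 = AA * BB % P
    Z2 = E * (AA + A24 * E) % P
    return X2, Z2


def clear_cofactor(u):
    """Return projective (X:Z) of [8]P for the point with u-coordinate u.
    Multiplying by the cofactor 8 is three doublings; Z == 0 means the
    neutral element, which x-only arithmetic cannot express affinely."""
    X, Z = u % P, 1
    for _ in range(3):
        X, Z = xdbl(X, Z)
    return X, Z


def is_low_order(u):
    """True iff [8]P is the neutral element, i.e. P lies in the small
    (torsion) subgroup -- the condition on which CPace aborts."""
    _, Z = clear_cofactor(u)
    return Z == 0


def log2_low_order_probability():
    """log2 of the chance that a uniformly random point of the order-8Q group
    is one of its 8 low-order points: 8 / (8Q) = 1/Q, roughly 2^-252."""
    return math.log2(COFACTOR) - math.log2(COFACTOR * Q)


# Constructed demo inputs: three well-known small-order u-coordinates
# (0, 1 and -1 all reach the neutral element within three doublings)
# and the Curve25519 base point u = 9, which is not low order.
DEMO = {"u=0": 0, "u=1": 1, "u=-1": P - 1, "base point u=9": 9}

if __name__ == "__main__":
    for name, u in DEMO.items():
        print(f"{name:16s} low order: {is_low_order(u)}")
    print(f"log2 Pr[random point is low order] ~= {log2_low_order_probability():.1f}")
```

The computed value is about -252, matching the estimate in the message (the 8 low-order points out of 8Q total give 1/Q). Note that `is_low_order` branches on its result; Feng's objection in the quoted reply is precisely that a protocol which aborts on this condition makes the outcome observable, so a check like this belongs in test vectors and diagnostics rather than on the per-password path of a PAKE.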