Re: [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-curve-08.txt

Michael Scott <mike.scott@miracl.com> Wed, 03 June 2020 13:03 UTC

From: Michael Scott <mike.scott@miracl.com>
Date: Wed, 03 Jun 2020 14:04:51 +0100
To: CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Kcp0Chvy8R-ZJrVZVZnxeanxs0w>

Hello Chris,

I have a few remarks about this. The changes I noted were a minor change to
ELL2, some sensible updating to the Domain Separation Tag formats, and that
the SVDW method seems to now be deprecated (or at least not recommended)
for curves with AB=0 in favour of the isogeny map based method.

I was puzzled that the suite for edwards25519 uses SHA-512, whereas surely
SHA-256 would be a better fit?

On a very mundane issue, in section 8.1 hash-to-field should be
hash_to_field.

My major concern is about the Isogeny map vs SVDW issue. It is not clear to
me that suitable isogeny mappings can be found for all potential
pairing-friendly curves of interest. Indeed for the well-known BN254 curve,
and adapting the sage script from https://eprint.iacr.org/2019/403, I was
unable to find any isogeny map of degree less than 64 for the G2 group. And
for another BLS12 curve I could find no isogeny of degree less than 100 for
G1 (although one of degree 3 existed for G2). The method already seems
unwieldy with its multiple constants, compared with SVDW.

It would be a useful exercise to provide isogeny maps for all of the
pairing-friendly curves under active consideration for standardisation by
CFRG, to confirm the general applicability of the method. It seems to me
that the isogeny map method may have been rather lucky with BLS12-381!

Personally, I would support SVDW being reinstated as an equally recommended
alternative option.

Mike



On Tue, Jun 2, 2020 at 12:32 AM Christopher Wood <caw@heapingbits.net>
wrote:

> This update carries a number of important changes, including, though not
> limited to:
>
> - Domain separation mitigations for expand_message_xmd (as part of
> hash-to-field).
> - Mapping function fixes and clarifications. Elligator 2 alignment is one
> such update.
> - An overall reduction in suites. There is now one recommended RO and NU
> suite per target curve.
> - Expanded test vectors, including those for expand_message.
> - Much improved security considerations text, particularly around domain
> separation guarantees.
> - Alignment with the VRF specification [1].
>
> We believe the document is now ready for RGLC, and would appreciate
> reviews and feedback to help get it across the finish line.
>
> Thanks!
> Chris
>
> [1] https://github.com/fcelda/nsec5-draft/pull/35
>
> On Mon, Jun 1, 2020, at 4:17 PM, internet-drafts@ietf.org wrote:
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> > This draft is a work item of the Crypto Forum RG of the IRTF.
> >
> >         Title           : Hashing to Elliptic Curves
> >         Authors         : Armando Faz-Hernandez
> >                           Sam Scott
> >                           Nick Sullivan
> >                           Riad S. Wahby
> >                           Christopher A. Wood
> >       Filename        : draft-irtf-cfrg-hash-to-curve-08.txt
> >       Pages           : 156
> >       Date            : 2020-06-01
> >
> > Abstract:
> >    This document specifies a number of algorithms for encoding or
> >    hashing an arbitrary string to a point on an elliptic curve.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-08
> > https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-08
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-hash-to-curve-08
> >
> >
> > Please note that it may take a couple of minutes from the time of
> submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
> >
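The SVDW map the message above argues for, as an added worked example that is not part of the thread or of the draft: a pure-Python transcription of the draft's map_to_curve_svdw straight-line procedure (with its appendix's Z-selection rule) over a prime field, run on a constructed toy curve y^2 = x^3 + 2 over GF(19) and on the BN254 (alt_bn128) G1 curve y^2 = x^3 + 3 over the EIP-196 field prime. Its point is the one Mike makes: for a curve with A = 0 the map needs four constants and no isogeny, whereas the isogeny-based SSWU route needs a suitable low-degree isogeny for each curve. The toy curve, the helper names and the sample inputs are assumptions of this example; only the map step is shown (hash_to_field and clear_cofactor are omitted), the G2 case over an extension field is not covered, and nothing here is constant-time.

```python
# Added example (not from the draft or from the message above): a direct
# transcription of the draft's map_to_curve_svdw straight-line procedure over a
# prime field, exercised on a constructed toy curve y^2 = x^3 + 2 over GF(19)
# and on the BN254 (alt_bn128) G1 curve y^2 = x^3 + 3. Only the map step is
# shown: hash_to_field and clear_cofactor are omitted, and nothing here is
# constant-time.

def inv0(x, p):
    """Inverse in GF(p) with inv0(0) = 0, as the draft defines it (p prime)."""
    x %= p
    return 0 if x == 0 else pow(x, p - 2, p)

def is_square(x, p):
    """Euler's criterion; 0 counts as a square, as in the draft."""
    x %= p
    return x == 0 or pow(x, (p - 1) // 2, p) == 1

def sqrt_mod(x, p):
    """Square root for p = 3 mod 4 (true of both fields below); x must be a square."""
    assert p % 4 == 3, "this helper only handles p = 3 mod 4"
    r = pow(x % p, (p + 1) // 4, p)
    assert r * r % p == x % p, "sqrt of a non-square"
    return r

def sgn0(x):
    """sgn0 of a prime-field element is its parity."""
    return x % 2

def cmov(a, b, c):
    """Return b if c else a (a branch here; a real implementation must not branch)."""
    return b if c else a

def find_z_svdw(p, A, B):
    """Z selection from the draft's appendix: smallest |Z| with g(Z) != 0,
    h(Z) = -(3Z^2 + 4A) / (4 g(Z)) a nonzero square, and g(Z) or g(-Z/2) a square."""
    g = lambda x: (pow(x, 3, p) + A * x + B) % p
    half = inv0(2, p)
    for ctr in range(1, p):
        for Z in (ctr % p, (-ctr) % p):
            gz = g(Z)
            if gz == 0:
                continue
            h = (-(3 * Z * Z + 4 * A)) * inv0(4 * gz, p) % p
            if h == 0 or not is_square(h, p):
                continue
            if is_square(gz, p) or is_square(g((-Z) * half % p), p):
                return Z
    raise ValueError("no suitable Z")

class SVDW:
    """map_to_curve_svdw for y^2 = x^3 + A*x + B over GF(p); works with A = 0."""

    def __init__(self, p, A, B):
        self.p, self.A, self.B = p, A % p, B % p
        Z = self.Z = find_z_svdw(p, self.A, self.B)
        gZ, t = self.g(Z), (3 * Z * Z + 4 * self.A) % p
        self.c1 = gZ                                   # c1 = g(Z)
        self.c2 = (-Z) * inv0(2, p) % p                # c2 = -Z / 2
        c3 = sqrt_mod((-gZ * t) % p, p)                # c3 = sqrt(-g(Z) * (3Z^2 + 4A))
        self.c3 = c3 if sgn0(c3) == 0 else (-c3) % p   # the draft requires sgn0(c3) == 0
        self.c4 = (-4 * gZ) * inv0(t, p) % p           # c4 = -4 g(Z) / (3Z^2 + 4A)

    def g(self, x):
        return (pow(x, 3, self.p) + self.A * x + self.B) % self.p

    def is_on_curve(self, pt):
        x, y = pt
        return y * y % self.p == self.g(x)

    def map_to_curve(self, u):
        """Steps 1-36 of map_to_curve_svdw: one field element in, one point out."""
        p = self.p
        u %= p
        tv1 = u * u * self.c1 % p
        tv2 = (1 + tv1) % p
        tv1 = (1 - tv1) % p
        tv3 = inv0(tv1 * tv2, p)                 # 0 on the exceptional inputs u^2*c1 = +-1
        tv4 = u * tv1 * tv3 * self.c3 % p
        x1 = (self.c2 - tv4) % p
        x2 = (self.c2 + tv4) % p
        x3 = (pow(tv2 * tv2 * tv3, 2, p) * self.c4 + self.Z) % p
        e1 = is_square(self.g(x1), p)
        e2 = is_square(self.g(x2), p) and not e1
        x = cmov(x3, x1, e1)                     # x1 if g(x1) is square
        x = cmov(x, x2, e2)                      # else x2 if g(x2) is square, else x3
        y = sqrt_mod(self.g(x), p)
        y = cmov((-y) % p, y, sgn0(u) == sgn0(y))
        return x, y

# BN254 / alt_bn128 base-field prime as fixed in EIP-196; G1 is y^2 = x^3 + 3.
BN254_P = 21888242871839275222246405745257275088696311157297823662689037894645226208583

def demo():
    toy = SVDW(19, 0, 2)                                  # constructed toy curve, A = 0
    toy_pts = [toy.map_to_curve(u) for u in range(19)]    # every u, exceptional ones included
    bn = SVDW(BN254_P, 0, 3)
    bn_pt = bn.map_to_curve(int.from_bytes(b"constructed field element", "big") % BN254_P)
    return toy.Z, toy_pts, bn.Z, bn_pt, bn.is_on_curve(bn_pt)

if __name__ == "__main__":
    print(demo())
```

On the toy curve the selection rule picks Z = -1 and several inputs (u = 0, 1, 3, 6) fall through to the third candidate x3, including the exceptional input u = 1 where tv3 = 0; this is the path the draft's Z criteria (g(Z) or g(-Z/2) square) exist to cover. On BN254 G1 the rule picks Z = 1 immediately, since -3 is a square in a field with p = 1 mod 3. To use this as hash_to_curve you would still feed it the output of hash_to_field and clear the cofactor afterwards, and for G2 the same steps have to be carried out with GF(p^2) arithmetic, which this example does not provide.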