Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Mike Hamburg <> Sat, 10 April 2021 20:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9EA413A1A0E for <>; Sat, 10 Apr 2021 13:19:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.305
X-Spam-Status: No, score=-1.305 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uYrt11dAedmw for <>; Sat, 10 Apr 2021 13:19:07 -0700 (PDT)
Received: from (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DE3EF3A1A0C for <>; Sat, 10 Apr 2021 13:19:07 -0700 (PDT)
Received: from [] (unknown []) (Authenticated sender: mike) by (Postfix) with ESMTPSA id 29B8BBB869; Sat, 10 Apr 2021 20:19:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=sldo; t=1618085945; bh=MANcbIzjTCUbU0ydXMhCcIWyl43kdsg5QjccxhQZ314=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=AW1PtdfF6wbngXmbGUzKPrhhEZK5GbbnMpjcBLnE3fnGJswiYTDrar0R3GojJGh3L apTN0s6WEt4/xVxCLkDmuUoCJ8vttHh1o8C+IUondiy6wgSvCShNsbG3TT2aZpIHSv dpgIJhdFUfdSGCc21pD6ekpk0OKOPxSRLRzerDjY=
From: Mike Hamburg <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D36D9517-3A49-4C4A-9231-A1ED8740CD00"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Date: Sat, 10 Apr 2021 17:19:03 -0300
In-Reply-To: <>
Cc: CFRG <>
To: "Hao, Feng" <>
References: <> <> <> <> <trinity-f323065e-9f30-48fd-9ead-0865e8f877eb-1618002469856@3c-app-webde-bap03> <> <> <> <> <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 10 Apr 2021 20:19:13 -0000

Hi Feng,

> On Apr 10, 2021, at 4:20 PM, Hao, Feng <> wrote:
> hash_to_curve is (epsilon-close to) uniformly distributed within its range, which is the prime-order group of points on the curve, which is also the range specified by these schemes in the literature.
> Please kindly note that I explicitly refer to map_to_curve, which can return low-order points.

Ah, sorry, I thought we were still talking about hash_to_curve.

> No, not PAK.  PAK uses the hash output as an additive blinding factor, so it ideally wants the value to be uniform in the group, non uniform among non-identity elements.  Of course, removing the identity won’t harm it, since again, that’s a negligible change.
> Please See Figure 1 on p. 11 in [1]. PAK uses the result from H1 as a base generator before being raised to the power of r. The follows the same idea as SPEKE.

I was insufficiently precise.  I’d forgotten that PAK refers to several PAKE algorithms; I was thinking of some of the elliptic curve versions, such as PAK-EC from "More efficient password-authenticated key exchange" by Philip MacKenzie, CT-RSA 2001.  I re-proposed a variant of this protocol, not knowing that it had been done before, as "SPAKE2: Elligator Edition”.  This design is slightly slower than SPEKE, but it has a simpler security analysis than SPEKE.  It sends something very roughly of the form aG + hash_to_curve(password), so you want hash_to_curve to be uniform.  Security follows by a very simple argument (compared to most other PAKEs) under ROM + strong DH.

> No, it’s pretty much the exact opposite of that.
> DDH is usually written as distinguishing (G, aG, bG, abG) from (G, aG, bG, cG) where g is a generator and (a,b,c) are uniformly random mod the group order.  See eg <> (which uses exponential notation but is otherwise the same), though variants (such as c != ab) are sometimes used instead.  Here aG, bG and cG can be the identity.  In this formulation, G cannot be the identity: it’s defined as a generator.  But if it were the identity then the two distributions would be identical — they would each be 4 copies of the identity — so DDH would still hold.
> Sorry, that can’t be right. if you want uniform distribution of values in Gq, the items in DDH can’t be identity elements.

The DDH assumption is that those two distributions are hard to distinguish, not that they’re uniform.  And it is indeed hard to distinguish (Id, Id, Id, Id) from (Id, Id, Id, Id).

> They should have the prime order q. Please see the explicit definition of Decision Diffie-Hellman (Problem 6.4 in Section 6.7.3) In Stinson’s book [2].

I don’t have this book.  Is Stinson's definition different from Boneh’s?

Even if you ask for it to be hard to distinguish (G, aG, bG, abG) from (random, random, random, random), this is still hard if G is a uniformly random element of the group, because with overwhelming probability G will not actually be the identity.
> If you’re using my library, libdecaf, then you can use decaf_point_eq and decaf_point_cond_sel to remove the identity in constant time.  Similar functions are likely available in other libraries.
> That’s interesting. Why not integrate it into the hash-to-curve draft?

Because, as I have been arguing, it’s not necessary and is only negligibly useful.  I guess it could be a note or security consideration?

> That current map-to-curve functions don’t preclude low-order points is a known fact, and acknowledged by the authors in their papers. This is also clear from the hash-to-curve draft.
> What people have tried (so far) to address this issue is by using the clearing-the-co-factor trick. But as explained, this trick doesn’t do any help to address the small subgroup issue in the use case of PAKE. Here, we are talking about a theoretical flaw not a practical attack. The practical effect of this flaw varies according to the underlying groups – if it were in MODP, the effect will be very severe, but the effect has been vastly reduced on elliptic curve due to the size of the small subgroup being small. Ideally, these effects should be removed by design. The security of a protocol shouldn’t depend so much on the choices of the underlying groups.

But as I have already explained, clearing the cofactor isn’t to get rid of low-order points.  It would be required even if the hash cannot return low-order points.  The problem also isn’t more severe for Fp* groups, so long as there is a large prime-order subgroup (and if not, the scheme is insecure anyway, because discrete log is easy).

— Mike