Re: [CFRG] please use real names (was: Re: Small subgroup question for draft-irtf-cfrg-hash-to-curve)
Squeamish Ossifrage <squeamishossifrage.se@protonmail.com> Sun, 11 April 2021 12:15 UTC
Date: Sun, 11 Apr 2021 12:15:19 +0000
To: "cfrg@irtf.org" <cfrg@irtf.org>
From: Squeamish Ossifrage <squeamishossifrage.se@protonmail.com>
Reply-To: Squeamish Ossifrage <squeamishossifrage.se@protonmail.com>
Message-ID: <5kNv_5tUGSftaikmVD_WOJNEXwJjdLV07YODBNFunXGvBKKTOJ2ytxrCKgsj9OgNK3fB_ofUTv7pYbKO-akAqXmhszP0-eYfzj8B6lCRuwg=@protonmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/U6nWo0nCqAlXuuWpSIuazkHRG4g>
Subject: Re: [CFRG] please use real names (was: Re: Small subgroup question for draft-irtf-cfrg-hash-to-curve)
Hi "Rene" (if that is your real name):

I would be curious to know how the quality of the research is different depending on whether it is signed ‘-=rsw’ or ‘Riad S. Wahby’. Can you expand on that?

Shirley, using ‘real’ names would only make it easier to form preconceptions about the merit of an argument based on the name of who wrote it, no? For example, wouldn't you expect much stricter scrutiny on an argument made by a queer carrion fowl calling themself Squeamish Ossifrage? Nobody would give them a pass on the basis of nominal reputation!

If I were a spook who wanted to slip a back door or shoddy design into a standard for something like a PRNG or a PAKE, I would probably choose a boring name and quietly maintain a plausible-looking CV at a cryptography or networking company that nobody would bat an eye at, and then write long-winded discursive emails on an intimidating mailing list that discourages newcomers who aren't comfortably established in the field with their ‘real’ names (whatever it is that makes one name ‘real’ and another name fake).

Sincerely,
—Squeamish Ossifrage

P.S. To keep this on-topic: The probability of a hash falling into a small subgroup is so small (e.g., ~1/2^252 for Curve25519) that any attack involving it necessarily implies a remarkable structured preimage attack on the hash function—or that you should have bought some lotto tickets instead of spending your time crouched over a glowing rectangle faffing around with hashes and curves. If you chose a curve for which this probability was large enough to matter, you would be in serious trouble with rho anyway! Similarly, for example, in AES-GCM there is an almost unimaginably larger probability, 1/2^128, of choosing an all-zero GHASH evaluation point, under which the authenticator is independent of the message content. But the probability is so small that nobody cares.

And ‘But what if you abuse map_to_curve on its own in a place where the adversary can manipulate the algebraic structure?’ is no more an argument against the complete hash_to_curve design than ‘But what if you abuse GHASH on its own in a place where the adversary can manipulate the algebraic structure?’ is an argument against the complete AES-GCM design. If you have a user who picks a password that hashes to a small subgroup, that's not a reason for failure—that's a reason to invite them to be coauthor on a paper (under a name they choose, which may not be the name a government has them under in a database that requires the help of a solicitor to change) in a flagship publication, about a novel attack on the hash function!

> Hi "rsw":
>
> As a general courtesy, may I suggest that all communications use
> people's real names and not some obscure acronym.
>
> The CFRG is supposed to be a research forum, where people do not hide
> their identity. In fact, in my opinion, IETF should have no place for
> communications by "anonymous".
>
> Rene
>
> On 2021-04-10 11:12 a.m., rsw@cs.stanford.edu wrote:
>> Hello Feng,
>>
>> "Hao, Feng" <Feng.Hao=40warwick.ac.uk@dmarc.ietf.org> wrote:
>>> Rsw also gave a similar example of having all zeros for the hash.
>>> Let me clarify that we are not – and shouldn't be – concerned with
>>> any of such cases since the values are uniformly distributed within
>>> their respective range.
>>
>> Right. And the argument is precisely the same for hash-to-curve!
>>
>> Let me be perfectly clear: the property that hash_to_curve gives
>> is that the output is a uniformly* distributed point in the (big)
>> prime-order subgroup of the target elliptic curve.
>>
>> At the risk of seeming didactic (in which case, apologies): the
>> identity element is indeed an element of the target group G.
>>
>> Put another way: fix a generator g of group G of prime order q. Then,
>> hash_to_curve returns g^r in G, for r sampled uniformly* at random
>> in 0 <= r < q. Under the assumption that discrete log is hard in G,
>> hash_to_curve does not reveal r. Under the preimage and collision
>> resistance of the underlying hash function, one cannot choose any
>> particular r or find two inputs that hash to the same r.
>>
>> I hope this helps clarify the security properties, and why focus
>> on low-order points at intermediate steps of the computation is not
>> relevant to the security of hash_to_curve as specified.
>>
>> * uniformly except for some statistical distance less than 2^-100.
>>
>> Regards,
>>
>> -=rsw
>>
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>
>
> --
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
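The "g^r for uniformly random r" model from rsw's quoted message, and the 1/2^252 versus 1/2^128 comparison in the P.S. above, worked through as an added Python example. This is not code from the thread or from the hash-to-curve draft: the toy group (the order-11 subgroup of Z_23^*, generator 4) and the use of SHA-256 to derive the exponent are constructed for illustration only, and `idealised_hash_to_group` is the idealised model, not the draft's map-to-curve plus cofactor-clearing construction. The Curve25519 prime-order subgroup size is the value given in RFC 7748.

```python
import hashlib
import math

# Constructed toy group: the prime-order-q subgroup of Z_p^* with p = 2q + 1.
# Any point of the subgroup, the identity included, is a legitimate element of G.
P = 23
Q = 11
G = 4  # 4 = 2^2 is a quadratic residue mod 23, so it generates the order-11 subgroup


def elem_order(x: int, p: int = P) -> int:
    """Multiplicative order of x in Z_p^*, by brute force (fine for the toy group)."""
    k, y = 1, x % p
    while y != 1:
        y = (y * x) % p
        k += 1
    return k


def idealised_hash_to_group(msg: bytes, q: int = Q, g: int = G, p: int = P) -> int:
    """Idealised model from the thread: return g^r with r = H(msg) mod q.

    This is NOT the hash_to_curve algorithm of the draft; it is only the
    'uniform exponent' abstraction used to reason about small-subgroup outputs.
    Choosing r requires a structured preimage on H, so an attacker cannot
    steer the output to a particular element (the identity included).
    """
    r = int.from_bytes(hashlib.sha256(msg).digest(), "big") % q
    return pow(g, r, p)


def identity_hits_over_all_exponents(q: int = Q, g: int = G, p: int = P) -> int:
    """Count the r in [0, q) that map to the identity: exactly one, i.e. probability 1/q."""
    return sum(1 for r in range(q) if pow(g, r, p) == 1)


# Curve25519 prime-order subgroup size l from RFC 7748 (order of the base point).
CURVE25519_L = 2**252 + 27742317777372353535851937790883648493


def log2_identity_probability(order: int) -> float:
    """log2 of the chance that a uniform element of a group of this order is the identity."""
    return -math.log2(order)


def bits_of_margin_vs_ghash(order: int = CURVE25519_L) -> float:
    """How many bits rarer hitting the identity in a uniform hash-to-group output is
    than hitting the all-zero GHASH key (probability 2^-128) in AES-GCM."""
    return math.log2(order) - 128


if __name__ == "__main__":
    print("toy generator order:", elem_order(G))
    print("identity hits over all exponents:", identity_hits_over_all_exponents())
    print("toy output for b'password':", idealised_hash_to_group(b"password"))
    print("log2 P[identity] on Curve25519 subgroup:", log2_identity_probability(CURVE25519_L))
    print("bits of margin vs all-zero GHASH key:", bits_of_margin_vs_ghash())
```

The point the toy makes is the one rsw states: the identity shows up exactly once among the q possible exponents, so a uniform output lands on it with probability 1/q, and for Curve25519 that is about 2^-252, some 124 bits rarer than the all-zero GHASH key that nobody worries about in AES-GCM.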