Re: [CFRG] please use real names (was: Re: Small subgroup question for draft-irtf-cfrg-hash-to-curve)

Squeamish Ossifrage <> Sun, 11 April 2021 12:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0475C3A39E5 for <>; Sun, 11 Apr 2021 05:15:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.119
X-Spam-Status: No, score=-1.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO=1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AWfZA6DvYSDP for <>; Sun, 11 Apr 2021 05:15:32 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E62CF3A39E4 for <>; Sun, 11 Apr 2021 05:15:31 -0700 (PDT)
Date: Sun, 11 Apr 2021 12:15:19 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=protonmail; t=1618143328; bh=ey/N56h/WvQZnrKv0C1iZkMGty+0GjT6eXNwNA2YZAc=; h=Date:To:From:Reply-To:Subject:From; b=A5Fso00QKwsJ4mz+OwoGzF+ljLqlyvyBUHZPQkzKj6X7j6iN6eiEUol3nbqAsLWuz lfiwH5NykkWVlU287SVj0vdAQFndOdcZDqvS6YYmBD6oDa9xKOrul+7s+ASu9WGgg2 ehzs0anO0W/cexVo0oSpREGok6LBs0FaAf1FUSgE=
To: "" <>
From: Squeamish Ossifrage <>
Reply-To: Squeamish Ossifrage <>
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [CFRG] please use real names (was: Re: Small subgroup question for draft-irtf-cfrg-hash-to-curve)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 11 Apr 2021 12:15:37 -0000

Hi "Rene" (if that is your real name):

I would be curious to know how the quality of the research is different depending on whether it is signed ‘-=rsw’ or ‘Riad S. Wahby’.  Can you expand on that?

Shirley, using ‘real’ names would only make it easier to form preconceptions about the merit of an argument based on the name of who wrote it, no?  For example, wouldn't you expect much stricter scrutiny on an argument made by a queer carrion fowl calling themself Squeamish Ossifrage?  Nobody would give them a pass on the basis of nominal reputation!

If I were a spook who wanted to slip a back door or shoddy design into a standard for something like a PRNG or a PAKE, I would probably choose a boring name and quietly maintain a plausible-looking CV at a cryptography or networking company that nobody would bat an eye at, and then write long-winded discursive emails on an intimidating mailing list that discourages newcomers who aren't comfortably established in the field with their ‘real’ names (whatever it is that makes one name ‘real’ and another name fake).

—Squeamish Ossifrage

P.S.  To keep this on-topic: The probability of a hash falling into a small subgroup is so small (e.g., ~1/2^252 for Curve25519) that any attack involving it necessarily implies a remarkable structured preimage attack on the hash function—or that you should have bought some lotto tickets instead of spending your time crouched over a glowing rectangle faffing around with hashes and curves.  If you chose a curve for which this probability was large enough to matter, you would be in serious trouble with rho anyway!

Similarly, for example, in AES-GCM there is an almost unimaginably larger probability, 1/2^128, of choosing an all-zero GHASH evaluation point, under which the authenticator is independent of the message content.  But the probability is so small that nobody cares.  And ‘But what if you abuse map_to_curve on its own in a place where the adversary can manipulate the algebraic structure?’ is no more an argument against the complete hash_to_curve design than ‘But what if you abuse GHASH on its own in a place where the adversary can manipulate the algebraic structure?’ is an argument against the complete AES-GCM design.

If you have a user who picks a password that hashes to a small subgroup, that's not a reason for failure—that's a reason to invite them to be coauthor on a paper (under a name they choose, which may not be the name a government has them under in a database that requires the help of a solicitor to change) in a flagship publication, about a novel attack on the hash function!

> Hi "rsw":
> As a general courtesy, may I suggest that all communications use
> people's real names and not some obscure acronym.
> The CFRG is supposed to be a research forum, where people do not hide
> their identity. In fact, in my opinion, IETF should have no place for
> communications by "anonymous".
> Rene
> On 2021-04-10 11:12 a.m., wrote:
>> Hello Feng,
>> "Hao, Feng" <> wrote:
>>> Rsw also gave a similar example of having all zeros for the hash.
>>> Let me clarify that we are not – and shouldn’t be - concerned with
>>> any of such cases since the values are uniformly distributed within
>>> their respective range.
>> Right. And the argument is precisely the same for hash-to-curve!
>> Let me be perfectly clear: the property that hash_to_curve gives
>> is that the output is a uniformly* distributed point in the (big)
>> prime-order subgroup of the target elliptic curve.
>> At the risk of seeming didactic (in which case, apologies): the
>> identity element is indeed an element of the target group G.
>> Put another way: fix a generator g of group G of prime order q. Then,
>> hash_to_curve returns g^r in G, for r sampled uniformly* at random
>> in 0 <= r < q. Under the assumption that discrete log is hard in G,
>> hash_to_curve does not reveal r. Under the preimage and collision
>> resistance of the underlying hash function, one cannot choose any
>> particular r or find two inputs that hash to the same r.
>> I hope this helps clarify the security properties, and why focus
>> on low-order points at intermediate steps of the computation is not
>> relevant to the security of hash_to_curve as specified.
>> * uniformly except for some statistical distance less than 2^-100.
>> Regards,
>> -=rsw
>> _______________________________________________
>> CFRG mailing list
> --
> email: | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
> _______________________________________________
> CFRG mailing list