Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Mike Hamburg <> Sat, 10 April 2021 00:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 93A2A3A184A for <>; Fri, 9 Apr 2021 17:06:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.305
X-Spam-Status: No, score=-1.305 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vVydIXRgMNrU for <>; Fri, 9 Apr 2021 17:06:44 -0700 (PDT)
Received: from (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 106A43A184D for <>; Fri, 9 Apr 2021 17:06:44 -0700 (PDT)
Received: from [] (unknown []) (Authenticated sender: mike) by (Postfix) with ESMTPSA id 0C5BBBB868; Sat, 10 Apr 2021 00:06:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=sldo; t=1618013201; bh=I8KUU3OKz09okDLqZd56m1D/UFF/me5YM+k60bJkuIU=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=JxISYl/3jROw3AK9M6LwkmQlhs78g57rKVHZ3yWlzT/p4A8D241kPvDMMjzvY3cRe rfQaHSg31xP67A9XW9soLdm7xcCDAdDXtHxA1aYxYlJWwEgdZqfAIsHReotNH0NkrV MWovzsKwa57AEZ98c7NFZqzv74a1lsuBL3x4hTtk=
From: Mike Hamburg <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5615E61E-0514-4BEB-A2FC-970CFB537BDD"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Date: Fri, 9 Apr 2021 21:06:38 -0300
In-Reply-To: <>
Cc: =?utf-8?Q?Bj=C3=B6rn_Haase?= <>, CFRG <>
To: "Hao, Feng" <>
References: <> <> <> <> <trinity-f323065e-9f30-48fd-9ead-0865e8f877eb-1618002469856@3c-app-webde-bap03> <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 10 Apr 2021 00:06:49 -0000

> On Apr 9, 2021, at 7:25 PM, Hao, Feng 
> So far hash2curve and CPace/OPQUE have been developed separately with the former being largely assumed as an idealized function. I think now is a good time to look at the integration of the two in a system context. With the current hash2curve draft, as long as map-to-curve returns a low-order point, the user’s password will be inevitably broken by offline dictionary attacks based on the side-channel information. There is nothing the protocol can do (rejecting the point gives away the exact side-channel information needed for offline dictionary attacks). However, one can argue that the chance of this “really bad event” happening is L/q where L is the size of the small sub-group. It’s too small to be of any concern over common elliptic curves, and we hope that never happens. I think this is a perfectly sensible argument from a practical point of view. From a theoretical point of view, the argument is not appealing or neat. Hence, my question is why the small subgroup points can’t be precluded from the map-to-curve function? 

Hello Feng,

Have you considered what happens in CPace if Alice’s SampleScalar() function returns 7?  I’m following the notation of <>. In this case, the password will be vulnerable to a dictionary attack: the key K will be 7*Y_b, which an attacker can quickly detect by checking whether

ISK == H2(sid || 7*Y_b || oc(Y_a, Y_b))

(If ISK is not available, then some hash or encryption with it surely will be.)

Then the adversary will know that G = Map2Point(H_1(sid || oc(P, P’) || pw)) = Y_a / 7, which enables an offline dictionary attack.

Of course, the same consideration applies to every other scalar Alice could sample: if an adversary looks for that event, which occurs with probability 1/p, then Alice will be hacked: her password will be subject to an offline dictionary attack, and her session key will also be compromised.  At first blush, to me anyway, this looks quite similar to what happens if hash_to_curve outputs the identity.  And there’s an independent chance of that happening once per connection, because the sid should be unique.

In other words, the security risk introduced by the point at infinity is on the same order as the most trivial other attack on the protocol.

Nor is the possibility of failure a meaningful concern in practice.  A 2^-256 probability is ridiculously small: it stacks up against events like "Alice and Bob fail to exchange keys because they both get struck by lightning simultaneously, while also being hit by meteors simultaneously”.

The only meaningful concern here is the much greater risk that someone would somehow screw up the failure detection code in a way that introduces an exploitable flaw.

On a more theoretical note, the hash_to_curve function aims to implement an object which has been studied in the literature, and which is used by several cryptosystems and protocols: for some serializable set S, a function S -> G which acts as closely as possible to a random oracle.  In particular, hash_to_curve is designed to be epsilon-indifferentiable from a random oracle with that signature, in the model that the underlying hash is a random oracle.

This is the standard object that has been studied, and which protocols are built around.  You are proposing that we change it to a negligibly different object.  I’m sympathetic to this, but ultimately it is similar to an argument that we should replace pi with tau := 2*pi in mathematical analysis.  It’s extra work for essentially no gain, it requires redoing work that’s been done and will work fine.  There just isn’t enough time in the day for this kind of thing.

Furthermore, while your proposal is arguably a tiny improvement for SPEKE / CPace, and perhaps even for OPAQUE, it’s also a negligible step backwards for PAK and its variants  (if I recall correctly), since their proof uses the uniformity of the hash-to-curve map.  The same likely holds for other systems.  And it complicates the definition and implementation of hash_to_curve.

So I would prefer that we stick here with something that’s been studied and which is already built.

— Mike