Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

"Hao, Feng" <Feng.Hao@warwick.ac.uk> Fri, 09 April 2021 18:01 UTC

Return-Path: <Feng.Hao@warwick.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4A803A29CA for <cfrg@ietfa.amsl.com>; Fri, 9 Apr 2021 11:01:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id owigLUCLLJ2B for <cfrg@ietfa.amsl.com>; Fri, 9 Apr 2021 11:01:08 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130089.outbound.protection.outlook.com [40.107.13.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A20543A29DC for <cfrg@irtf.org>; Fri, 9 Apr 2021 11:01:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MnHLTARRINuPIVZyI5vOylzoW929uCXEATY3tt8SRWjf4RSbzhmJO7+SbkpW1zMqht8l1DhsmeA1mVvzmccrNriC4nkUdEdwcgZpCgFYjCD0oVmDvv0p35CbVya/D4egrh1x0eRQ7QKkDNgAQc1GGjbLbp5Ep9M5sNlKrn4iUvfLvP4Woe20e7FnFw689p/31uZDt2vJWuoBPvAmCvtVkLqoBtc9dgBuco9uYpF+B9S6GkhFZCzOQYR7cWKTw3mS3B6HKyLS9Dl7zBrjgdOiulPBlzpUAUyFPtjLNQo2DxM6rIcEfibgd1cId+tjJ4zIlE2YSRj2kl5Dyzc5kBcD1w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nsGl4DFYPWDRcTFQTxR4kPAXg9LtQfshQowxCrQVBAg=; b=OEhVCNDTdM2pr1J/0Ce2ZPknojKzTJ0ZL8n48eSXJa8Nwt97hmj1nOEny9afRT1ZBXV+8ha71Y0cAwpuJLj28un28gHqntvhsit8MVesE6zVOhAfgfKm1WZxlrUWk8iilea9NuN4ma0czXxFV8VoQkAwA9PmvHa+ylQLG5Gw1wgHZyqKQt6bAbY5gf2Dnzd2mtbEuslLUaLNQtUGvrDrZQAdvxptCXwaQyGJz913RF0n+x3Ynp29fOGupZUt0yLlav93N/ne9NQmYuFi9Y/3jGTweM8mNOnvdcgiD88TN7FkOCpzGa2zjSC+e+DINivHb8s34/KgLjn4zfN8p9aS5w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=warwick.ac.uk; dmarc=pass action=none header.from=warwick.ac.uk; dkim=pass header.d=warwick.ac.uk; arc=none
Received: from VI1SPR01MB0357.eurprd01.prod.exchangelabs.com (2603:10a6:803:8d::12) by VE1PR01MB6032.eurprd01.prod.exchangelabs.com (2603:10a6:803:109::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3999.27; Fri, 9 Apr 2021 18:00:56 +0000
Received: from VI1SPR01MB0357.eurprd01.prod.exchangelabs.com ([fe80::5865:9e5a:626f:8953]) by VI1SPR01MB0357.eurprd01.prod.exchangelabs.com ([fe80::5865:9e5a:626f:8953%4]) with mapi id 15.20.3999.032; Fri, 9 Apr 2021 18:00:53 +0000
From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: Russ Housley <housley@vigilsec.com>
CC: IRTF CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
Thread-Index: AQHXLUZyltFEkNrErU2XoZAaYPSJsKqsQ0gAgAADtICAAAg2loAAEBmAgAAFKqM=
Date: Fri, 09 Apr 2021 18:00:53 +0000
Message-ID: <VI1SPR01MB0357BA06CDB658736C1B378DD6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com>
References: <e270e62d-941d-0a87-7dc9-cf80f73b5aeb@jacaranda.org> <d0778523-5f5d-4327-b795-279918c1899c@www.fastmail.com> <CAMr0u6=PBX1W5zQFmpxKQ=ViUXN9QK00BREL4M0=2HOkaXaiZw@mail.gmail.com> <VI1SPR01MB03573585C37B871D200ECC23D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <4590aaa512acf5a482c9890ebe48f1760e5831a5.camel@loup-vaillant.fr> <F9593D27-3244-470E-89BE-85215B2DC9E7@shiftleft.org> <VI1SPR01MB0357AE729116A79C8DF70516D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com>, <58DC133A-AD85-4A66-BD18-60974486DC6D@vigilsec.com>
In-Reply-To: <58DC133A-AD85-4A66-BD18-60974486DC6D@vigilsec.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: vigilsec.com; dkim=none (message not signed) header.d=none; vigilsec.com; dmarc=none action=none header.from=warwick.ac.uk;
x-originating-ip: [86.1.162.194]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 959d3e77-5368-42af-2db4-08d8fb816b13
x-ms-traffictypediagnostic: VE1PR01MB6032:
x-microsoft-antispam-prvs: <VE1PR01MB60324B57390D113BC36F6E57D6739@VE1PR01MB6032.eurprd01.prod.exchangelabs.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: V40irBbdVeZy/Y1aBu/9Q2rvCTaTcjr6r2/tL4aO6S68r8AvDIBKrSaegtzIcJ1eeL1xUEqoDph0aXhCBGD727YNI5WtVCpJPey6/Syc3bYXlxHbFS56MQUwnu1FfvNgswOUnwZDGBG7NM1VOASDcJ4OPdGKtn64yJg37+nQZGtA5hlmQDnxD7Fxh1MHBZBYvUvRydalnQW5LVPUOpFVp+mcU5zyJTKcMqHFpjt87Icmb6DvqKIFrKbkevv2/SdhG2uRzEwZ087wvuDshKnmOn03kAxZQMYdu/gM4pSZo1YDn4dlkuFnpoWzkrlQlOr+ulSOVgijZxwcI+P8jGi9gRhPZXMQnXlY+1nFsaKmqaagXYQtBKTsd6a96eU2Z0h0EnJKzx4GYpGIsOa1t4jWk/IbaJxYvm2T2FZbuU5hwsdzEiIa8G33W6XGxCY3brkJRh2rj03J7uhka0KPnctBHOH4JzV6OhYkAzz96o6Icenuug/RypI5ipt1RrvLV95ns3HdK0fWfw4yEZ8bY26dIqRN0gXPWLwsBrKrUrFpxYBQfESZqDQ3TInc73WBPJKiQjEKY5bHkXyNCHz8RUEwyrz0aXold/iJmuGJKJtMerKPafUJaz/nudUR8Psx9rx9953J91a2fHoU6MayzDV+SF1q8/Sw0VN8TM2q9EDcYDBB2pXF+MdRkVqW11fMI/OGdILaEaEW3UNWloza0rAJfnf+mUM3mZoTLts28xq/OEjKlIpD3YDe1KZ23h3UgHch
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1SPR01MB0357.eurprd01.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(366004)(346002)(136003)(39850400004)(396003)(52536014)(71200400001)(83380400001)(5660300002)(53546011)(6916009)(7696005)(6506007)(33656002)(478600001)(786003)(316002)(26005)(38100700001)(86362001)(8936002)(66476007)(2906002)(66946007)(66446008)(64756008)(4326008)(66556008)(91956017)(9686003)(966005)(186003)(166002)(55016002)(76116006)(8676002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: HUCtWZtLzjrUVHykVnKmdDSc9ZAyy1whO9/F8jSL4Yzg9FuL3FkBwGNjJtKW6Ay0mY1JV+UWIxAelTZ0Fh+lx41RDuBiTdyUuMQgQgbbwAaMcWuR3PH+lj/HPd0QDXLRmH9gbCZlVAuwJIgRzalJMtpkKSSNjqW+lpJnzho+h7KHneKJBNXrZCD9Qx1BESSOzLE3cEU3vvRvShsbRdCK5kFQvNyIG2M2lB0ehjeRhuqCvpRzBI0HP+kd83KAzVQHjnJ+4ed+PzSkrwt2BjfoP2JyXt5cZMLHpSU7UtSZPuXLaDU/oCKF6MYAAUuxxH8EnKkgBiBYGn+mQUdVFl9DGlyPXO1VuxUMt3pyQNa6w5Kmqh78+0Z3Yq4HIVM62qIkQX1bco6AnNyfQLdQ4ongMPYCBBS/QiRiaAzxY1Ynz2qbSH5vxi7C4S8XCo15FbASQWoI/RgqigJzOadnvxTg9RhTjDAThXTcQhMRpawwoK3IhkjY9IOG+FHjoP5HX9wzAHgWKeQ5XNxlAMbLDzYWAmFSebWQ3Gyiij40A6i5YRw04YeJHa8zghMpS87d1bxcIcCCefsDc1noSaygWqWSCt4ZwKC1LZYLBzqTkBmF38i8545cBN6kfjPbpuCz5Kp/xiQ6ixdMsDBz2fKpX//tQLWiY8aHy3VqtZU8ck6dHSxl26pw5hcOucXlDMoeyEkF2pr/l8M6UIp58mvrypzZFbTHZeEwiGX4MNNV46QimqDiUHvtCCBNhTXuNWMHrdTYxHIoxYXS/KPKExly/fpKj62fO/Kg7y8NALrrokXTd+11LmPeqykF5G0lYaPMYkWDW+TPe/11Fz7/zY5pQN6gQnPcmzwDs4oAj8ePIsdW1MO1YzN4zJDKe0yeMYUGPVXEFGQAWASwXOE+JJO6JzxCwxfRi1Eam9h45YqRkmSpShQLH/LmP7jv9SVT2xOmf3TEQPbVYuluFv9RrDCqFWBmS38AvGNCNP22CQlv97ZRI/k/mW2mviGgwT6pd11GPbCf/Sd5xiIcKgXXxbIsEfs9lCAKezor0cHc2em4ndn9FEQht/9UcI1TxKD33ntp4YIDcldxT2QE3XgxMJ+EJlocrMgINtRKWeocO9Z6XRnDyZLONLJBlA7n8S8RPDuISRKEPNCRSVUHthYFYIgd8/ADPkm4RfIl3M2xMhNAyIRb9CXgYpn+T9tMssVntUprZsLXdngrJDbPaLRTkuXhSTvAXi0V5/hDIjkwiUBO8EQvpA//HSdPByd/QbCatH4fH8pFc4rJ4I4RzuZXchuJOfLyblyXuBApJM7TcZZoNL7ak6zRtaLY8KXzx3QcUctPFX1SuPG9Gflh9cct+L+oqLCbwQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_VI1SPR01MB0357BA06CDB658736C1B378DD6739VI1SPR01MB0357eu_"
MIME-Version: 1.0
X-OriginatorOrg: warwick.ac.uk
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: VI1SPR01MB0357.eurprd01.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 959d3e77-5368-42af-2db4-08d8fb816b13
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Apr 2021 18:00:53.7457 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: lpCjCAnhdOyR1m3xPaYmC0V+PHW7tycL7hkLCHEycoSEorqb1TeceyR8o/fsB/ZxK1MCPpWQbpBpVdb86M7IM1y/5JNrRBP1ZpG0j827Z/8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1PR01MB6032
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/W2nxCYuYGUMEUCoTNi0STt0CzYY>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2021 18:01:17 -0000

That’s certainly a convenient solution. However, a proper one would be to preclude small subgroup points by design. The real problem here is to ensure mapping to points in the “correct” group on an elliptic curve, not just any point. The current draft doesn’t solve that real problem (yet). I don’t think this is impossible to solve, but it needs some more efforts.

Cheers,
Feng

From: Russ Housley <housley@vigilsec.com>
Date: Friday, 9 April 2021 at 17:25
To: Hao, Feng <Feng.Hao@warwick.ac.uk>
Cc: IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
Isn't the best solution to talk about this in the Security Considerations?  This gives ample opportunity to describe the likelihood of landing in a small subgroup, and what, if any, actions an implementor wants to take.

Russ



On Apr 9, 2021, at 12:18 PM, Hao, Feng <Feng.Hao=40warwick.ac.uk@dmarc.ietf.org<mailto:Feng.Hao=40warwick.ac.uk@dmarc.ietf.org>> wrote:

Hi Loup and Mike,

Thanks for the comments. As your arguments have something in common, so I will reply together.

First, let me re-iterate my two main questions:


  1.  Do we agree we need an algorithm specification be “complete”, covering all usual and edge cases? In the current hash-to-curve draft, there is a failure mode that is non-recoverable. I’m concerned about this as I haven’t come across something like this before. My question is not on the probability, but the “completeness” of an algorithm specification.
  2.  If a protocol is provably secure under some assumption, do we agree the assumption should be “precise”? There is a clear discrepancy in what’s assumed in the CPace, OPAQUE and maybe other protocols and what’s actually provided by the concrete construction. Either should the assumption in the security proof be modified to fit the real construction, or the construction modified to fit the actual assumption in the proof.

Both of you mention that the probability of falling into a small subgroup in common elliptic curves is negligible, and hence should be ignored. However, we should be aware of the function creep once the map-to-curve functions are deployed at scale. For example, if a user already has an input value in F_p, does he still have to go through the hash_to_field step (which is complex on its own)? A conscious implementer will quite likely skip this step. But that will give more freedom to an attacker to engineer the input such that the output falls into a small subgroup. The negligible probability in your analysis will no longer hold. For a safe implementation, precluding small-group points should be built into the map-to-curve function itself (in constant time of course). I know that’s hard, but that’s exactly why the hash-to-curve function has remained so tricky to get right in PAKE since early 2000s.

Cheers,
Feng

> My opinion as an implementer is two fold:
>
> 1. Excluding low-order points is quite the hassle, and it's not
>   clear how I could do it in constant time.
> 2. We never generate those points to begin with.
>
> I don't want to deal with (1), which makes (2) very convenient for me.
> So I'll just justify (2), using Curve25519 as an example:
>
> - The order of the prime subgroup is a little over 2^252.
> - The cofactor is 8.
> - Therefore, Curve25519 has a little over 2^255 points.
> - Selecting a point at random will give a low-order point about
>  once every 2^252 trials. That means never.
>
> The security of a curve is basically the square root of its prime
> order. Here, 2^125 or so. Breaking it with standard brute force methods
> is incommensurately easier than stumbling upon a low-order point by
> chance.
>
> In security parlance, a probability of 1/2^255 isn't just "extremely
> small", it's "flat out impossible". I can therefore justify my laziness
> and chose not to check for that event.
>
> ---
>
> Note that generating a small-subgroup point *on purpose* will not work
> either: Curve25519 has 8 low-order points, and a maximum of 16
> representatives for those points (maybe a couple more if we allow
> representatives over 2^255 - 19). The inputs are hashed before we map
> the hash to the curve. So it's not enough to pick a matching
> representative, we need to pick a hash whose image is one of those
> representatives.
>
> To do this, we need to conduct a multi-preimage attack on a 2^255-bit
> hash, with 16 images. The difficulty of that attack is roughly 2^251.
> Again, this is impossible if the hash is secure.
>
> As a consequence, I cannot generate test vectors that account for this
> edge case even if I wanted to. Even if I wasn't lazy, accounting for
> low-order points means writing code I cannot trigger even if I want to
> —dead code. That will only harm security in practice.
>
>
>> In CPace and OPAQUE, both protocols use the output of hash-to-curve
>> as a base generator. The implicit assumption is that the returned
>> value from hash-to-curve must be a non-identity point in a subgroup
>> of the large prime order.
>
> This assumption is correct as far as I can tell: yes, in *theory*, we
> have a couple exceptions. In *practice*, those exceptions will never
> occur. The probabilities are low enough to be considered negligible.
>
>
>> Has this issue been considered? Apologies if I missed any discussion
>> on this before.
>
> Likely. I haven't followed past discussions though, so I cannot say.
>
> Loup.

Yeah, the usual answer is: if an event happens with negligible probability,
and an adversary can’t cause it to happen more often, and it only breaks
one thing, then it doesn’t affect security.  Any reasonable adversarial
strategy has some chance to break the protocol anyway (e.g. just guess
someone’s private key), and this unlikely event doesn’t significantly
contribute to that chance.  I haven’t checked the details for CPace and
OPAQUE, but for cases I’ve looked at it’s been fine.

Of course, implementations will not be fully compliant with the spec
unless they can properly handle the identity point.  They would have to
do another analysis to see whether this sort of non-compliance is itself
a security issue, but the answer would probably again be: not unless
an adversary can cause it to happen.

Cheers,
— Mike
_______________________________________________
CFRG mailing list
CFRG@irtf.org<mailto:CFRG@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg