Re: [Cfrg] Comments regarding draft-sullivan-cfrg-hash-to-curve

David Núñez <dnunez@lcc.uma.es> Wed, 21 March 2018 09:57 UTC

Hi all,
I, too, am very interested in supporting this RFC; I think it's very necessary. Apart from the good points raised by Jason in the previous mail, I have some comments on the Try-and-increment method in Appendix A. Although it is an appendix, I believe special care should be taken with this function too, since it's very attractive due to its simplicity and generality (of course, when timing attacks are not a concern).

Comments:
- Current pseudocode relies on I2OSP failing to avoid looping forever when ctr > 256^4. Although this only happens with probability 2^-32, perhaps it should be an explicit condition for the loop. This should also be acknowledged in the introduction, since the size of this counter determines the probability of failure, as in the MapToGroup approach.
- Clarify the meaning of "2n-octet string" when introducing RS2ECP. Also, RS2ECP is not explicitly defined in RFC8032, but in https://tools.ietf.org/id/draft-goldbe-vrf-01.html#suites. According to that, only when the curve is Ed25519 is RS2ECP defined in Section 5.1.3 of [RFC8032].

Regards,
David
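The explicit loop bound asked for in the first comment, as an added Python example that is not code from the draft or from this thread. It assumes secp256k1 (whose prime p is 3 mod 4, so a square root is one exponentiation), SHA-256 as the hash, and a 4-octet counter; I2OSP overflow is treated as a programming error, and the loop ends on its own bound.

```python
import hashlib

# secp256k1 parameters (a real curve, chosen here because p = 3 (mod 4))
P = 2**256 - 2**32 - 977
A, B = 0, 7

def i2osp(x: int, length: int) -> bytes:
    """RFC 8017 I2OSP: raises if x does not fit in `length` octets."""
    if x < 0 or x >= 256 ** length:
        raise ValueError("integer too large for I2OSP")
    return x.to_bytes(length, "big")

def os2ip(octets: bytes) -> int:
    return int.from_bytes(octets, "big")

def on_curve(x: int, y: int) -> bool:
    return (y * y - (x**3 + A * x + B)) % P == 0

def try_and_increment(msg: bytes, max_tries: int = 256):
    """Hash msg to a curve point with an explicit bound on the counter.

    Returns (x, y, ctr) for the first ctr whose hash gives a valid x, or
    raises RuntimeError once max_tries is exhausted. Each try succeeds with
    probability about 1/2, so the failure probability is about 2^-max_tries.
    """
    if max_tries > 256 ** 4:
        raise ValueError("ctr must stay encodable in 4 octets")
    for ctr in range(max_tries):            # explicit bound, not I2OSP failing
        h = hashlib.sha256(msg + i2osp(ctr, 4)).digest()
        x = os2ip(h) % P
        rhs = (x**3 + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)       # candidate root; valid since P = 3 (mod 4)
        if (y * y) % P == rhs:              # rhs was a quadratic residue
            return x, y, ctr
    raise RuntimeError(f"no point found after {max_tries} tries")

if __name__ == "__main__":
    x, y, ctr = try_and_increment(b"constructed test message")
    print(f"ctr={ctr} on_curve={on_curve(x, y)}")
```

Note that the loop is not constant time: the number of iterations, and hence the timing, depends on the input, which is the caveat the comment above already makes.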