[CFRG] Re: [Technical Errata Reported] RFC9497 (7925)
Jack Grigg <ietf@jackgrigg.com> Tue, 07 May 2024 15:57 UTC
From: Jack Grigg <ietf@jackgrigg.com>
Date: Tue, 07 May 2024 16:56:53 +0100
To: RFC Errata System <rfc-editor@rfc-editor.org>
CC: alex.davidson92@gmail.com, armfazh@cloudflare.com, irsg@irtf.org, cfrg@irtf.org
In-Reply-To: <20240507133422.E6D1F1996069@rfcpa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/XJQiX6M0B6ub8C3_ZB_MTOyZGXU>
Hi all,

On Tue, May 7, 2024 at 2:34 PM RFC Errata System <rfc-editor@rfc-editor.org> wrote:

> The following errata report has been submitted for RFC9497,
> "Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7925
>
> --------------------------------------
> Type: Technical
> Reported by: Stefan Santesson <stefan@aaa-sec.com>
>
> Section: 4.3
>
> Original Text
> -------------
> HashToScalar(): Use hash_to_field from [RFC9380] using L = 48,
> expand_message_xmd with SHA-256, DST = "HashToScalar-" ||
> contextString, and a prime modulus equal to Group.Order().
>
> Corrected Text
> --------------
> HashToScalar(): Compute uniform_bytes using expand_message =
> expand_message_xmd, DST = "HashToScalar-" || contextString, and
> an output length of 48 bytes, interpret uniform_bytes as a
> 384-bit integer in little-endian order, and reduce the integer
> modulo Group.Order().
>
> Notes
> -----
> It is incorrect to refer to the hash_to_field operation of RFC 9380
> because the implementation of hash_to_field, as described in section 5.2 of
> RFC 9380, reduces the result integer mod Field order (not Group order).

This is a misreading of both RFC 9380 and RFC 9497.

RFC 9380 Section 5.2 defines the hash_to_field parameters. These parameters in particular are relevant:

> - F, a finite field of characteristic p and order q = p^m.
> - p, the characteristic of F (see immediately above).
> - m, the extension degree of F, m >= 1 (see immediately above).

I'll use F.p, F.q, and F.m to reference these below.

RFC 9497 Section 2.1 defines Group.Order() (somewhat tautologically) as the order of the group (p). It then defines scalars thusly:

> Scalar multiplication by r is equivalent to the repeated application of the group operation on an element A with itself r - 1 times; [..] The set of scalars corresponds to GF(p), a prime field of order p.

It is therefore correct to refer to hash_to_field in RFC 9497 in the context of producing a scalar of the Group. The Field order F.q of that scalar field is precisely Group.Order() by definition, and because it is also prime by definition (and thus has no factors), this forces F.m = 1 and thus F.p = F.q.

> 7. e_j = OS2IP(tv) mod p
>
> Where p is the characteristic of field F.

Per above, F.p here is precisely Group.Order().

Cheers,
Jack

> The current text implies that the existing hash_to_field implementation for
> P-256 can be used. But using this will cause a false result due to the mod
> field order operation.
>
> A better, and accurate, way to describe this is by using the same
> explanation as for other curve types and specify the use of
> expand_message_xmd directly modulus Group.Order().
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". (If it is spam, it
> will be removed shortly by the RFC Production Center.) Please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> will log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC9497 (draft-irtf-cfrg-voprf-21)
> --------------------------------------
> Title : Oblivious Pseudorandom Functions (OPRFs) Using
> Prime-Order Groups
> Publication Date : December 2023
> Author(s) : A. Davidson, A. Faz-Hernandez, N. Sullivan, C. A.
> Wood
> Category : INFORMATIONAL
> Source : Crypto Forum Research Group
> Stream : IRTF
> Verifying Party : IRSG
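Added worked example (not part of Jack's message, the erratum report, or any code from RFC 9497 or RFC 9380): a minimal Python implementation of expand_message_xmd and hash_to_field as RFC 9380 defines them, instantiated with the parameters the RFC 9497 text gives for HashToScalar in the P256-SHA256 suite (L = 48, prime modulus = Group.Order(), which forces m = 1, and DST = "HashToScalar-" || contextString). The contextString is built as RFC 9497 specifies, "OPRFV1-" || I2OSP(mode, 1) || "-" || identifier, here with mode 0x00 (OPRF) and identifier "P256-SHA256". The P-256 field prime and group order are written in as constants, the test message is a constructed value, and the expander is checked against the SHA-256 known-answer test from RFC 9380 Appendix K.1. The point demonstrated is the one in the thread: hash_to_field with p = Group.Order() produces exactly "OS2IP(48 expanded bytes) mod Group.Order()", whereas a hash_to_field instance parameterised for the curve's base field (p = field prime) gives a different scalar.

```python
import hashlib

# P-256 constants (standard curve parameters, written in here so the example is self-contained)
P256_FIELD_PRIME = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_GROUP_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def i2osp(x, length):
    """RFC 8017 I2OSP: non-negative integer to big-endian octet string of fixed length."""
    return x.to_bytes(length, "big")


def os2ip(octets):
    """RFC 8017 OS2IP: big-endian octet string to non-negative integer."""
    return int.from_bytes(octets, "big")


def expand_message_xmd(msg, dst, len_in_bytes, hash_fn=hashlib.sha256):
    """expand_message_xmd from RFC 9380 Section 5.3.1."""
    b_in_bytes = hash_fn().digest_size     # 32 for SHA-256
    s_in_bytes = hash_fn().block_size      # 64 for SHA-256
    ell = -(-len_in_bytes // b_in_bytes)   # ceil(len_in_bytes / b_in_bytes)
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("expand_message_xmd: parameters out of range")
    dst_prime = dst + i2osp(len(dst), 1)
    z_pad = i2osp(0, s_in_bytes)
    msg_prime = z_pad + msg + i2osp(len_in_bytes, 2) + i2osp(0, 1) + dst_prime
    b_0 = hash_fn(msg_prime).digest()
    b_prev = hash_fn(b_0 + i2osp(1, 1) + dst_prime).digest()   # b_1
    uniform_bytes = b_prev
    for i in range(2, ell + 1):
        mixed = bytes(x ^ y for x, y in zip(b_0, b_prev))       # strxor(b_0, b_(i-1))
        b_prev = hash_fn(mixed + i2osp(i, 1) + dst_prime).digest()
        uniform_bytes += b_prev
    return uniform_bytes[:len_in_bytes]


def hash_to_field(msg, count, p, m, L, dst):
    """hash_to_field from RFC 9380 Section 5.2 with expand_message = expand_message_xmd(SHA-256).

    p is the characteristic of the target field F, m its extension degree and L the
    per-coordinate expansion length. Returns count elements, each a list of m integers.
    """
    uniform_bytes = expand_message_xmd(msg, dst, count * m * L)
    elements = []
    for i in range(count):
        e = []
        for j in range(m):
            elm_offset = L * (j + i * m)
            tv = uniform_bytes[elm_offset:elm_offset + L]
            e.append(os2ip(tv) % p)        # step 7: e_j = OS2IP(tv) mod p
        elements.append(e)
    return elements


def oprf_context_string(mode, identifier):
    """contextString = "OPRFV1-" || I2OSP(mode, 1) || "-" || identifier, per RFC 9497."""
    return b"OPRFV1-" + i2osp(mode, 1) + b"-" + identifier


# OPRF mode (0x00) with the P256-SHA256 ciphersuite identifier.
HASH_TO_SCALAR_DST = b"HashToScalar-" + oprf_context_string(0x00, b"P256-SHA256")


def hash_to_scalar_as_specified(msg):
    """RFC 9497 Section 4.3 as written: hash_to_field with L = 48 and a prime modulus
    equal to Group.Order(). Because the modulus is prime, the extension degree m is 1."""
    return hash_to_field(msg, 1, P256_GROUP_ORDER, 1, 48, HASH_TO_SCALAR_DST)[0][0]


def hash_to_scalar_direct(msg):
    """Expand to 48 bytes and reduce the big-endian integer modulo Group.Order()."""
    return os2ip(expand_message_xmd(msg, HASH_TO_SCALAR_DST, 48)) % P256_GROUP_ORDER


def hash_to_scalar_wrong_modulus(msg):
    """The mistake the report warns about: reusing a hash_to_field instance that was
    parameterised for the curve's base field (p = field prime) instead of Group.Order()."""
    return hash_to_field(msg, 1, P256_FIELD_PRIME, 1, 48, HASH_TO_SCALAR_DST)[0][0]


def expander_matches_rfc9380_kat():
    """Known-answer check from RFC 9380 Appendix K.1 (SHA-256, empty message, 32 bytes)."""
    dst = b"QUUX-V01-CS02-with-expander-SHA256-128"
    expected = "68a985b87eb6b46952128911f2a4412bbc302a9d759667f87f7a21d803f07235"
    return expand_message_xmd(b"", dst, 32).hex() == expected


if __name__ == "__main__":
    msg = b"constructed example input"     # constructed value, not from any spec
    assert expander_matches_rfc9380_kat()
    s_spec = hash_to_scalar_as_specified(msg)
    print("hash_to_field(p = Group.Order()) == direct reduction:", s_spec == hash_to_scalar_direct(msg))
    print("hash_to_field(p = field prime) differs:", hash_to_scalar_wrong_modulus(msg) != s_spec)
```

One further observation from running the two descriptions side by side: hash_to_field reads the 48 bytes with OS2IP, which is big-endian, while the erratum's proposed Corrected Text says to interpret uniform_bytes in little-endian order, so the two descriptions would also differ in byte order, not only in the choice of modulus.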