[CFRG] Re: [Technical Errata Reported] RFC9497 (7925)

Stefan Santesson <stefan@aaa-sec.com> Fri, 10 May 2024 06:18 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51863C15154D for <cfrg@ietfa.amsl.com>; Thu, 9 May 2024 23:18:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aaa-sec.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eHvhohNTxyTh for <cfrg@ietfa.amsl.com>; Thu, 9 May 2024 23:17:58 -0700 (PDT)
Received: from smtp.outgoing.loopia.se (smtp.outgoing.loopia.se [93.188.3.37]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59F9EC151549 for <cfrg@irtf.org>; Thu, 9 May 2024 23:17:57 -0700 (PDT)
Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id DF1AE300F25A for <cfrg@irtf.org>; Fri, 10 May 2024 08:17:54 +0200 (CEST)
Received: from s981.loopia.se (unknown [172.22.191.5]) by s807.loopia.se (Postfix) with ESMTP id CDFA82E27E3B; Fri, 10 May 2024 08:17:54 +0200 (CEST)
Received: from s470.loopia.se (unknown [172.22.191.5]) by s981.loopia.se (Postfix) with ESMTP id CB30522B17B7; Fri, 10 May 2024 08:17:54 +0200 (CEST)
X-Virus-Scanned: amavisd-new at amavis.loopia.se
Authentication-Results: s470.loopia.se (amavisd-new); dkim=pass (2048-bit key) header.d=aaa-sec.com
Received: from s979.loopia.se ([172.22.191.6]) by s470.loopia.se (s470.loopia.se [172.22.190.34]) (amavisd-new, port 10024) with UTF8LMTP id AGxwJWDuRYsc; Fri, 10 May 2024 08:17:54 +0200 (CEST)
X-Loopia-Auth: user
X-Loopia-User: mailstore2@aaa-sec.com
X-Loopia-Originating-IP: 90.228.170.155
Received: from [10.10.0.158] (unknown [90.228.170.155]) (Authenticated sender: mailstore2@aaa-sec.com) by s979.loopia.se (Postfix) with ESMTPSA id AF5BC10BC4C7; Fri, 10 May 2024 08:17:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aaa-sec.com; s=loopiadkim1707241022; t=1715321873; bh=+WYF2HAaqSXqLksNCO1R+vDwaO0PIFcheZMxe3rso6w=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=Q7UDWo7Br1rqRBMhhcsdbzBBsbsyQMGaFxPTka4i4vbLO26x3GUBYnHJJmPlDoWnP 6s+JYyOsZZH5yViTpV5ej5eqr/w3IJSunemnRSARv7m+wK1dyA8Yz5nd7bIF/OxY3K ZXSzBEZk5DQky1zLpN8XBEb5rBIv5WdVK6RztJ4yxYwFea/1yNO3zKUkOkDDjYtTH0 XQxk/fSJmWmPysmyxgaXi1XutqRG5kyImakwQdGNYl3Jv1c9BKGlQmORBM0rNKIYhe vp45AzivP4xrk+vJcnby7VpxEjlqckLDAv10l4j/6rWd0G4ADgkaZTCfCxpOZgaJmV jsSQAPfNJp9Yw==
Content-Type: multipart/alternative; boundary="------------gfOT5EI1ZG4QJY0jw9KaNOR2"
Message-ID: <983ad848-0225-4b48-a750-7eee186b1f48@aaa-sec.com>
Date: Fri, 10 May 2024 08:17:53 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird Beta
To: ietf@jackgrigg.com
References: <20240507133422.E6D1F1996069@rfcpa.amsl.com> <CAPC=aNVkP4apKAgvnhx-R3-9yotE3dBcxq4kN6R6nA7VmsgOtw@mail.gmail.com> <d3321ebf-743f-4923-acf1-f6d4cd2383c0@aaa-sec.com> <CAPC=aNVzrSS2S0PS0Fy3nzppYV0ykZ-m03-j2zdqDEfPk3j7QQ@mail.gmail.com>
Content-Language: sv-SE, en-GB
From: Stefan Santesson <stefan@aaa-sec.com>
Autocrypt: addr=stefan@aaa-sec.com; keydata= xsFNBGYnTogBEADN33JxQWktXOIQ3P3TF3vW60EMGJi/5Fhgh0KeanhvpjcCHd6uVanVUhKd bEmskm6fRVZ3+VBpYg/Z8WXrX8dqe6oHMtrRYS3h2tLPU2/WFHKmlmE0v06Z6BRmgaMKL4/G f6HX9xoevSOIKcE0P79euFF+L0Oi0ljToHZYd6pfrIie6bn1rDRoDmcsm4JSFVLc1+CmGsdL oObAJSxtrdhdkwHAo3/Kr9EB/IqPS9v6MGvtdQTJhH85rKnYHd7CmDGiyDJRg/RZfrNWtbdG BBJ3mX+lr+cXskkulvOM6flgrhvzT32R5ucY6s80Vm5aE4rsXa74+hcaxgI5rkdzq7bN4J3I n/rZbtFezyv/IHe5jNxPyCnJXRWkgOYCFT8uG0tZ+TM6N2HOxt09HHytQ2U1OD+sD1Eh2u99 b4q0qKLMtv1IT2fUM5khpeLodXalOXilZPMXyrXI0p+dpGaT58AOWhFDB2K/mQMvo4VfsKKd yalPU1h9Ry8D4yKiL9LBe//ngkCxRcXHOZQmdMzItCCB7XarydeOce5Wb3srp4UnLqVJ/vBC pmRCHabPqJTPRWHZOI1BVGQpYpphXOZB0HdQmkvF0nFPz83L74r1wjaXU97yEAQ5KFuzjl17 qkXFD4jbfJeF8oBxS9msMSrwZIpiybVbS9ddUdrx0jZEE63D1QARAQABzSVTdGVmYW4gU2Fu dGVzc29uIDxzdGVmYW5AYWFhLXNlYy5jb20+wsGUBBMBCAA+FiEENKl/rZDeOypKPgO+S2hB MAO4E9UFAmYnTogCGwMFCQeGHwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQS2hBMAO4 E9VwQBAAlYf6LRzyFA/1g3iompZMIfLCPzXDv2l6xgs263E9sI4FUpJqvj6NMZTIo1Kd90NY pH/8t5jzSrbhTvTSCsEsOHCEemI0qlTjmJnyvJWPJjp3+0WX3bpN2rwzwHs9eanukBGbNpR7 yG9FbSLUj3XHYUDu5siD32cgstTUDyNM9XuCuUOIWvEuF6U+fEN6VqDrgfCNVF6JI3bu76pn OpuFX0kE32njg0WKQXY7UlvGxlB572z/c1nOmGOk48iVEd3Co0oqzLxRVd8Bv4fD/mzQ7bDi RpNlCVXDuKLjjotRknoFotZPwqIbPe0J2ta6bwD0cGFG5F1yCmst6Vs24uTZuTF5uNMsZpKA kDZ1DKXxflHfHpVspt/2uNomCaoZZT989nwrGk61TYEJWSvd6j/sECRei7LUqYccwECgr5rV 2mW2qklDnH25qX5bbRnftyUjSWc6wmVnZU+ExZlYcctAZv/gxgTaSZLN1ag9xuRa2zDpoNvZ PVmJXRMQKBj/P1X94/GRjFbu0rICoVYJPWy2g4fo3LHo1sRd8jSudjO38t+c029epZ9pj5th mzvLlrcHC7ILEjtPhYPVtGvoM9VfSDsHbAKN/8sCNFVfQtsu9X3r6RIlUPDVE18qserI61R3 B+MeCqy9V1AyBySd3AL1R/YRnnrpJxu4BWdG2CmK+7TOwU0EZidOiAEQAOVTCk0NvN0KHpdU 6CbuABowc+H/ms4Iw4Rb4gObcPIThPitDcSu+cQ0ftCk2v34iezItBKbq0TphEdi4XAdBW8/ BSJzdDpGrlfgkmStOQataxH0mEUEhFBF49b23s13QdCToFTrGyGxlsaEk+wM+ouqHEPyE9JX loHKyV25mJ8zz2iXfgWp4K6Q4iEVC9TS6Rn962EvI/QLPTknrkhhYiMDfqyVlmmDdTZ4wHwu O9LvUeOshCVkIbZipwKygnQMoQCnlxL/Ek52O1rm5h3BYXtHN+zQDmA9AVG7cyScO7V8G5bG /0f/lRnWdw6VWwPn03qDx1/CoBshWzXiMQZIV7H+WYFvg9+ThQi9VNvymqMbEHxczVl1WMwT XTGgkOOwukkW6RHr8Hu8acRBRQ3B4l2LEWyyG6EDZXG+Rmbl8kC4CGp+NWkljAM98Sbvbkti Yz093Fykw5b+Wuf+QoWc7UvFkFLlFIruvy7ncnYJ9n6DaVPBXhB2BBfnXfIxZ1C/VFSO1N9h LgV2jvsY1XdBawIUa6Fr5/zAy0uoMpKEQQUsARvD1xOTNEKosjP5reI/vEf2IFSsN+3WEiec Bk9KtUkE6V3SRslO0cOF4qrX37YOpJ1kQzjUzLuFHQj3c+BMhqJcK97gZFqAuXS5UJZvMupK bg3ceTMGbkcozoibYRv3ABEBAAHCwXwEGAEIACYWIQQ0qX+tkN47Kko+A75LaEEwA7gT1QUC ZidOiAIbDAUJB4YfAAAKCRBLaEEwA7gT1Zp1D/sH4t36exI4YZoTASZi5jefVIGaZG4cOw0M uK8RO4MOL01IEVXu2cjpkPJFPK9h+i0zArDWMTgzVk9mYaFnU0EaZty+5dA4XlYMjg+VGm4f Za7H4YABOo0A4p2TMLuL+9Tq1kn37t8J+C/qLoNLyn1tc9D5IE5e2xXdwzJk+ZxJGvsSRxdL b6vCz/Vh8N9hSJ4dI6+GkjIoRc/261HzhRNNLtWIJGOuO4YLxqCwPZlZwo6UxCHmlOAHy5HW U2y/irkANd/7e/qUEmqMawdqDJaWDVndfMu+T3LumeP00aAHlKxitoqSa6H+a7XPBJJyuyNR saooou3Tx2Sys8ulT3LV7m56J6B3ueVhrxWDzIj0DEoG70c1TwIYjIHO5RE62xGG5nbFBkUc dx09AN3W56csxZ9aXMKc3fxrhdNuNqLD9cfUUCnxny3A7FAA7gzayIhSuy77t4NOZRz2SJVO bnPNlZaHfz00vkmmekosS4SQHMlfbk+ltT+ELCGX2+APTMG3WraTYasDdBSKUTLJyOgf3+pK s+rMgc1dvoTNZNgITYkLt/+np7Nx5BJWrvcFR2dznXIfF4VGNQ3UpZceXMFLYio+gLVh9gae yZbyT7jHqhFq9MbdAWKjyLYkNCykrpiCgbeG4PgiM5q6BtTF9FGG/uMrbdW5rmvz34T842+t UA==
Organization: 3xA Security AB
In-Reply-To: <CAPC=aNVzrSS2S0PS0Fy3nzppYV0ykZ-m03-j2zdqDEfPk3j7QQ@mail.gmail.com>
Message-ID-Hash: X3VROJHHA2B7QLNU7UNW6Y4HLKWA2R5N
X-Message-ID-Hash: X3VROJHHA2B7QLNU7UNW6Y4HLKWA2R5N
X-MailFrom: stefan@aaa-sec.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: RFC Errata System <rfc-editor@rfc-editor.org>, alex.davidson92@gmail.com, armfazh@cloudflare.com, irsg@irtf.org, cfrg@irtf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: [Technical Errata Reported] RFC9497 (7925)
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/YLqRy76LFlVzeOofGyQiYeDhAuM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

Thanks Jack for taking the time to explain.

I see now where I was thrown of the waggon. Yes, the collection of valid 
scalars is also a field GF(r).

Many descriptions of Elliptic Curve do not talk about this as a separate 
field, so when the standard talked about a field of characteristic p and 
order q = p^m, I falsely assumed that the base field was intended.

But as you point out. The text is there in section 5.


Perhaps it is just me, but I think this is an easy mistake to be made.

I no longer think that this is an error in the standard (I agree with 
your explanation). But I still think the proposed text would be better 
and more clear. It is more in line with how this is described for other 
curves, and it totally avoids any possible misunderstandings. Using 
expand_message_xmd mod group order does the job with identical result 
also for P-256. Invoking hash_to_filed is redundant.

I don't know if an editorial clarification would help. I leave that up 
to you.

/Stefan



On 2024-05-08 16:19, Jack Grigg wrote:
> Hi Stefan,
>
> On Wed, May 8, 2024 at 6:10 AM Stefan Santesson <stefan@aaa-sec.com> 
> wrote:
>
>     Your answer does not appear to match the literature or my
>     implementation experience.
>
>     The field order for P-256 is the field over which the curve is
>     defined and is 2^256 - 2^224 + 2^192 + 2^96 - 1, or in HEX
>     (0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff)
>     The group order (n) is the number of points on the curve and for
>     P-256 this is equal to
>     0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551.
>
> Indeed; for any elliptic curve, there are two fields:
> - The "base field", over which the curve is defined, which is used for 
> point coordinates. This is an implementation detail of elliptic curves.
> - The "scalar field", which is defined by the group order, and is an 
> inherent property of any group.
>
> (The fact that elliptic curves have two fields, and the ensuing 
> confusion this causes when using elliptic curves for their group 
> properties, is one of many reasons that I and my co-authors were very 
> specific about our wording describing ristretto255 and decaf448 in RFC 
> 9496; while it is specified using elliptic curve points as 
> representatives, ristretto255 elements themselves are not elliptic 
> curve points, and thus only have _one_ associated field - the scalar 
> field.)
>
>     When you use hash_to_field in an implementation that match the
>     test vectors of RFC 9380, then it will be reduced mod p (Field order).
>
> hash_to_field is not defined specifically over the base field of an 
> elliptic curve; it is defined over an arbitrary field. The algorithm 
> works with either the base field or scalar field of P-256.
>
> Section 5 of RFC 9380 makes this explicitly clear:
>
> > The hash_to_field function is also suitable for securely hashing to 
> scalars. For example, when hashing to the scalar field for an elliptic 
> curve (sub)group with prime order r, it suffices to instantiate 
> hash_to_field with target field GF(r).
>
> This is precisely what RFC 9497 is doing.
>
> The P-256 test vectors in Appendix J.1 of RFC 9380 are for the 
> hash_to_curve interface (as defined for P-256 in Section 8.2). 
> hash_to_field is used as an internal implementation detail of 
> hash_to_curve (in Section 3) with F implicitly set to the base field 
> of the elliptic curve (due to the output of hash_to_field being used 
> as the input of map_to_curve, which takes an element of the finite 
> field F over which E is defined). Thus while it may be the case that 
> some implementations have specialized hash_to_field to only work with 
> the P-256 base field, that is a limitation of the implementations, and 
> not of hash_to_field.
>
> That being said, given the confusion that the current wording of RFC 
> 9497 causes, an errata that clarifies the instantiation of 
> hash_to_field (and specifically distinguishes it from the inherent 
> specialization in Section 3 of RFC 9380) may make sense.
>
> Cheers,
> Jack
>
>
>     If you use that you will not match the test vectors of OPRF.
>
>     To match the test vectors of OPRF, you have to stop using
>     hath_to_field and just use expand_message_xmd and reduce the
>     result mod group order n.
>
>
>     We were 2 implementers implementing this (me in Java and the other
>     in Python). We both made the same mistake following the standard
>     and ended up not complying with the test vectors of OPRF.
>
>     It was first when we read the definition of HashToScalar for other
>     curves, that we saw the difference and figured out how to
>     implement this to match the test vectors. But it took some time
>     and effort.
>
>     /Stefan
>
>
>     On 2024-05-07 17:56, Jack Grigg wrote:
>>     Hi all,
>>
>>     On Tue, May 7, 2024 at 2:34 PM RFC Errata System
>>     <rfc-editor@rfc-editor.org> wrote:
>>
>>         The following errata report has been submitted for RFC9497,
>>         "Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order
>>         Groups".
>>
>>         --------------------------------------
>>         You may review the report below and at:
>>         https://www.rfc-editor.org/errata/eid7925
>>
>>         --------------------------------------
>>         Type: Technical
>>         Reported by: Stefan Santesson <stefan@aaa-sec.com>
>>
>>         Section: 4.3
>>
>>         Original Text
>>         -------------
>>         HashToScalar():  Use hash_to_field from [RFC9380] using L = 48,
>>                  expand_message_xmd with SHA-256, DST =
>>         "HashToScalar-" ||
>>                  contextString, and a prime modulus equal to
>>         Group.Order().
>>
>>         Corrected Text
>>         --------------
>>         HashToScalar():  Compute uniform_bytes using expand_message =
>>                  expand_message_xmd, DST = "HashToScalar-" ||
>>         contextString, and
>>                  an output length of 48 bytes, interpret
>>         uniform_bytes as a
>>                  384-bit integer in little-endian order, and reduce
>>         the integer
>>                  modulo Group.Order().
>>
>>         Notes
>>         -----
>>         It is incorrect to refer to the hash_to_filed operation of
>>         RFC 9380 because the implementation of hash_to_field, as
>>         described in section 5.2 of RFC 9380 reduces the result
>>         integer mod Field order (not Group order).
>>
>>
>>     This is a misreading of both RFC 9380 and RFC 9497.
>>
>>     RFC 9380 Section 5.2 defines the hash_to_field parameters. These
>>     parameters in particular are relevant:
>>
>>     > - F, a finite field of characteristic p and order q = p^m.
>>     > - p, the characteristic of F (see immediately above).
>>     > - m, the extension degree of F, m >= 1 (see immediately above).
>>
>>     I'll use F.p, F.q, and F.m to reference these below.
>>
>>     RFC 9497 Section 2.1 defines Group.Order() (somewhat
>>     tautologically) as the order of the group (p). It then defines
>>     scalars thusly:
>>
>>     > Scalar multiplication by r is equivalent to the repeated
>>     application of the group operation on an element A with itself r
>>     - 1 times; [..] The set of scalars corresponds to GF(p), a prime
>>     field of order p.
>>
>>     It is therefore correct to refer to hash_to_field in RFC 9497 in
>>     the context of producing a scalar of the Group. The Field order
>>     F.q of that scalar field is precisely Group.Order() by
>>     definition, and because it is also prime by definition (and thus
>>     has no factors), this forces F.m = 1 and thus F.p = F.q.
>>
>>
>>          7.     e_j = OS2IP(tv) mod p
>>
>>         Where p is the characteristic of field F.
>>
>>
>>     Per above, F.p here is precisely Group.Order().
>>
>>     Cheers,
>>     Jack
>>
>>
>>         The current text imply that the existing hash_to_field
>>         implementation for P-256 can be used. But using this will
>>         cause a false result due to the mod field order operation.
>>
>>         The a better, and accurate way to describe this is by using
>>         the same explanation as for other curve types and specify the
>>         use of expand_message_xmd directly modulus Group.Order().
>>
>>         Instructions:
>>         -------------
>>         This erratum is currently posted as "Reported". (If it is
>>         spam, it
>>         will be removed shortly by the RFC Production Center.) Please
>>         use "Reply All" to discuss whether it should be verified or
>>         rejected. When a decision is reached, the verifying party
>>         will log in to change the status and edit the report, if
>>         necessary.
>>
>>         --------------------------------------
>>         RFC9497 (draft-irtf-cfrg-voprf-21)
>>         --------------------------------------
>>         Title               : Oblivious Pseudorandom Functions
>>         (OPRFs) Using Prime-Order Groups
>>         Publication Date    : December 2023
>>         Author(s)           : A. Davidson, A. Faz-Hernandez, N.
>>         Sullivan, C. A. Wood
>>         Category            : INFORMATIONAL
>>         Source              : Crypto Forum Research Group
>>         Stream              : IRTF
>>         Verifying Party     : IRSG
>>
>>         _______________________________________________
>>         CFRG mailing list -- cfrg@irtf.org
>>         To unsubscribe send an email to cfrg-leave@irtf.org
>>
>>
>>     _______________________________________________
>>     CFRG mailing list --cfrg@irtf.org
>>     To unsubscribe send an email tocfrg-leave@irtf.org
>