Re: [Cfrg] Comments regarding draft-sullivan-cfrg-hash-to-curve

"Jason Resch" <jresch@us.ibm.com> Mon, 09 April 2018 17:28 UTC

Christopher,
 
That's excellent. I am glad this code is useful and can contribute towards the implementation of hacspec.
Please reach out to me if you have any questions, comments, concerns or issues regarding the code.
 
Best,
 
Jason Resch
 
----- Original message -----
From: Christopher Wood <christopherwood07@gmail.com>
To: jresch@us.ibm.com
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Comments regarding draft-sullivan-cfrg-hash-to-curve
Date: Sun, Apr 8, 2018 11:30 PM
 
Hi Jason,
 
Please see inline below.
 
On Tue, Apr 3, 2018 at 9:36 PM Jason Resch <jresch@us.ibm.com> wrote:

I recently wrote some reference implementations of my suggestion below for implementing HashToBase() for any given input string and curve. It uses the left-most bits of HKDF applied to the input, where the number of total bits selected is determined by the size of the prime field. I have ensured consistency via some test vectors that I defined and that are included in this sample code. I tested both NIST P-256 and NIST P-521. Note that these examples only implement "Simplified SWU", but this can be easily extended to support the other algorithms.

I have attached the Python and Java implementations to this e-mail. The Python one is a bit more concise and is self-contained in one file, while the Java one is implemented across several files (in the zip file), but both produce consistent results as far as I have been able to test.
 
Thanks for sharing the code. We're currently working to port all the algorithms to hacspec. This routine will certainly be part of that effort. When the time comes, I will use it to test against our own implementation.
 

Also, I found something interesting in regard to supporting Koblitz curves, or other curves where a = 0 (such as BN-254). By accident, I discovered that it didn't seem to matter whether I used "(-b / a)" or any other number. The Simplified SWU algorithm appeared to always map to a valid point. Does this make sense? Is there a special motivation for using (-b / a) as opposed to some other constant?
 
Interesting. I don't know off hand. I'll have to investigate and get back to you. 
 
Best,
Chris
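As an added illustration of the two pieces discussed in this thread (a HashToBase built from the left-most bits of HKDF, sized by the prime field, feeding the Simplified SWU map), here is a self-contained Python sketch for NIST P-256. This is not Jason's attached code and not the draft's reference implementation; it assumes HKDF-SHA256 with the label as salt and a fixed info string "HashToBase" (the real layout is whatever the attachment defines), keeps exactly bitlen(p) left-most bits before reducing mod p, and treats the exceptional inputs t in {0, 1, -1} (which make the SWU denominator vanish) as errors rather than choosing a convention for them.

```python
import hashlib
import hmac

# NIST P-256: y^2 = x^3 + a*x + b over GF(p); p = 3 mod 4, so sqrt is one exponentiation.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256; no third-party deps."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hash_to_base(msg: bytes, p: int, label: bytes = b"H2C") -> int:
    """Left-most bitlen(p) bits of the HKDF output, reduced mod p (assumed layout)."""
    nbits = p.bit_length()
    nbytes = (nbits + 7) // 8
    okm = hkdf_sha256(salt=label, ikm=msg, info=b"HashToBase", length=nbytes)
    t = int.from_bytes(okm, "big") >> (8 * nbytes - nbits)  # keep exactly nbits bits
    return t % p

def simplified_swu(t: int, p: int, a: int, b: int):
    """Brier et al. Simplified SWU for p = 3 mod 4. The construction needs a != 0 and b != 0:
    the identity g(x3) = alpha^3 * g(x2) that guarantees a square relies on -b/a."""
    if a % p == 0 or b % p == 0 or p % 4 != 3:
        raise ValueError("Simplified SWU requires a*b != 0 and p = 3 mod 4")
    alpha = (-t * t) % p                    # -1 is a non-residue, so alpha^3 flips squareness
    denom = (alpha * alpha + alpha) % p
    if denom == 0:                          # t in {0, +1, -1}: exceptional, probability ~3/p
        raise ValueError("exceptional t; a spec must fix a convention for these inputs")
    x2 = (-b * pow(a, -1, p) * (1 + pow(denom, -1, p))) % p
    x3 = (alpha * x2) % p
    g = lambda x: (x * x * x + a * x + b) % p
    for x in (x2, x3):                      # at least one of g(x2), g(x3) is a square
        h = g(x)
        y = pow(h, (p + 1) // 4, p)
        if (y * y) % p == h:
            return x, y
    raise AssertionError("unreachable when a*b != 0")

def is_on_curve(pt, p=P256_P, a=P256_A, b=P256_B) -> bool:
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % p == 0

def hash_to_p256(msg: bytes):
    """Full pipeline: message -> field element -> curve point."""
    return simplified_swu(hash_to_base(msg, P256_P), P256_P, P256_A, P256_B)
```

Note that reducing a bitlen(p)-bit value mod p leaves a small, curve-dependent bias in t; later hash-to-curve drafts address this by drawing extra bits before the reduction.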