Re: [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-curve-04.txt

Dan Harkins <> Mon, 22 July 2019 21:10 UTC

On 7/22/19 1:22 PM, Riad S. Wahby wrote:
> On July 22, 2019 4:08:25 PM EDT, "Björn Haase" <> wrote:
>> The second simple question IMO is P384. I'd not consider Icart's mapping
>> as long as the patents apply. I'd use plain SWU here.
> The generalized version of Simplified SWU given in -04 also applies to P384. So the question of which map to use for P384 is an instance of the broader question you asked, namely, are we comfortable with the IPR situation surrounding Simplified SWU? (I don't know! but maybe we'll understand more about this soon.)
> So: if P256 ends up using Simplified SWU, P384 can as well.
> (I certainly agree that we should be leery of the Icart IPR issues.)

   My original request to add back SWU was so I could have one method that,
for the majority of curves, can be instantiated with a particular curve
and a particular hash function. I thought the trend from -03 to -04 was for
ciphersuite-style methods where if you're using curve foo you do one kind of
hash to curve with one particular hash algorithm and if you're using curve bar
you use a different hash to curve method with a different hash algorithm. From
a programming point of view the latter is sub-optimal as I have to implement
a whole slew of hash to curve methods if I want to support a slew of curves
(where slew > 3).

   If the Simplified SWU of -04 also applies to all the curves that SWU
then that complaint goes away. One issue with the Simplified SWU of -04
is that I need the parameter Z for the curve so I either need to derive a Z
for every curve my code is going to support and store it (perhaps along with
the rest of the domain parameter set) or I derive it on the fly which sounds
like more looping which I want to avoid.

   So I still have a slight preference for the long-form SWU from -03 to
return in -05. Having ciphersuites for people who prefer that sort of thing
is fine but just don't make that the only way to go. Patents are, of course,
show stoppers.
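As an added example (not part of this thread, of the -04 draft, or of any implementation discussed here), the "derive Z once and store it with the domain parameters" option described in the message above, in pure Python. It uses the Z-selection criteria that the hash-to-curve work later fixed in RFC 9380 Appendix H.2 (find_z_sswu): Z is a non-square, Z != -1, g(x) - Z is irreducible over the field, and g(B / (Z * A)) is a square, trying +ctr then -ctr for ctr = 1, 2, 3, ... Whether -04 used exactly these criteria is not stated on this page; the curve table, helper names and the `z_table` function are constructed for the example.

```python
"""Derive the Simplified SWU parameter Z for a short-Weierstrass curve
y^2 = g(x) = x^3 + A*x + B over GF(p), following the selection criteria of
RFC 9380 Appendix H.2 (find_z_sswu).  Pure Python, no dependencies."""

# Constructed curve table (p, A, B) for NIST P-256 and P-384.
CURVES = {
    "P-256": (
        2**256 - 2**224 + 2**192 + 2**96 - 1,
        -3,
        0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    ),
    "P-384": (
        2**384 - 2**128 - 2**96 + 2**32 - 1,
        -3,
        0xB3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF,
    ),
}


def is_square(v, p):
    """Euler criterion: is v a square in GF(p)?  (0 counts as a square.)"""
    v %= p
    return v == 0 or pow(v, (p - 1) // 2, p) == 1


def _trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a


def _poly_mod(a, b, p):
    """Remainder of a mod b over GF(p); polynomials are coefficient lists, low degree first."""
    a, b = _trim(list(a)), _trim(list(b))
    inv_lead = pow(b[-1], -1, p)
    while len(a) >= len(b):
        coef = a[-1] * inv_lead % p
        shift = len(a) - len(b)
        for i, bc in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bc) % p
        _trim(a)
    return a


def _gcd_degree(a, b, p):
    """Degree of gcd(a, b) over GF(p) (Euclid on coefficient lists)."""
    a, b = _trim(list(a)), _trim(list(b))
    while b:
        a, b = b, _poly_mod(a, b, p)
    return len(a) - 1


def _mulmod_cubic(u, v, f0, f1, p):
    """Multiply two polynomials of degree <= 2 modulo the monic cubic
    x^3 + f1*x + f0, using x^3 = -f1*x - f0 and x^4 = -f1*x^2 - f0*x."""
    prod = [0] * 5
    for i in range(3):
        for j in range(3):
            prod[i + j] = (prod[i + j] + u[i] * v[j]) % p
    c4, c3 = prod[4], prod[3]
    prod[2] = (prod[2] - f1 * c4) % p
    prod[1] = (prod[1] - f0 * c4 - f1 * c3) % p
    prod[0] = (prod[0] - f0 * c3) % p
    return prod[:3]


def cubic_is_irreducible(f0, f1, p):
    """x^3 + f1*x + f0 is irreducible over GF(p) iff it has no root there,
    i.e. gcd(x^p - x, f) = 1.  x^p mod f is computed by square-and-multiply."""
    result, base, e = [1, 0, 0], [0, 1, 0], p
    while e:
        if e & 1:
            result = _mulmod_cubic(result, base, f0, f1, p)
        base = _mulmod_cubic(base, base, f0, f1, p)
        e >>= 1
    h = [result[0], (result[1] - 1) % p, result[2]]  # x^p - x  (mod f)
    return _gcd_degree(h, [f0, f1, 0, 1], p) == 0


def find_z_sswu(p, A, B):
    """Smallest |Z| (trying +ctr, then -ctr, as RFC 9380 H.2 does) such that:
    1. Z is a non-square in GF(p);   2. Z != -1;
    3. g(x) - Z is irreducible;      4. g(B / (Z*A)) is a square."""
    A, B = A % p, B % p
    ctr = 1
    while True:
        for z in (ctr, -ctr):
            zp = z % p
            if is_square(zp, p):                                   # criterion 1
                continue
            if zp == p - 1:                                        # criterion 2
                continue
            if not cubic_is_irreducible((B - zp) % p, A, p):       # criterion 3
                continue
            x = B * pow(zp * A % p, -1, p) % p
            if is_square((x * x * x + A * x + B) % p, p):          # criterion 4
                return z
        ctr += 1


def z_table(curves=CURVES):
    """The 'derive once, store with the domain parameters' option: Z per curve."""
    return {name: find_z_sswu(p, A, B) for name, (p, A, B) in curves.items()}


if __name__ == "__main__":
    for name, z in z_table().items():
        print(f"{name}: Z = {z}")
```

Running it gives Z = -10 for P-256 and Z = -12 for P-384, the constants RFC 9380 publishes for its P-256 and P-384 Simplified SWU suites. The candidate loop, with an irreducibility test per candidate, is the "more looping" the message refers to, which is why a deployment would run this once at build time and ship the resulting table rather than derive Z on the fly.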