Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

"Hao, Feng" <Feng.Hao@warwick.ac.uk> Fri, 09 April 2021 19:02 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/dj3ptmsQ28eNvMJrm0dGFDjkRS4>

Hi Scott,

It’s not a simple case of testing and aborting. Suppose that in a system, hash-to-curve returns a low-order point to the higher protocol (say CPace/OPAQUE) that is calling it: you can’t accept this value (insecure base generator), nor can you reject it (the timing side channel will reveal the password). The failure mode here is non-recoverable.

Cheers,
Feng

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Date: Friday, 9 April 2021 at 19:26
To: Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org>, Mike Hamburg <mike@shiftleft.org>, Hao, Feng <Feng.Hao@warwick.ac.uk>
Cc: CFRG <cfrg@irtf.org>
Subject: RE: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
Correction: Opaque does use a hash-to-curve operation (used to translate the password into an elliptic curve point); if it happens to translate a specific password to a low order point, then that specific password is easy to test for; however there are no other implications…

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Scott Fluhrer (sfluhrer)
Sent: Friday, April 9, 2021 2:17 PM
To: Mike Hamburg <mike@shiftleft.org>; Hao, Feng <Feng.Hao@warwick.ac.uk>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Opaque doesn’t use a hash-to-curve operation.

CPace does; it also automatically aborts (fails) if the hash-to-curve operation happens to return a low order point (that is, a point that, after multiplying by the cofactor, is the neutral element).

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Mike Hamburg
Sent: Friday, April 9, 2021 1:00 PM
To: Hao, Feng <Feng.Hao@warwick.ac.uk>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

I don’t know if the same holds for OPAQUE or CPace: for all I know, they may have specification holes and/or end in failure in that case.
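As an added illustration of the low-order test that Scott describes above (multiply the hash-to-curve output by the cofactor and compare with the neutral element), here is a Curve25519 example in Python. It is not code from this thread, from draft-irtf-cfrg-hash-to-curve, or from the CPace/OPAQUE specifications. It assumes the x-only Montgomery doubling formula of RFC 7748 (with a24 = 121666 and cofactor 8, so "multiply by the cofactor" is three doublings), the well-known small-order u-coordinates 0, 1 and p-1, and the basepoint u = 9 as a point of prime order; the function names are mine.

```python
# Added example (not from the thread): detecting a low-order hash-to-curve
# output on Curve25519 by multiplying by the cofactor h = 8.
# A point P is low-order iff h*P is the neutral element; in x-only
# projective coordinates (X:Z) the neutral element is the point with Z == 0.

P25519 = 2**255 - 19
A24 = 121666          # (A + 2) / 4 for the Montgomery coefficient A = 486662
COFACTOR_LOG2 = 3     # cofactor 8 = 2^3, so h*P is three doublings

# Known small-order u-coordinates on Curve25519 (order 2, 4 and 4).
KNOWN_LOW_ORDER_U = (0, 1, P25519 - 1)
BASEPOINT_U = 9       # generator of the prime-order subgroup


def x_double(X, Z):
    """x-only Montgomery doubling (RFC 7748 formulas): (X:Z) -> (X:Z) of 2*P."""
    a = (X + Z) % P25519
    b = (X - Z) % P25519
    aa = a * a % P25519
    bb = b * b % P25519
    c = (aa - bb) % P25519            # equals 4*X*Z
    x2 = aa * bb % P25519
    z2 = c * (bb + A24 * c) % P25519  # zero exactly when 2*P is the neutral element
    return x2, z2


def cofactor_times(u):
    """Return (X:Z) of h*P = 8*P for the point whose u-coordinate is u."""
    X, Z = u % P25519, 1
    for _ in range(COFACTOR_LOG2):
        X, Z = x_double(X, Z)
    return X, Z


def is_low_order(u):
    """True iff the point with u-coordinate u has order dividing the cofactor 8.

    The function only returns the flag. What the calling protocol does with it
    (abort, as Scott says CPace does, or something else, as Feng's timing
    concern would require) is the point the thread is debating, not this code.
    Note: Python's big-integer arithmetic is not constant time; only the shape
    of the check (no data-dependent branch, a single flag result) is shown.
    """
    _, Z = cofactor_times(u)
    return Z == 0


def check_samples():
    """Run the check over the known low-order u-values and the basepoint."""
    return {u: is_low_order(u) for u in KNOWN_LOW_ORDER_U + (BASEPOINT_U,)}


if __name__ == "__main__":
    for u, flag in check_samples().items():
        print(f"u = {u}: low order = {flag}")
```

Doubling the point u = 0 gives Z = 0 immediately (order 2); u = 1 and u = p-1 first double to u = 0 and then to the neutral element (order 4); the basepoint u = 9 survives all three doublings because its order is the large prime, so the check reports it as a usable point.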