Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Mike Hamburg <mike@shiftleft.org> Sat, 10 April 2021 20:22 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65C053A1A20 for <cfrg@ietfa.amsl.com>; Sat, 10 Apr 2021 13:22:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.305
X-Spam-Level:
X-Spam-Status: No, score=-1.305 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=shiftleft.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q31k9vEJe_6W for <cfrg@ietfa.amsl.com>; Sat, 10 Apr 2021 13:22:50 -0700 (PDT)
Received: from doomsayer.shiftleft.org (unknown [54.219.126.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B94C3A1A1F for <cfrg@irtf.org>; Sat, 10 Apr 2021 13:22:50 -0700 (PDT)
Received: from [192.168.7.53] (unknown [198.207.18.242]) (Authenticated sender: mike) by doomsayer.shiftleft.org (Postfix) with ESMTPSA id 64BB5BB869; Sat, 10 Apr 2021 20:22:49 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shiftleft.org; s=sldo; t=1618086169; bh=7GVNF6epIKf2u8LMj05lxHpbDjnGi/YI36SefmO2exw=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=UULPif3aIeAgc5GVESKvONTtLmh0ZJa6sBinEysBvYEKPqP+6T2RezJYpN4wK9FCS 9pDxf/7Ciio1zhEtwZqBkMTpn76u31+Gmat1Tye9foLLrwxWxvFpqkwzKfmGzD4ES6 Z0fizmqzcJ5JtbIiqPh4ktQ5wnt+v8D25u4VhoB0=
From: Mike Hamburg <mike@shiftleft.org>
Message-Id: <491484D0-BBF6-4B4A-B1B3-99E4951AF677@shiftleft.org>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0666096D-F81A-416F-91F3-2C5B98E1B82E"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Date: Sat, 10 Apr 2021 17:22:48 -0300
In-Reply-To: <64982C96-4594-493A-A7F8-9AAD984A83EE@shiftleft.org>
Cc: CFRG <cfrg@irtf.org>
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
References: <e270e62d-941d-0a87-7dc9-cf80f73b5aeb@jacaranda.org> <d0778523-5f5d-4327-b795-279918c1899c@www.fastmail.com> <CAMr0u6=PBX1W5zQFmpxKQ=ViUXN9QK00BREL4M0=2HOkaXaiZw@mail.gmail.com> <VI1SPR01MB03573585C37B871D200ECC23D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <trinity-f323065e-9f30-48fd-9ead-0865e8f877eb-1618002469856@3c-app-webde-bap03> <VI1SPR01MB035772443E4DA3206E4CD4D3D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <7944D4F1-81F8-44FC-95D1-45D47733B385@shiftleft.org> <VI1SPR01MB03574E592790FD59C1ACEB84D6729@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <A1BFD5D1-00E2-4ACB-B55A-D18033229FF6@shiftleft.org> <VI1SPR01MB0357E0F2D567D0C8B81EE31AD6729@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <64982C96-4594-493A-A7F8-9AAD984A83EE@shiftleft.org>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/elDuw8sE7_WyPWp2M216f2Z2L5c>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Apr 2021 20:22:54 -0000


> On Apr 10, 2021, at 5:19 PM, Mike Hamburg <mike@shiftleft.org> wrote:
> 
> I was insufficiently precise.  I’d forgotten that PAK refers to several PAKE algorithms; I was thinking of some of the elliptic curve versions, such as PAK-EC from "More efficient password-authenticated key exchange" by Philip MacKenzie, CT-RSA 2001.  I re-proposed a variant of this protocol, not knowing that it had been done before, as "SPAKE2: Elligator Edition”.  This design is slightly slower than SPEKE, but it has a simpler security analysis than SPEKE.  It sends something very roughly of the form aG + hash_to_curve(password), so you want hash_to_curve to be uniform.  Security follows by a very simple argument (compared to most other PAKEs) under ROM + strong DH.

Replying to myself here, because I forgot to mention: as in most other uses of hash/map to curve, PAK-EC is provably secure even for somewhat nonuniform outputs, such as map_to_curve outputs.  It’s just most secure with uniform outputs.

Regards,
— Mike