Re: [Cfrg] Recommended bit length before truncating a hash mod p
Michele Orrù <lists@tumbolandia.net> Mon, 08 April 2019 14:19 UTC
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cfrg@irtf.org, Anita DURR <anita.durr@psl.eu>, Brice Minaud <brice.minaud@ens.fr>
References: <1853a156-df76-7999-df2b-1ea120a85b40@tumbolandia.net> <20190406174721.GA108882@LK-Perkele-VII>
From: Michele Orrù <lists@tumbolandia.net>
Message-ID: <4f83a1a8-70bc-e9b4-838a-ee5209cbf329@tumbolandia.net>
Date: Mon, 08 Apr 2019 16:19:33 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/erqcBF3AkiuGvowyFWl1zOE2www>
On 4/6/19 7:47 PM, Ilari Liusvaara wrote:
> In fact, the uniformity can heavily depend on p. Any p very close to
> power of two gives very uniform results. And one needs lots of extra
> bits to increase the uniformity further.
>
> Looking at Curve25519, Curve448 and NIST P-384, the SD is <2^-200 and
> that won't bulge with 64 extra bits.
>
> NIST P-256 has much bigger base SD (~2^-32), and that starts to move
> with ~30 extra bits. 64 extra bits seems to decrease SD by factor of
> ~2^64.

Hi Ilari,

that's right, good point. It seems to us that there are two possibilities now:

- (as you note) we list the curves for which 64 extra bits are needed in order to smooth out the bias, i.e. the curves for which p = 2^λ - r is very close to a power of two, or more precisely (1-r/p) r/2^(λ-1) < 2^-64.

- or we just advise developers to always take 64 + log(p) + 1 bits. Unless those extra bits do not come cheap, it is perhaps the easiest solution?

In both cases, we think that the standard could be more explicit about how much entropy is needed for a (close to) uniform distribution.

Thoughts?

PS. adding Brice in Cc; I forgot him in my previous mail.

--
μ.
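The numbers quoted above (SD around 2^-32 for P-256 at 256 bits, below 2^-200 for Curve25519, Curve448 and P-384, and the drop by roughly 2^64 once P-256 gets 64 extra bits) can be reproduced exactly rather than estimated. The script below is an added worked example, not code from either poster or from any draft under discussion. It takes a k-bit uniform integer X, reduces it mod p, and computes the statistical distance of X mod p from uniform on Z_p in exact rational arithmetic. With 2^k = q·p + rem, the residues below rem are hit q+1 times and the rest q times, so the distance collapses to rem·(p - rem)/(p·2^k); a brute-force enumerator on tiny parameters checks that closed form. The curve primes are the published field primes of the four curves named in the thread; the function names, the 2^-64 target and the table printed by main are the example's own choices.

```python
"""Exact statistical distance of (k-bit uniform integer mod p) from uniform on Z_p.

Added example: reproduces the bias figures discussed in the thread for the
named curves. Only the prime values come from the curve specifications; the
helper names and the 2^-64 target are assumptions of this example.
"""
from fractions import Fraction
from math import log2

# Field primes of the curves named in the thread (from the curve specifications).
CURVE25519_P = 2**255 - 19
CURVE448_P = 2**448 - 2**224 - 1
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P384_P = 2**384 - 2**128 - 2**96 + 2**32 - 1


def stat_distance(p: int, k: int) -> Fraction:
    """SD = 1/2 * sum_y |Pr[X mod p = y] - 1/p| for X uniform in [0, 2^k).

    Write 2^k = q*p + rem. Residues y < rem occur q+1 times, the others q
    times, so the sum collapses to the exact closed form rem*(p-rem)/(p*2^k).
    """
    n = 1 << k
    rem = n % p
    return Fraction(rem * (p - rem), p * n)


def stat_distance_bruteforce(p: int, k: int) -> Fraction:
    """Same quantity by enumerating every input; only feasible for tiny k.

    Used to validate the closed form in stat_distance on small parameters.
    """
    n = 1 << k
    counts = [0] * p
    for x in range(n):
        counts[x % p] += 1
    return sum(abs(Fraction(c, n) - Fraction(1, p)) for c in counts) / 2


def log2_stat_distance(p: int, k: int) -> float:
    """log2 of the statistical distance; -inf when 2^k is a multiple of p."""
    sd = stat_distance(p, k)
    if sd == 0:
        return float("-inf")
    # log2 on the (possibly huge) numerator and denominator separately avoids
    # converting a ~2^-250 fraction to float.
    return log2(sd.numerator) - log2(sd.denominator)


def extra_bits_needed(p: int, target_log2: float = -64.0) -> int:
    """Fewest bits beyond bit_length(p) at which SD <= 2^target_log2.

    Searches up to bit_length(p) extra bits; the 2^-64 default is this
    example's target, chosen to match the figure discussed in the thread.
    """
    lam = p.bit_length()
    for extra in range(lam + 1):
        if log2_stat_distance(p, lam + extra) <= target_log2:
            return extra
    raise ValueError("target not reached with up to bit_length(p) extra bits")


def main() -> None:
    curves = [("Curve25519", CURVE25519_P), ("Curve448", CURVE448_P),
              ("P-256", P256_P), ("P-384", P384_P)]
    print(f"{'curve':<11}{'bits':>6}{'log2 SD':>12}")
    for name, p in curves:
        lam = p.bit_length()
        for extra in (0, 32, 64):
            print(f"{name:<11}{lam + extra:>6}{log2_stat_distance(p, lam + extra):>12.2f}")
        print(f"{name}: extra bits for SD <= 2^-64: {extra_bits_needed(p)}")


if __name__ == "__main__":
    main()
```

Two things the table makes visible that the prose only asserts. For Curve25519, 2^(255+e) mod p equals 19·2^e for every e below about 250, so the distance stays at roughly 19/2^255 no matter how many extra bits are hashed: the extra bits are wasted, which is why the "won't budge" remark holds. For P-256 the distance sits near 2^-32 until the 32nd extra bit, then falls to about 2^-96 and stays there through 64 extra bits. Note also that with k equal to the bit length λ of p and p = 2^λ - r the closed form reads (1 - r/p)·r/2^λ, i.e. half of the expression quoted in the reply, whose 2^(λ-1) denominator corresponds to the L1 distance without the 1/2 in the definition of SD.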