Re: [Cfrg] Recommended bit length before truncating a hash mod p

Michele Orrù <lists@tumbolandia.net> Mon, 08 April 2019 14:19 UTC

To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cfrg@irtf.org, Anita DURR <anita.durr@psl.eu>, Brice Minaud <brice.minaud@ens.fr>
References: <1853a156-df76-7999-df2b-1ea120a85b40@tumbolandia.net> <20190406174721.GA108882@LK-Perkele-VII>
From: Michele Orrù <lists@tumbolandia.net>
Message-ID: <4f83a1a8-70bc-e9b4-838a-ee5209cbf329@tumbolandia.net>
Date: Mon, 08 Apr 2019 16:19:33 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/erqcBF3AkiuGvowyFWl1zOE2www>

On 4/6/19 7:47 PM, Ilari Liusvaara wrote:

> In fact, the uniformity can heavily depend on p. Any p very close to
> power of two gives very uniform results. And one needs lots of extra
> bits to increase the uniformity further.
> 
> Looking at Curve25519, Curve448 and NIST P-384, the SD is <2^-200 and
> that won't bulge with 64 extra bits.
> 
> NIST P-256 has much bigger base SD (~2^-32), and that starts to move
> with ~30 extra bits. 64 extra bits seems to decrease SD by factor of
> ~2^64.
> 


Hi Ilari,

that's right, good point. It seems to us that there are two 
possibilities now:

- (as you note) we list the curves for which 64 extra bits are needed in 
order to smooth out the bias, i.e. the curves for which p = 2^λ - r is 
very close to a power of two, or more precisely (1-r/p) r/2^(λ-1) < 2^-64.

- or we just advise developers to always take 64 + log(p) + 1 bits.
Unless those extra bits do not come cheap, it is perhaps the easiest 
solution?


In both cases, we think that the standard could be more explicit about 
how much entropy is needed for a (close to) uniform distribution. Thoughts?



PS. adding Brice in Cc; I forgot him in my previous mail.
--
μ.
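As an added worked example (not part of this thread), the script below computes the exact statistical distance of "hash to k bits, reduce mod p" and checks both options discussed above: listing the curves where 64 extra bits matter (option 1) versus always taking 64 extra bits (option 2). Assumptions: p is each curve's field prime, which matches the figures Ilari quotes, and "64 + log(p) + 1 bits" is read as bit_length(p) + 64.

```python
from fractions import Fraction
from math import log2

# Assumption: the moduli Ilari measured are the curves' field primes
# (these values reproduce his ~2^-32 and <2^-200 figures).
CURVE_PRIMES = {
    "Curve25519": 2**255 - 19,
    "Curve448":   2**448 - 2**224 - 1,
    "NIST P-256": 2**256 - 2**224 + 2**192 + 2**96 - 1,
    "NIST P-384": 2**384 - 2**128 - 2**96 + 2**32 - 1,
}

def statistical_distance(p: int, k: int) -> Fraction:
    """Exact SD between (h mod p), h uniform on [0, 2^k), and uniform Z_p.

    Residues below rem = 2^k mod p are hit one extra time, so the
    distance collapses to rem * (p - rem) / (p * 2^k).
    """
    if k < p.bit_length():
        raise ValueError("need at least bit_length(p) bits to cover Z_p")
    rem = pow(2, k, p)
    return Fraction(rem * (p - rem), p * 2**k)

def log2_sd(p: int, k: int) -> float:
    """log2 of the SD; -inf when the reduction is exactly uniform."""
    sd = statistical_distance(p, k)
    return log2(sd.numerator) - log2(sd.denominator) if sd else float("-inf")

def extra_bits_needed(p: int, target_log2: float = -64.0, max_extra: int = 128) -> int:
    """Option 1: smallest e with SD(bit_length(p) + e bits) < 2^target for this p."""
    lam = p.bit_length()
    for e in range(max_extra + 1):
        if log2_sd(p, lam + e) < target_log2:
            return e
    raise ValueError("target not reached within max_extra bits")

def option2_bits(p: int) -> int:
    """Option 2: always hash to 64 + log(p) + 1 = bit_length(p) + 64 bits (my reading)."""
    return p.bit_length() + 64

if __name__ == "__main__":
    for name, p in CURVE_PRIMES.items():
        lam = p.bit_length()
        print(f"{name:11s} base SD 2^{log2_sd(p, lam):8.2f}   "
              f"+64 bits 2^{log2_sd(p, lam + 64):8.2f}   "
              f"extra bits for SD<2^-64: {extra_bits_needed(p)}")
```

For the three primes of the form 2^λ - small, the base distance is already far below 2^-64 and no extra bits are needed; P-256 starts near 2^-32 and, as Ilari observed, barely moves until roughly 30 extra bits are added.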