IETF Logo Mail Archive

Re: [Cfrg] Recommended bit length before truncating a hash mod p

David Núñez <david@nucypher.com> Fri, 22 March 2019 11:02 UTC

Return-Path: <david@nucypher.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3069F130F0F for <cfrg@ietfa.amsl.com>; Fri, 22 Mar 2019 04:02:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.02
X-Spam-Level:
X-Spam-Status: No, score=-1.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nucypher.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uKectmjA8PqS for <cfrg@ietfa.amsl.com>; Fri, 22 Mar 2019 04:02:01 -0700 (PDT)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76288130F0D for <cfrg@irtf.org>; Fri, 22 Mar 2019 04:02:00 -0700 (PDT)
Received: by mail-wm1-x329.google.com with SMTP id t124so1698086wma.4 for <cfrg@irtf.org>; Fri, 22 Mar 2019 04:02:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nucypher.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QS+5+qtjWUVoj+FQRXo8D0PlxiyPsOLlMe2hkQg5BxY=; b=FmJFQ/6UZW2DO9KRvDF2jzBJavF+l7J67jPiow7jFAqR9kZmfhGPFHu2znydjtFwMc dwuo4DXajS025MgtiB9VPQ3Au/9wOpmcZ+/g+OfHDrFMf7Ro+Du0jGJWYrB0diZtv8e4 A03LDoiLPjdGvzy2/+Zz4i0mU7PWmbyWzL3bc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QS+5+qtjWUVoj+FQRXo8D0PlxiyPsOLlMe2hkQg5BxY=; b=S3SBWWUntXrY6vFjYf6ifirO2XaL2Pq1nBxqv1aTdZKvhdIBbd8rdxMTZjf1dTFlPV TCBHswQBEMWcrD6vl3wBtX7jG5xHMhF6wmdyimsZlwf/pJH8k0OuJF997ZZW3j/LhhHU DEQNtZKHfcCMlpTM+hQsUv86w0IAsExlBc1GluyZVT2k407/C6kmN8g0RCRKaZyGCGLR YDBpfKfSV2XX3B4TjCyc1bApzCWm61zoTTjvVk1avk0Ttg8dZjICIz9KsmGoJXm42/Jb VtRdQgqy3Ro9SVasgZpJlZbo9LChtb75LvWnB6x/uwnXQUM/Qy1c6IhEQFVDa/RGEw3E BquA==
X-Gm-Message-State: APjAAAUPBCPsl9CHRdk9mtEVtsX1zr+aerFz+LLL/C5Z0XylxI25lwvQ aQ/ytVTXe72Q9FFEcY2t/IsXOiN5YfgN/v2+KN/Y4g==
X-Google-Smtp-Source: APXvYqypLOYJbKWqaZg66CzcGpfIG4Wc03RNMRIa9uLP6eaQmkXPjd5V4AueQdMvaC9gyf29yfSSNIyEaK1dTyOJVBE=
X-Received: by 2002:a1c:4e04:: with SMTP id g4mr2499747wmh.127.1553252518864; Fri, 22 Mar 2019 04:01:58 -0700 (PDT)
MIME-Version: 1.0
References: <mailman.3617.1553248218.6143.cfrg@irtf.org> <CALNOPK+SmbcVHz49D1ZUV8cdq81YEUn5Xrmn4kB3dftrV7Ygbg@mail.gmail.com> <CA+iU_qkh1qOyxm6j0gjy28wP4QMbX5GBmsPZ082etB7nCW2Kjg@mail.gmail.com>
In-Reply-To: <CA+iU_qkh1qOyxm6j0gjy28wP4QMbX5GBmsPZ082etB7nCW2Kjg@mail.gmail.com>
From: David Núñez <david@nucypher.com>
Date: Fri, 22 Mar 2019 12:01:47 +0100
Message-ID: <CALNOPKJM0ffsuYfcGNXhvSLk0=dMnteEdnPUkwAfB+fv9S-f-w@mail.gmail.com>
To: Markku-Juhani Olavi Saarinen <mjos@iki.fi>
Cc: cfrg@irtf.org, christopherwood07@gmail.com, madalier@antarateknik.com
Content-Type: multipart/alternative; boundary="000000000000a241db0584acc840"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fBWZWogu0KxXGfOTe6HTH-8zyiM>
Subject: Re: [Cfrg] Recommended bit length before truncating a hash mod p
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2019 11:02:16 -0000

Hi Markku,
Yes, we were aware of all those caveats. We use the term "Keccak256"
deliberately, since we need to be interoperable with Ethereum's EVM, whose
default hash function is the pre-standardized version. There was some
confusion in the past to this regard, since Ethereum initially called this
"SHA3", even if it wasn't the standardized version, but the previous one.
For the same reason, we don't have native access to XOFs, as the EVM only
gives you Keccak256, SHA256 and RIPEMD160.

Regards,
David

On Fri, Mar 22, 2019 at 11:38 AM Markku-Juhani Olavi Saarinen <mjos@iki.fi>
wrote:

> Hi,
>
> Some notes since this is a standardization forum:
>
> - It is generally not advisable to say "Keccak" when you mean SHA3.
> The padding mechanism was slightly changed from the "final competition
> round" Keccak 3.0 proposal to FIPS 202, making the two incompatible.
> Some cryptocurrencies (e.g. Monero) actually use the obsolete
> pre-standardization version and talk of "Keccak" when they refer to
> it.
> - FIPS 202 defines not only an actual SHA3-512 but also
> Extendable-Output Functions (XOFs) that allow hashes of any output
> size. The source code link provides a ExtendedKeccak(Hash) method
> which is a "doubly standard-violating" ad hoc construction, having
> nothing to do with the faster, standardized XOFs (SHAKE128 and
> SHAK256).
>
> Cheers,
> - markku
>
> Dr. Markku-Juhani O. Saarinen <mjos@iki.fi>
>
> On Fri, Mar 22, 2019 at 10:13 AM David Núñez <david@nucypher.com> wrote:
> >
> > Hi Christopher,
> > for this exact problem, we follow the approach described by Mehmet:
> >
> > Hash512(x) = Hash256(0||x) || Hash256(1||x)
> >
> > This way we can take up to 512 bits using a 256-bit hash function. You
> can find an example implementation of this (for Keccak256) here:
> >
> https://github.com/nucypher/pyUmbral/blob/master/umbral/random_oracles.py#L84
> >
> > Regards,
> > David
> >
> >>
> >> ---------- Forwarded message ----------
> >> From: Mehmet Adalier <madalier@antarateknik.com>
> >> To: Christopher Wood <christopherwood07@gmail.com>, <cfrg@irtf.org>
> >> Cc:
> >> Bcc:
> >> Date: Thu, 21 Mar 2019 19:11:47 -0700
> >> Subject: Re: [Cfrg] Recommended bit length before truncating a hash mod
> p
> >> Would this work?
> >>
> >> 1) generate two hashes with two different x values,
> >> 2) concatenate the two outputs
> >> 3) take however many high order bits you need (with at least 64
> additional bits per spec)
> >>
> >> In our regular P256 implementation we use a 512-bit value before we
> perform reduction.
> >>
> >> mA
> >>
> >> On 3/21/19, 6:20 PM, "Cfrg on behalf of Christopher Wood" <
> cfrg-bounces@irtf.org on behalf of christopherwood07@gmail.com> wrote:
> >>
> >>     Hi folks,
> >>
> >>     In draft-irtf-cfrg-hash-to-curve, we define a utility function
> called
> >>     `hash2base` as follows [1]:
> >>
> >>     ~~~
> >>     hash2base(x).  This method is parametrized by p and H, where p is
> the
> >>     prime order of the base field Fp, and H is a cryptographic hash
> >>     function which outputs at least floor(log2(p)) + 1 bits.  The
> function
> >>     first hashes x, converts the result to an integer, and reduces
> modulo
> >>     p to give an element of Fp.  We provide a more detailed algorithm in
> >>     Appendix C.7.
> >>     ~~~
> >>
> >>     Some existing standards [2] recommend taking at least log2(p) + 64
> >>     bits “so that bias produced by the mod function … is negligible.” If
> >>     we were to follow this guidance for hash2curve, we’d lose out on
> >>     several ciphersuite combinations, such as P-256 and Curve25519 with
> >>     SHA256.
> >>
> >>     So, our question to the group is, how many extra bits are necessary?
> >>
> >>     Thanks,
> >>     Chris
> >>
> >>     [1]
> https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-03#section-4
> >>     [2]
> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
> >>
> >>     _______________________________________________
> >>     Cfrg mailing list
> >>     Cfrg@irtf.org
> >>     https://www.irtf.org/mailman/listinfo/cfrg
> >>
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email