Re: [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-curve-04.txt

Dan Harkins <dharkins@lounge.org> Tue, 16 July 2019 09:25 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00EE212001E for <cfrg@ietfa.amsl.com>; Tue, 16 Jul 2019 02:25:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.436
X-Spam-Level: *
X-Spam-Status: No, score=1.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SBL_CSS=3.335, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MFYzRpRriIuQ for <cfrg@ietfa.amsl.com>; Tue, 16 Jul 2019 02:25:54 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10941120019 for <cfrg@irtf.org>; Tue, 16 Jul 2019 02:25:54 -0700 (PDT)
Received: from trixy.bergandi.net (cpe-76-93-146-89.san.res.rr.com [76.93.146.89]) by wwwlocal.goatley.com (PMDF V6.8-0 #1001) with ESMTP id <0PUQ00I8IA751F@wwwlocal.goatley.com> for cfrg@irtf.org; Tue, 16 Jul 2019 04:25:53 -0500 (CDT)
Received: from thinny.local ([217.19.42.20]) by trixy.bergandi.net (PMDF V6.7-x01 #1001) with ESMTPSA id <0PUQ00A09A6TJ4@trixy.bergandi.net> for cfrg@irtf.org; Tue, 16 Jul 2019 02:25:42 -0700 (PDT)
Received: from ns1.makeit.at ([217.19.42.20] EXTERNAL) (EHLO thinny.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Tue, 16 Jul 2019 02:25:42 -0700
Date: Tue, 16 Jul 2019 02:25:50 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <156262877252.887.17736027249172849204@ietfa.amsl.com>
To: cfrg@irtf.org
Message-id: <ed63dbe8-4a7e-8c0d-ffe2-90cc99bb9a6e@lounge.org>
MIME-version: 1.0
Content-type: text/plain; charset=utf-8; format=flowed
Content-language: en-US
Content-transfer-encoding: 8BIT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=217.19.42.20)
X-PMAS-External-Auth: ns1.makeit.at [217.19.42.20] (EHLO thinny.local)
References: <156262877252.887.17736027249172849204@ietfa.amsl.com>
X-PMAS-Software: PreciseMail V3.3 [190715] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/gFn3tvf62e1FKx_SkVXk8hsSVig>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-curve-04.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2019 09:25:55 -0000

   Hello,

   This draft seems like a departure from the direction -03 was going,
which is unfortunate.

   Version -03 had several methods of hashing whose preconditions made them
appropriate for certain curves. Importantly, though, it had SWU which will
work with basically any Weierstrass curve. Now it seems the focus is on 
highly
optimized and curve-specific methods and ciphersuites which fix the curve
and hash algorithm. SWU is now optimized to work only on certain 
pairing-friendly
curves.

   Would it be possible to add back the -03 SWU as a generic template that
can be instantiated with a curve and a hash function? That was how I was
planning on using this soon-to-be RFC.

   And a comment on -04. The Simple SWU method now has a check whether u=0
to prevent divide-by-zero. In the event it is, the algorithm outputs
B/(Z * A) as x. Doesn't this leak information? If I, as a passive observer,
notice x = B/(Z * A) then I know that hash_to_curve(m) returned 0. I know
the probability of u=0 is astronomically small but if the possibility is
going to be addressed why not reduce the output of the hash modulo (p-2)
and then add 2 to always place 1 < u < p?

   regards,

   Dan.

On 7/8/19 4:32 PM, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Crypto Forum RG of the IRTF.
>
>          Title           : Hashing to Elliptic Curves
>          Authors         : Armando Faz-Hernandez
>                            Sam Scott
>                            Nick Sullivan
>                            Riad S. Wahby
>                            Christopher A. Wood
> 	Filename        : draft-irtf-cfrg-hash-to-curve-04.txt
> 	Pages           : 60
> 	Date            : 2019-07-08
>
> Abstract:
>     This document specifies a number of algorithms that may be used to
>     encode or hash an arbitrary string to a point on an elliptic curve.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-04
> https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-04
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-hash-to-curve-04
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg