Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Mike Hamburg <> Sat, 10 April 2021 19:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8EDA83A1810 for <>; Sat, 10 Apr 2021 12:09:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.304
X-Spam-Status: No, score=-1.304 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5sBEfnG0_R47 for <>; Sat, 10 Apr 2021 12:09:32 -0700 (PDT)
Received: from (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B8C463A180F for <>; Sat, 10 Apr 2021 12:09:32 -0700 (PDT)
Received: from [] (unknown []) (Authenticated sender: mike) by (Postfix) with ESMTPSA id 2986ABB869; Sat, 10 Apr 2021 19:09:29 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=sldo; t=1618081770; bh=8Mh61o/RKf+TpKBlUB9ENJgCLzXpnWIYkCsoMbKiC/c=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=hKBC/PSLHQZkPw76xhf+UZxWogznHgJeBPXgpdHZMWe4LTl8LOkX5ZFMwWEPwOq2c Aya8vRoZ+6QwFDxjv+TWBoy/MIhtfU3IUdnwB21NMLdo3GGad2VWOr3MmjuC9GvEWL dBYjrUhTvgvE5uoln71K7N97UorNe9UHLojOA1Ac=
From: Mike Hamburg <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_451CCBE4-B593-47D7-BFBF-E9DEDB275B5A"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Date: Sat, 10 Apr 2021 16:09:26 -0300
In-Reply-To: <>
Cc: Hugo Krawczyk <>, CFRG <>, "Hao, Feng" <>
To: Rene Struik <>
References: <> <> <> <> <trinity-f323065e-9f30-48fd-9ead-0865e8f877eb-1618002469856@3c-app-webde-bap03> <> <> <> <20210410151254.7ze5pt4lpvblhk3f@muon> <> <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 10 Apr 2021 19:09:38 -0000

Hi Rene,

I’m not sure about specific PAKEs, but typically a password would be hashed through a salted KDF construction like Argon2 or PBKDF2, and some protocols include a nonce as well.  For honest users, this means that (unless the hash is truly terrible, i.e. fails to roughly preserve entropy) the identity will never be encountered, even if the hash or map-to-curve is subtly backdoored.

The argument breaks down if an active adversary can find a salt/nonce such that hash(pw, salt) maps to the identity point for many passwords pw.  This is unlikely to happen even if the hash is broken, because the salt is typically short.  But even so, I’m not sure this is unique to the identity element: at least if the client confirms first, then the adversary just needs to find a salt such that dlog(hash(pw1, salt), hash(pw2, salt)) is known — or better yet, such that dlog relations are known for a large set of passwords — in order to break SPEKE or CPace's security.

Again, I’m sympathetic to the idea that returning the identity complicates error handling.  At least for some protocols, we have to forbid sending it to keep the protocol contributive (or for other reasons), so the identity would cause an error, which might be the only possible error in some code paths.  We could instead specify a hash_to_curve that’s uniform over non-identity elements.  This could be achieved by eg computing (1 + (hash1 mod p-1)) * cofactor * map_to_curve(hash2), at least if you can keep low-order elements out of map_to_curve(h2).  If a low-order element is an image, you could use (1 + (hash1 mod p-1)) * cofactor * (map_to_curve(hash2) + Q), where Q is the precomputed lexicographically least point such that no low-order point is an image.

This is slower, but if you’re going to scalarmul again anyway, then you could fold the multiplies together so that the leading term costs basically nothing.  Or, since most protocols don’t actually need uniformity, just do the analysis and drop the leading term.

But I don’t think this is convincing.  The counterargument is: uniform maps to G are already analyzed, already implemented, simpler, and preferable in some cases (again, at least for PAK), and the security implications are pretty much negligible, and are likely to remain negligible even if the hash is broken.  So it’s just not worth re-doing at the map to curve level.  It’s easier to just say: if in your protocol you don’t want the identity to come out of hash_to_curve, then detect it and replace it with the generator.  Or again, drop uniformity and use cofactor * (map_to_curve + Q).

— Mike

> On Apr 10, 2021, at 2:51 PM, Rene Struik <> wrote:
> Hi Hugo:
> It would be of interest what the impact of a "broken" hash function in the hash to curve construction on the security of password based schemes would be. In the case of mappings that always yield a high-order point, the impact may not immediately be obvious, while with mappings that do not preclude low-order points this might show more readily, also to offline observers. This may be an interesting addition to security proof papers that now focus mostly on idealized functionality (such as random oracles).
> As an aside, as I noted in my email of yesterday [1],  mappings that fix a particular image point for a specific input are trivial if the construction itself has "free variables" one could fix after the fact (e.g., pick delta such that delta*H("Hugo123")^2=t0), thereby yielding an immediate attack, irrespective of hash function functionality. See specific comment a) in [1].
> All in all, it seems that guaranteeing that curve mappings would never yield low-order points seems prudent, esp. if it comes at roughly the same computational cost as ones that do not give those assurances.
> Best regards, Rene
> Ref: [1] <>
> On 2021-04-10 1:27 p.m., Hugo Krawczyk wrote:
>> Feng, you say:
>> > On the other hand, from the perspective of a higher layer protocol (say CPace, OPAQUE and PAK), it’s simply impossible to handle the exception. As soon as map-to-curve hits the small subgroup, the password in a PAKE system will be compromised. Therefore, the above warning is self-defeating and not meaningful.
>> If I understand correctly, you are saying that in the case of password protocols, the unlikely event of (a correctly designed, correctly implemented) hash-to-curve mapping some value to the identity has irrecoverable consequences that are specific to the PAKE setting.
>> I wanted to comment that in the case of OPAQUE, you could check during password registration that a user's password maps to the identity and ask to choose a new password (we are used to websites rejecting some passwords). However, when that happens, the website should immediately (*) sound an alarm to be heard across the universe. You would have found a preimage of the identity under a RO-modeled hash function. Either you are observing an event with probability, say, 2^{-256}, or you are observing a hugely more probable event: Someone broke the one-wayness of the hash function. STOP USING IT IMMEDIATELY FOR ANY PURPOSE.
>> (The same alarm should go off if it just happens in a run of any other protocol.)
>> (*) Of course, you should first check that you really have a preimage of the identity under the hash - the most probable event to produce such a result is an implementation error.
>> Hugo
>> PS: When you have an analysis that assumes a uniform distribution and then decide to deviate from it as a way to "enhance" the design, you may be introducing subtle weaknesses. An historic example (irrelevant to the cases we are discussing here but illustrating the principle) is Enigma's avoidance  of encrypting letters to themselves - something Turing was fast to exploit
>> <>
>> On Sat, Apr 10, 2021 at 11:13 AM < <>> wrote:
>> Hello Feng,
>> "Hao, Feng" < <>> wrote:
>> > Rsw also gave a similar example of having all zeros for the hash.
>> > Let me clarify that we are not – and shouldn’t be - concerned with
>> > any of such cases since the values are uniformly distributed within
>> > their respective range.
>> Right. And the argument is precisely the same for hash-to-curve!
>> Let me be perfectly clear: the property that hash_to_curve gives
>> is that the output is a uniformly* distributed point in the (big)
>> prime-order subgroup of the target elliptic curve.
>> At the risk of seeming didactic (in which case, apologies): the
>> identity element is indeed an element of the target group G.
>> Put another way: fix a generator g of group G of prime order q. Then,
>> hash_to_curve returns g^r in G, for r sampled uniformly* at random
>> in 0 <= r < q. Under the assumption that discrete log is hard in G,
>> hash_to_curve does not reveal r. Under the preimage and collision
>> resistance of the underlying hash function, one cannot choose any
>> particular r or find two inputs that hash to the same r.
>> I hope this helps clarify the security properties, and why focus
>> on low-order points at intermediate steps of the computation is not
>> relevant to the security of hash_to_curve as specified.
>> * uniformly except for some statistical distance less than 2^-100.
>> Regards,
>> -=rsw
>> _______________________________________________
>> CFRG mailing list
>> <>
>> <>
>> _______________________________________________
>> CFRG mailing list
>> <>
>> <>
> -- 
> email: <> | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
> _______________________________________________
> CFRG mailing list