Re: [Cfrg] Recommended bit length before truncating a hash mod p

Mehmet Adalier <madalier@antarateknik.com> Fri, 22 March 2019 02:11 UTC

Date: Thu, 21 Mar 2019 19:11:47 -0700
From: Mehmet Adalier <madalier@antarateknik.com>
To: Christopher Wood <christopherwood07@gmail.com>, cfrg@irtf.org
Message-ID: <258974E8-F22C-4826-AC33-F711E0A5D919@antarateknik.com>
Thread-Topic: [Cfrg] Recommended bit length before truncating a hash mod p
References: <CAO8oSXkwdyMQ8MHdt=+iYpd3__a55h6mcD-OgKHhdTytgb8Oew@mail.gmail.com>
In-Reply-To: <CAO8oSXkwdyMQ8MHdt=+iYpd3__a55h6mcD-OgKHhdTytgb8Oew@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/i_lmhmw2ICEOqdKRQ2n2NWVgrJE>
Subject: Re: [Cfrg] Recommended bit length before truncating a hash mod p

Would this work?

1) generate two hashes with two different x values,
2) concatenate the two outputs
3) take however many high order bits you need (with at least 64 additional bits per spec)

In our regular P256 implementation we use a 512-bit value before we perform reduction.

mA

On 3/21/19, 6:20 PM, "Cfrg on behalf of Christopher Wood" <cfrg-bounces@irtf.org on behalf of christopherwood07@gmail.com> wrote:

    Hi folks,
    
    In draft-irtf-cfrg-hash-to-curve, we define a utility function called
    `hash2base` as follows [1]:
    
    ~~~
    hash2base(x).  This method is parametrized by p and H, where p is the
    prime order of the base field Fp, and H is a cryptographic hash
    function which outputs at least floor(log2(p)) + 1 bits.  The function
    first hashes x, converts the result to an integer, and reduces modulo
    p to give an element of Fp.  We provide a more detailed algorithm in
    Appendix C.7.
    ~~~
    
    Some existing standards [2] recommend taking at least log2(p) + 64
    bits “so that bias produced by the mod function … is negligible.” If
    we were to follow this guidance for hash2curve, we’d lose out on
    several ciphersuite combinations, such as P-256 and Curve25519 with
    SHA256.
    
    So, our question to the group is, how many extra bits are necessary?
    
    Thanks,
    Chris
    
    [1] https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-03#section-4
    [2] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
    
    _______________________________________________
    Cfrg mailing list
    Cfrg@irtf.org
    https://www.irtf.org/mailman/listinfo/cfrg
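The question in the thread (how many bits beyond log2(p) are needed before reducing mod p) has an exact answer once the hash output is modelled as uniform on [0, 2^L): writing 2^L = q*p + r, the statistical distance of (U mod p) from uniform on Z_p is r*(p-r)/(2^L*p), which is at most p/(4*2^L) whatever r turns out to be. The script below is an added example, not code from the draft, from either poster, or from any reference implementation. It computes that distance exactly for the two curves named in the thread, cross-checks the closed form against brute-force enumeration on tiny parameters, and includes a hash_to_field helper that realises the "hash under several inputs, concatenate, keep the high-order bits, reduce" idea from the reply above; that helper, its SHA-256-with-counter domain separation and its name are illustrative assumptions, not the draft's hash2base algorithm.

```python
"""Added example (not from draft-irtf-cfrg-hash-to-curve or either poster):
how much bias does 'hash, then reduce mod p' leave, and how do extra bits
shrink it?  All arithmetic is exact (Python ints / Fractions)."""
import hashlib
import math
from fractions import Fraction

# Field primes of the two curves named in the thread (real values).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
CURVE25519_P = 2**255 - 19


def mod_bias_distance(p: int, L: int) -> Fraction:
    """Exact statistical distance between (U mod p) and uniform on [0, p),
    for U uniform on [0, 2^L).

    Write 2^L = q*p + r with 0 <= r < p.  Residues below r are hit q+1 times,
    the others q times, so
        SD = 1/2 * ( r*((q+1)/2^L - 1/p) + (p-r)*(1/p - q/2^L) )
           = r*(p-r) / (2^L * p).
    """
    N = 1 << L
    r = N % p
    return Fraction(r * (p - r), N * p)


def mod_bias_distance_bruteforce(p: int, L: int) -> Fraction:
    """Same quantity by enumeration; only feasible for tiny parameters and
    used to sanity-check the closed form above."""
    N = 1 << L
    counts = [0] * p
    for u in range(N):
        counts[u % p] += 1
    return sum(abs(Fraction(c, N) - Fraction(1, p)) for c in counts) / 2


def mod_bias_upper_bound(p: int, L: int) -> Fraction:
    """r*(p-r) <= p^2/4, so SD <= p / (4 * 2^L) regardless of r.
    With L = ceil(log2 p) + 64 this is below 2^-66 for every p."""
    return Fraction(p, 4 * (1 << L))


def log2_fraction(x: Fraction) -> float:
    """log2 of a non-negative Fraction without converting huge ints to float."""
    if x == 0:
        return -math.inf
    return math.log2(x.numerator) - math.log2(x.denominator)


def hash_to_field(msg: bytes, p: int, extra_bits: int = 64) -> int:
    """Hash msg into Z_p using ceil(log2 p) + extra_bits bits before reducing.

    Assumed construction for illustration only (NOT the draft's hash2base):
    SHA-256 is applied to msg with a one-byte counter appended, the digests
    are concatenated, and the high-order need_bits bits are kept before the
    single reduction mod p.  With a uniform hash, the output bias is exactly
    mod_bias_distance(p, need_bits).
    """
    need_bits = p.bit_length() + extra_bits
    need_bytes = (need_bits + 7) // 8
    blocks = b""
    ctr = 0
    while len(blocks) < need_bytes:
        blocks += hashlib.sha256(msg + bytes([ctr])).digest()
        ctr += 1
    u = int.from_bytes(blocks[:need_bytes], "big") >> (8 * need_bytes - need_bits)
    return u % p


if __name__ == "__main__":
    for name, p in (("P-256", P256_P), ("Curve25519", CURVE25519_P)):
        for L in (256, 320, 512):
            sd = mod_bias_distance(p, L)
            bound = mod_bias_upper_bound(p, L)
            print(f"{name:11s} L={L}: SD = 2^{log2_fraction(sd):.2f} "
                  f"(worst case for this L: 2^{log2_fraction(bound):.2f})")
    print(hex(hash_to_field(b"example input", P256_P)))
```

Running it shows why the answer depends on p and not only on the extra bit count: with exactly 256 bits, P-256 has 2^256 mod p close to 2^224, so the distance is about 2^-32, while Curve25519 has 2^256 mod p = 38 and the distance is about 2^-251. Adding 64 bits (L = 320) pushes the worst case for any 256-bit prime below 2^-66, and the 512-bit value mentioned in the reply above leaves a bias below 2^-258.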