Re: [Cfrg] On h2c implementation

"Riad S. Wahby", Sat, 07 December 2019 16:54 UTC

On December 7, 2019 6:55:26 AM GMT+01:00, Watson Ladd wrote:
>This is a common way to avoid the cost of a full carry chain, but has the
>disadvantage that the arithmetic functions need to be wrapped to properly
>carry out comparisons to constants.

Hello Watson,

Thanks for the feedback! We'll definitely give more thought to this issue. If you have any other details that you'd like to discuss off-list, happy to chat more.

Speaking only for myself (I haven't yet discussed with the other authors), my inclination is that details of field arithmetic implementations are quite a bit below the level of abstraction the hash-to-curve document is aiming for. For example, Section 4 currently says:

"Guidance on implementing these low-level operations in constant time is beyond the scope of this document."

(If I understand your email correctly, this isn't exactly what you're discussing, but it's in the ballpark and to me suggests a similar conclusion.)

Of course, I could be wrong and/or things could change! Again, happy to chat more.