Re: [Cfrg] RGLC on draft-irtf-cfrg-hash-to-curve-10

Greg Hudson <ghudson@mit.edu> Sat, 17 October 2020 10:10 UTC

To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, CFRG <cfrg@irtf.org>
Cc: cfrg-chairs@ietf.org
References: <CAMr0u6=-rzVW_tsmmifPu-7FA9DaZ1z83_akp4pkTjHRDGUHiA@mail.gmail.com>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <c43ee53d-56ae-d8ef-0703-4840aeaac959@mit.edu>
Date: Sat, 17 Oct 2020 06:10:24 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/o1y2Ue3wY_w2_IQEUEtPi92wifg>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-hash-to-curve-10

I have some concerns over the use of the terms "random" and "uniform" in
this document.

The term "random" is sometimes used to describe the output of
deterministic functions.  For instance, section 5 says "it first hashes
the input byte string to produce a uniformly random byte string", and
section 5.2 says that an alternative hash_to_field must output field
elements that are "uniformly random except with bias at most 2^-k".
hash_to_field is a deterministic function; it introduces no randomness.

The term "uniform" describes a probability distribution where all values
have equal probability.  There is an assumption in the document that
applying a hash function to an input string produces an output that is
somehow uniform or uniformly random, without discussing the input as
being selected from any particular probability distribution.

Perhaps there is a definition of "uniform" which makes this language
more rigorous, but the document does not define the term or provide a
reference, so I can only read it as having the meaning from probability.

I understand that the document wants to specify functions
indistinguishable from random oracles, and therefore needs to be
concerned with not introducing bias beyond what is intrinsic in the
input distribution.  (An example of bias intrinsic to the input
distribution would be hashing passwords to curve elements, where 90% of
the passwords are "mypassword".  One output element will necessarily
have 90% probability, no matter how random-looking that single element
might be.)  I unfortunately don't know how to rigorously describe that,
so can't suggest specific wording changes.
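A worked illustration of the two points raised in the message above, added here as an example; it is not Greg Hudson's code nor the draft's reference implementation. It keeps the shape of the draft's hash_to_field (take L = ceil((ceil(log2 p) + k)/8) bytes, read them as an integer, reduce mod p) but replaces expand_message with a plain SHA-256 counter-mode stand-in, which is an assumption of this example and not the draft's expand_message_xmd. The P-256 field prime is the real constant; the DST strings and the skewed password distribution are constructed. It shows what "bias at most 2^-k" means numerically (the exact statistical distance of a mod-p reduction from uniform, for 32 bytes versus the draft's 48 bytes), and that the same deterministic map passes any skew in its input distribution straight through to its output.

```python
import hashlib
import math
from fractions import Fraction

# Real constant: the NIST P-256 field prime.
P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1


def expand_message_toy(msg: bytes, dst: bytes, len_in_bytes: int) -> bytes:
    """Stand-in for the draft's expand_message: SHA-256 in counter mode.
    Placeholder construction for this example only, NOT the draft's
    expand_message_xmd.  All it needs to be is deterministic and to emit
    len_in_bytes bytes with no visible structure."""
    out = b""
    ctr = 0
    while len(out) < len_in_bytes:
        out += hashlib.sha256(dst + msg + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:len_in_bytes]


def hash_to_field_L(p: int, k: int) -> int:
    """L = ceil((ceil(log2 p) + k) / 8): the byte length hash_to_field
    consumes per field element for security parameter k."""
    return (p.bit_length() + k + 7) // 8


def hash_to_field_one(msg: bytes, dst: bytes, p: int, k: int) -> int:
    """One field element, draft-style: L bytes -> integer (OS2IP) -> mod p.
    Deterministic: the same (msg, dst) always yields the same element."""
    L = hash_to_field_L(p, k)
    return int.from_bytes(expand_message_toy(msg, dst, L), "big") % p


def reduction_bias(p: int, L: int) -> Fraction:
    """Exact statistical distance between (U mod p), with U uniform on
    [0, 2^(8L)), and the uniform distribution on Z_p.  Writing
    N = 2^(8L) = q*p + r, the r smallest residues receive q+1 preimages and
    the other p-r receive q, so the distance is r(p-r)/(N*p)."""
    N = 1 << (8 * L)
    q, r = divmod(N, p)
    return Fraction(r * (p - r), N * p)


def output_distribution(input_dist, dst: bytes, p: int, k: int):
    """Push an input distribution {msg: probability} through the map.
    A deterministic function cannot remove skew that is already in its
    input: a 90% input yields a 90% output element."""
    out = {}
    for msg, prob in input_dist.items():
        e = hash_to_field_one(msg, dst, p, k)
        out[e] = out.get(e, 0.0) + prob
    return out


if __name__ == "__main__":
    # Bias of the reduction with 32 bytes (no extra k bits) vs the draft's L.
    for L in (32, hash_to_field_L(P256, 128)):
        sd = reduction_bias(P256, L)
        print(f"P-256, L={L} bytes: statistical distance ~ 2^{math.log2(float(sd)):.1f}")

    # Constructed skewed input distribution, as in the message's password example.
    dist = {b"mypassword": 0.9, b"hunter2": 0.05, b"correct horse": 0.05}
    out = output_distribution(dist, b"EXAMPLE-DST", P256, 128)
    print("largest output-element probability:", max(out.values()))
```

For P-256 the 32-byte reduction is about 2^-32 from uniform (the prime sits well below 2^256), while the draft's 48 bytes (k = 128) push that below 2^-128; this is the quantity the draft's "bias at most 2^-k" refers to, and it is a property of the map from uniform input bytes, separate from whatever distribution the caller's messages actually have.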