Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-curve-10

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Thu, 01 April 2021 05:44 UTC

Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D107C3A1252 for <cfrg@ietfa.amsl.com>; Wed, 31 Mar 2021 22:44:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p5std-YmEsrr for <cfrg@ietfa.amsl.com>; Wed, 31 Mar 2021 22:44:06 -0700 (PDT)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40A8F3A11DB for <cfrg@irtf.org>; Wed, 31 Mar 2021 22:44:04 -0700 (PDT)
Received: by mail-ej1-x629.google.com with SMTP id u9so1037712ejj.7 for <cfrg@irtf.org>; Wed, 31 Mar 2021 22:44:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aoGj//ZLgEh/D69e83k/67rIxDE78wGd7Rr/SBfy8Dc=; b=Djj124h5lk0jSZiPrCe+FxtbnNQGxNPtfLnbByj7VgCDQRK4qexOHSWdzAbo9v2coU DEUOVo88A2PyZBD7uXV7uJjhxa1+1xTz0l6AFNDbKiz4D585nEcpbSCOv/r45jnjlWoY YL5oIS+aimkElspZvXs+TuZK0j7Efu7Q4Onk/MeBToLYdM8vpGiQy4LrFqSqWCFBZ7AX eUepEXWl+BIRDkLJmnyBvLDJF8aZKxIgqIhZ1nN8mnZiYUH5sVsxAmq1/F2zDDtBNaZA cRrM+jqS8zSeCVIt2J2VKzi9Jvu7KnyxuJ8okUVzxT5CLBuXYw8qEmrP0BlfS8rzyimC I/0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aoGj//ZLgEh/D69e83k/67rIxDE78wGd7Rr/SBfy8Dc=; b=Ef/41ztFwcaW20lBVS7EpymYqE0fV3D+asIC8XTe2sCc4pAxbvmkOoMKAqfvShRwgL WefMS42QODr8TyVHHjO8FDmFjR692FB1nUzsu8ZKYaBEhlpCbX2pBj22saZqHV9AYBm8 kwkCvqQ4+w6+E9RJaW+ibpiNSOb83v+xPpNBVniAUGQeqX7d6Aq7uzkUY40v/7k1vOlc CQUh9uoMyJlcws4mcd8Nj9CsKo4OujVLX55zzF8ZMgrH6zsGn8Z3NTCHGf+0EKVRYsy5 7//fgnn+nz2SwtFA7CEMEcbZa9+IW4Zmih/yFNWWrF3tWw9I/CSyqMIaxDeYhoeQXA1v WJTA==
X-Gm-Message-State: AOAM532me5dp0iT/fPnvCRAeXSxAZQ2X3eD9pLoiPypxFhWpCw3o2osU c5xhXqvCCRFKxSTP7H8Pu05HGeHA8qSXxrAyfEs=
X-Google-Smtp-Source: ABdhPJyEUIKebSrsnXUxmWJ232xn92VOc94JwhbqaGuY8+0nyTZSpT13z3MX9Q4fttR4S2umTfZR+mWBfJq8t4Zk388=
X-Received: by 2002:a17:906:22d2:: with SMTP id q18mr7405719eja.437.1617255841247; Wed, 31 Mar 2021 22:44:01 -0700 (PDT)
MIME-Version: 1.0
References: <e270e62d-941d-0a87-7dc9-cf80f73b5aeb@jacaranda.org> <d0778523-5f5d-4327-b795-279918c1899c@www.fastmail.com>
In-Reply-To: <d0778523-5f5d-4327-b795-279918c1899c@www.fastmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Thu, 01 Apr 2021 08:41:33 +0300
Message-ID: <CAMr0u6=PBX1W5zQFmpxKQ=ViUXN9QK00BREL4M0=2HOkaXaiZw@mail.gmail.com>
To: Christopher Wood <caw@heapingbits.net>, daira@jacaranda.org
Cc: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000edb61e05bee2b7ac"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/oCu5pbBXuovSW_QqCEJazArqWqs>
Subject: Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-curve-10
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 05:44:12 -0000

Dear Daira,

The CFRG is close to moving the hash-to-curve draft forward (i.e., to the
IRSG review phase) - it might happen in a couple of weeks.
Could you please reply to Chris Wood's comments in the previous message in
this thread?

If there are no objections to his comments before the middle of April, the
draft is expected to be moved forward in the current form – probably, after
some small modifications to address possible concerns in Shepherd's review,
but without any changes related to the optimization issue mentioned in your
message.

Regards,
Stanislav



On Thu, 18 Mar 2021 at 03:24, Christopher Wood <caw@heapingbits.net> wrote:

> Hi Daira,
>
> Thanks for the feedback, and apologies for the delayed reply! Given the
> maturity of this document and its state in the RG, I've two very high-level
> responses:
>
> 1. Changing the sign bit breaks backwards compatibility. Absent more
> support for this change, especially from those familiar with the challenges
> in the current design, perhaps now is not the time. I note that future
> ciphersuites could change the sign computation, should that be desired for
> certain applications.
> 2. I think the optimized, curve-specific algorithms in the appendix are
> constant time as described, so it doesn't *seem* necessary to make any
> substantial editorial changes to lift those to the main text. The mappings
> in Section 6 are not intended to be translated directly into code. Instead,
> each mapping points to a corresponding straight-line implementation in
> Appendix F.
>
> I would love to hear from others who may have opinions on either of these
> points, or on the particular suggestions below.
>
> Best,
> Chris
>
> On Mon, Jan 4, 2021, at 5:40 AM, Daira Hopwood wrote:
> > Hello,
> >
> > This is a response to the RG Last Call for
> draft-irtf-cfrg-hash-to-curve-10.
> >
> > The current draft is based in large part on
> > [WB2019](https://eprint.iacr.org/2019/403).
> > However, it does not cover most of the optimizations described in that
> > paper. This is understandable given that the paper is focussed on
> > hashing to BLS12-381 G1 and G2, and does not explain in much detail how
> > to apply these optimizations to other curves.
> >
> > In fact, *all* of the optimizations applied for BLS12-381 G1 in [WB2019]
> > can be adapted to general short Weierstrass curves over an arbitrary
> > prime field:
> >
> > * merging an inversion and square root in map_to_curve;
> > * eliminating all remaining inversions by use of Jacobian coordinates
> >
> >    * in map_to_curve;
> >    * in the addition, for the random oracle variant; and
> >    * in the isogeny map, for curves with AB = 0.
> >
> > These are all compatible with a constant-time implementation; actually,
> > they result in an algorithm that is naturally constant time. The
> > unoptimized algorithm, on the other hand, entails a trade-off between
> > constant-timeness and speed. That could tempt implementors to rely on
> > arguments about inapplicability of timing attacks in their context,
> > that may be incorrect, or may fail when code is reused in a different
> > context.
> >
> > (Yes I have read section 10 of the ID. From experience, implementors
> > are very likely to ignore even strong recommendations if they have a
> > performance issue to solve and they believe, correctly or incorrectly,
> > that they can get away with it for their application.)
> >
> > Probably all of the above is also true for curves over extension fields,
> > but I haven't verified that.
> >
> > Recent developments in proof systems have made it more important to be
> > able to efficiently hash to curves over F_p where p = 1 + m * 2^n for
> > reasonably large n, say n ~= 32 (informally, "highly 2-adic" fields).
> > This is effectively a requirement for fast polynomial arithmetic using
> > FFTs. Some proof systems, such as
> > [PLONK](https://eprint.iacr.org/2019/953) and its variants, depend
> > fundamentally on the resulting multiplicative subgroup structure.
> >
> > My main concern is a lack of advice in the draft on how to apply the
> > [WB2019] optimizations to such fields, which is not at all obvious.
> > The paper only discusses the cases needed for BLS12-381 G1 (where
> > p = 3 (mod 4)), and G2 (a quadratic extension field where
> > p^2 = 9 (mod 16)).
> > The [reference
> > code](
> https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/tree/master/poc)
> > only has some of the optimizations for simplified SWU on fields where
> > p = 3 (mod 4), p = 5 (mod 8), and p^2 = 9 (mod 16).
> >
> > It took me a couple of days to work out the detail of other cases.
> > Therefore I think it is likely that the draft as it stands would lead
> > to many sub-optimal implementations. Also, in my opinion optimization
> > attempts will carry a great risk of introducing errors or
> > incompatibilities in corner cases (including some that are
> > exceptionally unlikely to be picked up in tests not focussed
> > specifically on those cases), with the specification as it stands.
> >
> > The description in the current draft also obscures the extent of the
> > performance advantage for the simplified SWU mapping, potentially
> > leading practitioners to make sub-optimal choices in protocol design.
> > By my estimates, an optimized constant-time simplified SWU
> > implementation can be at least 3 times faster than a constant-time
> > SW implementation. Some of the same optimization ideas could in
> > principle be applied to SW, but some cannot.
> >
> > ----
> >
> > All of the following assumes that F is a prime field. Again, it is
> > likely to be easily adaptable to extension fields but I haven't
> > checked it for that case.
> >
> > In order to obtain the speed-ups discussed above for arbitrary prime
> > fields, it's first necessary to change the interface to the square
> > root algorithm. We need an algorithm, that I'll call divsqrt, with
> > the following specification.
> >
> > Let h be a fixed nonsquare in F.
> >
> >    divsqrt(N: F, D: F \ {0}) -> (F, Bool):
> >        if N/D is square in F, return (sqrt(N/D), true)
> >        else return (sqrt(h * N/D), false).
> >
> > where sqrt returns an arbitrary choice of square root.
> >
> > It's possible to implement this specification in constant time
> > without computing two square roots or any explicit inversion. For
> > example this can be done using an adaptation of the algorithm in
> > [Sarkar2020](https://eprint.iacr.org/2020/1407), combined with
> > [BDL+12](https://cr.yp.to/papers.html#ed25519) section 5, and some
> > hints in [WB2019] section 4.2.
> >
> > A prototype specialized for n = 32 and the
> > [Pallas/Vesta](
> https://electriccoin.co/blog/the-pasta-curves-for-halo-2-and-beyond/)
> > curves is at https://github.com/zcash/pasta/squareroottab.sage .
> > I can provide an implementation that is not dependent on n if needed.
> > Note that this is also more efficient than the commonly used
> > Tonelli–Shanks, especially its constant-time variant.
> >
> > (That code does data-dependent look-ups, but could be modified to also
> > be resistant to cache-based side channel attacks by using smaller
> > tables and accessing all elements. [Sarkar2020] also has a variant
> > that doesn't use tables, and is still significantly faster than the
> > constant-time Tonelli–Shanks in Appendix I of the ID.)
> >
> > The overhead of handling the division in the square root, relative
> > to a plain sqrt using a similar algorithm, is just over n squarings
> > and log2(n) multiplications for F_p where p = 1 + m * 2^n. This is a
> > substantial saving over a constant-time inversion, which would take
> > around |p| squarings.
> >
> > Now given divsqrt, we can apply another optimization in section 4.2
> > of [WB2019] that avoids needing to test whether gx1 (using the notation
> > of the Internet Draft) is square. In brief: we first compute the
> > numerators and denominators for x1 = N/D and gx1 = U/V as in the
> > paper. If gx1 is not square, then we have sqrt(h * gx1); using a
> > precomputed square root of Z/h, we can calculate the numerators and
> > denominators of x2 and y2, without ever needing to calculate gx2.
> > The detail is explained in comments at
> > https://github.com/zcash/pasta/hashtocurve.sage .
> >
> > Note that the same procedure works for *all* short Weierstrass curves
> > to which simplified SWU is applicable. Therefore IMHO (and this is
> > the main point of this email), it may as well be included in the
> > description of the basic algorithm rather than presented as an
> > optimization — especially given that it is naturally constant time,
> > and the currently presented algorithm isn't!
> >
> > As far as I can see, there are only three potential arguments for not
> > making this change:
> >
> > * That divsqrt is more complicated than sqrt. This doesn't really
> >    hold up, because it is just as easy to implement divsqrt naively
> >    as it would be to implement the current map_to_curve naively.
> >
> > * That it's less obvious how this is derived from the original
> >    algorithm of [BCI+10](https://eprint.iacr.org/2009/340). But the
> >    current algorithm already diverges from that paper a little. What
> >    matters IMHO is that the algorithm is correct and its derivation
> >    is explained so that anyone with a mathematical background can
> >    check it.
> >
> > * That it would make the map_to_curve dependent on Jacobian coordinates,
> >    which might not be what an implementor wants to use in the rest of
> >    their code. But it is straightforward to also say how to obtain the
> >    output in homogeneous or affine coordinates.
> >
> > A naive constant-time implementation of a full hash_to_curve using the
> > simplified SWU algorithm from the draft takes 1001S + 168M + 4I for
> > the Pallas curve (a 255-bit non-pairing friendly curve with A = 0 and
> > a degree-3 isogeny from the curve on which hashing is performed).
> > With optimizations, it takes 577S + 150M and no inversions, if output
> > is in Jacobian coordinates.
> >
> > Aside: the current draft prohibits Z = -1. It is unclear why, since
> > that is exactly what [WB2019] uses for BLS12-381 G1.
> >
> > ----
> >
> > Another possible change I would suggest is in the method of choosing
> > the sign of the y-coordinate. (Unlike the optimizations discussed
> > above, this would actually change the map_to_curve function, and so
> > would probably need to be optional.) The current method involves
> > ensuring that the low bit of u (as named in the ID) is consistent
> > with the low bit of y.
> >
> > This is fine if we're on a conventional processor where taking the
> > low bit of a field element is cheap. However, it is unnecessarily
> > inefficient in the setting of an arithmetic circuit. To take the low
> > bit of a field element in that setting requires a full decomposition
> > of the value, with cost O(|p|). In an R1CS-based proof system that
> > requires one constraint per bit of p. In PLONK it requires one range
> > check (e.g. implemented using
> > [plookup](https://eprint.iacr.org/2020/315)) for each chunk of k bits
> > where k is limited by the circuit size.
> >
> > Since it is very cheap to check a square root in an arithmetic circuit
> > using nondeterminism, these bit decompositions become the major cost
> > bottleneck of hash-to-curve in a circuit.
> >
> > The following modification halves this cost for for arithmetic circuits
> > while not imposing significant overhead in other settings: simply
> > require that sgn0(u - y) = 0. This is not the same as requiring that
> > u and y have the same low bit, but it has a similar effect on the
> > distribution of y.
> >
> > Either for this modification or for the existing algorithm, it would
> > be desirable to have a proof that it suffices to use the low bit of u
> > (rather than using an extra random bit independent of u), since this
> > is not entirely obvious.
> >
> > ----
> >
> > I work for Electric Coin Company, but I'm not speaking for them here.
> >
> > None of the optimizations or changes discussed here are to my knowledge
> > affected by, or likely to be affected by, patents or other IP issues.
> >
> > --
> > Daira Hopwood
> >
> > _______________________________________________
> > CFRG mailing list
> > CFRG@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
> >
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>