IETF Logo Mail Archive

Re: [Cfrg] Recommended bit length before truncating a hash mod p

Markku-Juhani Olavi Saarinen <mjos@iki.fi> Fri, 22 March 2019 10:38 UTC

Return-Path: <mjos.crypto@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CBC61200B3 for <cfrg@ietfa.amsl.com>; Fri, 22 Mar 2019 03:38:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PqgC65I_MONw for <cfrg@ietfa.amsl.com>; Fri, 22 Mar 2019 03:38:56 -0700 (PDT)
Received: from mail-ed1-f67.google.com (mail-ed1-f67.google.com [209.85.208.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C91A1130DE7 for <cfrg@irtf.org>; Fri, 22 Mar 2019 03:38:55 -0700 (PDT)
Received: by mail-ed1-f67.google.com with SMTP id h22so1252493edw.7 for <cfrg@irtf.org>; Fri, 22 Mar 2019 03:38:55 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=7M7X6Qhng//IOtlMuPSgDafRuAhP1HX2SzeO3qWwW7U=; b=pV1J116otiPpotW1OP6aJBVYyQeNdl0WtbahgSbAHjd5RR1780Hpm9KQlWlIRZ5boM /QCt4ouyac0xNNVMo5kVf2uLm8kvPVzZjjAG+H7YLwL9m5nDfcHqVOnVWftYIuCWI+v1 ufxmxx5kfp6ZatcYK5xgNb8ER5MOBJgEJ3NeyZqoGo4RM4zyGJcApG1ZhmDc6tb0X4Bf AD8PpPFlW2SUt6YPly0RwTIEv85ULREbHURquo/y82qp15tQCldcVVWVc9idUp4ebOEN EXTJaLJRSMobmGLvFXc4OOk5rnXR4ZEQgds2uahAKGVSztn+BlhVeMOv+1e9Vbp95iXL Ht7Q==
X-Gm-Message-State: APjAAAU27YkehZcL1igSiLyCfqDKmGtZz1Yud8W+dF232rRpH4xca1gq +Cxpc8H0zghJJNfQTtGDyN8yaUG5gKVVCEmlYy4=
X-Google-Smtp-Source: APXvYqxyNHnGdW9+C5T257qic7thVAS+76KLem7IOrLKq+FfPEBC2GnVZmd24Rg0MR1bOSr+B9IhUs2hFqNlvJZY2vc=
X-Received: by 2002:a50:aa4e:: with SMTP id p14mr772243edc.59.1553251134284; Fri, 22 Mar 2019 03:38:54 -0700 (PDT)
MIME-Version: 1.0
References: <mailman.3617.1553248218.6143.cfrg@irtf.org> <CALNOPK+SmbcVHz49D1ZUV8cdq81YEUn5Xrmn4kB3dftrV7Ygbg@mail.gmail.com>
In-Reply-To: <CALNOPK+SmbcVHz49D1ZUV8cdq81YEUn5Xrmn4kB3dftrV7Ygbg@mail.gmail.com>
From: Markku-Juhani Olavi Saarinen <mjos@iki.fi>
Date: Fri, 22 Mar 2019 10:38:42 +0000
Message-ID: <CA+iU_qkh1qOyxm6j0gjy28wP4QMbX5GBmsPZ082etB7nCW2Kjg@mail.gmail.com>
To: David Núñez <david@nucypher.com>
Cc: cfrg@irtf.org, christopherwood07@gmail.com, madalier@antarateknik.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/puXQpsNdky2ietYcevQEbixfrvw>
Subject: Re: [Cfrg] Recommended bit length before truncating a hash mod p
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2019 10:38:58 -0000

Hi,

Some notes since this is a standardization forum:

- It is generally not advisable to say "Keccak" when you mean SHA3.
The padding mechanism was slightly changed from the "final competition
round" Keccak 3.0 proposal to FIPS 202, making the two incompatible.
Some cryptocurrencies (e.g. Monero) actually use the obsolete
pre-standardization version and talk of "Keccak" when they refer to
it.
- FIPS 202 defines not only an actual SHA3-512 but also
Extendable-Output Functions (XOFs) that allow hashes of any output
size. The source code link provides a ExtendedKeccak(Hash) method
which is a "doubly standard-violating" ad hoc construction, having
nothing to do with the faster, standardized XOFs (SHAKE128 and
SHAK256).

Cheers,
- markku

Dr. Markku-Juhani O. Saarinen <mjos@iki.fi>

On Fri, Mar 22, 2019 at 10:13 AM David Núñez <david@nucypher.com> wrote:
>
> Hi Christopher,
> for this exact problem, we follow the approach described by Mehmet:
>
> Hash512(x) = Hash256(0||x) || Hash256(1||x)
>
> This way we can take up to 512 bits using a 256-bit hash function. You can find an example implementation of this (for Keccak256) here:
> https://github.com/nucypher/pyUmbral/blob/master/umbral/random_oracles.py#L84
>
> Regards,
> David
>
>>
>> ---------- Forwarded message ----------
>> From: Mehmet Adalier <madalier@antarateknik.com>
>> To: Christopher Wood <christopherwood07@gmail.com>, <cfrg@irtf.org>
>> Cc:
>> Bcc:
>> Date: Thu, 21 Mar 2019 19:11:47 -0700
>> Subject: Re: [Cfrg] Recommended bit length before truncating a hash mod p
>> Would this work?
>>
>> 1) generate two hashes with two different x values,
>> 2) concatenate the two outputs
>> 3) take however many high order bits you need (with at least 64 additional bits per spec)
>>
>> In our regular P256 implementation we use a 512-bit value before we perform reduction.
>>
>> mA
>>
>> On 3/21/19, 6:20 PM, "Cfrg on behalf of Christopher Wood" <cfrg-bounces@irtf.org on behalf of christopherwood07@gmail.com> wrote:
>>
>>     Hi folks,
>>
>>     In draft-irtf-cfrg-hash-to-curve, we define a utility function called
>>     `hash2base` as follows [1]:
>>
>>     ~~~
>>     hash2base(x).  This method is parametrized by p and H, where p is the
>>     prime order of the base field Fp, and H is a cryptographic hash
>>     function which outputs at least floor(log2(p)) + 1 bits.  The function
>>     first hashes x, converts the result to an integer, and reduces modulo
>>     p to give an element of Fp.  We provide a more detailed algorithm in
>>     Appendix C.7.
>>     ~~~
>>
>>     Some existing standards [2] recommend taking at least log2(p) + 64
>>     bits “so that bias produced by the mod function … is negligible.” If
>>     we were to follow this guidance for hash2curve, we’d lose out on
>>     several ciphersuite combinations, such as P-256 and Curve25519 with
>>     SHA256.
>>
>>     So, our question to the group is, how many extra bits are necessary?
>>
>>     Thanks,
>>     Chris
>>
>>     [1] https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-03#section-4
>>     [2] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf
>>
>>     _______________________________________________
>>     Cfrg mailing list
>>     Cfrg@irtf.org
>>     https://www.irtf.org/mailman/listinfo/cfrg
>>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email