Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
"Hao, Feng" <Feng.Hao@warwick.ac.uk> Sat, 10 April 2021 09:32 UTC
Return-Path: <Feng.Hao@warwick.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1DC93A2B5E for <cfrg@ietfa.amsl.com>; Sat, 10 Apr 2021 02:32:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pfqAJ0irb_lV for <cfrg@ietfa.amsl.com>; Sat, 10 Apr 2021 02:32:31 -0700 (PDT)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2065.outbound.protection.outlook.com [40.107.21.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F25BE3A2B5A for <cfrg@irtf.org>; Sat, 10 Apr 2021 02:32:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UBVegb2dgyXIiFVUVZSqEouqniplOkPG1O+nM6vKAQ1q2b/QwTvseftDJlCZnvo5P2VCmqbCEXFrlaHOCF9NJZtuBpIODI5NBtKovhwTmYifONoO8NXnq1/xOLf/RDsgGFO6uxYQFjNngmx+SZVyua+BwYdmsZ353MUuRL+KWopiJMVBvl5aUBM4F0jrzgo4yHKsyMSSJvCs7JbxW/QkzsgeOydkXLwkYkYbMbmdGvp5OEfmz+N1PaEUurIcb0cf449BjeA3V4P5Xsrz5+uyGyTa62L3wue8L0P4fptRLW4u4ZJcblokskiFf3+NyMY3Kvwg58O/UZ8QktYDzR9sGg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5tcZpmaq2aGc2E1oX976OGMs3xrrNBq87lcCniDbirQ=; b=QOLeXvJJ35KMmTxJ1jRGP2tV6vIQiwZOHxwIZnmylgLjPJdcySKQTWeuX5koHQL91IhZ+yzMvgPVR1fT6K6b1JhMX9KG7tQVqd/moRDeLrdJmldom84TRGJXkavnB137TS42QmFysPBzI8zQX7waioHt4Ip0+ybsV9TWKegeRIBXJrm8IIvpyJd46raaFP2E5MTdEOu+BuX4+TNpvtcvfO49EyS3davYLs6ouT3nMQzNpZBCKdrIMz0oeKYiBkapxeWS42PBRKtjL/c7OipL+QENy/c3zpuPghFeTzEUkCASTQgEb8RMObEY1Mbv2RGd03//nw1CFmDFvmbaBohKzw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=warwick.ac.uk; dmarc=pass action=none header.from=warwick.ac.uk; dkim=pass header.d=warwick.ac.uk; arc=none
Received: from VI1SPR01MB0357.eurprd01.prod.exchangelabs.com (2603:10a6:803:8d::12) by VI1PR0101MB2479.eurprd01.prod.exchangelabs.com (2603:10a6:800:58::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4020.21; Sat, 10 Apr 2021 09:32:24 +0000
Received: from VI1SPR01MB0357.eurprd01.prod.exchangelabs.com ([fe80::5865:9e5a:626f:8953]) by VI1SPR01MB0357.eurprd01.prod.exchangelabs.com ([fe80::5865:9e5a:626f:8953%4]) with mapi id 15.20.3999.032; Sat, 10 Apr 2021 09:32:24 +0000
From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: Mike Hamburg <mike@shiftleft.org>
CC: CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
Thread-Index: AQHXLUZyltFEkNrErU2XoZAaYPSJsKqsrj2AgAANMx6AACTDAIAAhZzV
Date: Sat, 10 Apr 2021 09:32:24 +0000
Message-ID: <VI1SPR01MB03574E592790FD59C1ACEB84D6729@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com>
References: <e270e62d-941d-0a87-7dc9-cf80f73b5aeb@jacaranda.org> <d0778523-5f5d-4327-b795-279918c1899c@www.fastmail.com> <CAMr0u6=PBX1W5zQFmpxKQ=ViUXN9QK00BREL4M0=2HOkaXaiZw@mail.gmail.com> <VI1SPR01MB03573585C37B871D200ECC23D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <trinity-f323065e-9f30-48fd-9ead-0865e8f877eb-1618002469856@3c-app-webde-bap03> <VI1SPR01MB035772443E4DA3206E4CD4D3D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com>, <7944D4F1-81F8-44FC-95D1-45D47733B385@shiftleft.org>
In-Reply-To: <7944D4F1-81F8-44FC-95D1-45D47733B385@shiftleft.org>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: shiftleft.org; dkim=none (message not signed) header.d=none;shiftleft.org; dmarc=none action=none header.from=warwick.ac.uk;
x-originating-ip: [86.1.162.194]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 309895b2-15cc-461e-9fee-08d8fc038c92
x-ms-traffictypediagnostic: VI1PR0101MB2479:
x-microsoft-antispam-prvs: <VI1PR0101MB247913DF474715F2F53CB4B0D6729@VI1PR0101MB2479.eurprd01.prod.exchangelabs.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: E8VLGkYAYKdxFJ1dZA0xLySL4KoUEmHlAb2reLugmPks6Pelu5PD4opMqxf4F6xwoNj6RySfc12zgpoULdt6QEInp7JHWxHH0lvgkJ4ZTfdTOUMDNYdZRx3esY+5lez9087tJng/fGqBIrS3Ak92JTml/CvO2gOJfE/CU4H6ATvmBYUoIPOzaFa4Yn6F8RmDSpbYxqyFyPqQBYx0al4L/L+n1rqfhzaBQQp59vWFaeSipwAAqaQU7obWPZjBKgaLYgaEuebj/jtzFDXI6lGxduYW2aaJ2bM4KEKXKQYTn4E1AL2Vds1SjCXZihB4OZabAXnWPiMuSEGpJfdTQycWvV6fyZ95BVfEcL1EB1J2paZ/Cr59a1Rj/kQa0VVkYog4HhWC1D6y1A0OE63x8Fih2wxoJXc2hwQA1qHjTwAmBmZ8QKbluEdJ2Sv6vyhpGCz/omHDfmPz8lgFyxvdgKPhhZ6RB7/Cx0yMWs6XOnPG9TMLTs3AkrenIozoZWpWIGt702gjM7pe5lHyWgAXnUpNg4swskfs6r97/uadm4eNM0Tj4oeYj4HdnM32WG6ugRBUlxr2arcO6oZszmzDT1qAFAS0h5X2a3tw1nyxx8BkfZOVxdztph86oHW/8zlxZhTdiGX78wrFbiNWTcHIaX/11ERXxTZFNpHLpTV03uZrHJFySPR2EiR9wdQHZPlDSV3l
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1SPR01MB0357.eurprd01.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(366004)(136003)(396003)(39860400002)(376002)(83380400001)(966005)(33656002)(166002)(66556008)(786003)(76116006)(478600001)(6916009)(316002)(8936002)(55016002)(4326008)(38100700002)(5660300002)(8676002)(2906002)(9326002)(86362001)(71200400001)(9686003)(6506007)(7696005)(91956017)(52536014)(26005)(66476007)(64756008)(66946007)(66446008)(186003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: F6LArhqxB6BCgwjCIKlrW9i1QlISUcUXMM5yDZox1eSSlBAH3O3QIs7RKuGMrXpgsUJ5eb/PaHJpMOOwv9FA78R8RHboqNK681lZkCnkEhu8bFNvHciaTmxaa/MY/le2mMxYjFrT6A4lhmdoPf8KDAIYIIoYTzGkOIIaBzvf5S1eoZELHE259GAM9wdGmYQLNVvm09KDHx0CPL1tMc9uz6r+1PWovosQEqr1qpNioBks5GOVC8dhAXzPFsGKKFCGX+t6VmzDHiblVGFtfdiXAlz0Tn3Fj+w2dgD0ZWGaegbylSW/CoL0wQFhciwwNOoFmja/4pgrtc7kSddSGhErZQ31Lq8RBIM1fW5SlwHITGMFr3oyya+x5oXJne33oz/E0Zr+LPi4IMVarPFUrjDve3bYsVk8OqRk9NXlQtyMI16m+tenkRMySkusb++XnnrVGUMELI5O6sH0jVi8QXLqh3onSt2PiFWXjF31rdUh+ksmtQk8zf20+DieLAm2en+aUvOmr8BegQW2EoIf1VAbk5V9aBAgWP80aQnItMpyzHVd8/uAyswv98h3M8pCDQX+qXXZHQbQysPEgB6D2AV4e4cH0B6QKS6TNl6wdPLRgI6d8aRGjS+O5fsDjp6Q/pwP8DKgsOzHbXwQZABlsM3MvP+/a59l8jyG62RNJok8JDZJdC6RRuxDf45hGyOG/RcWVyQKhKrKnGKLPSQ6rZjW3FYCzU5d1G3YpPB3GFosMVSod0uUK2kYLTi8CtNjoeUpFsH1b4TKz4HsjVn2s5RDDX42kex/liOOeaxDWvK54m0nHrCtcTVqbfMkAlszxb7Zp6lQwRccqaWnazc27XTFhy10dYPb4+67vBlnY/4nRqojlQt9SMVW3/Q4NoUUpLrW4hjfJTgkemE/yvh8urokAQffeoD1D3Uok9/mawJmtdz+fZY18hmusb6pJA5jBiI8Won5fXK9nMpWk3y8WQgGp5fzn72XOxJK/kNjfmNmBKNWX0wED+dX2qCtesBd6MIifRsuyaQLPjjyKaTVeTvObXl1R1Xo4sAAzB6rOiKatuvLpF6puBMsvO+2IvN6I42sAFqcNKNPOTLKOk/V6SAtSGfF66fzw8jEemBgIhPdEUD8wBt/cPHgWGUVafiXXG/1nepMm674BXeOLjk2qxZJEl5PCVhmMJU2IzG+a4qm8G4cspln5GpfjhjWfb8SGl3Ju7sSayfCuFRZkASVAfKN+rkgkdtG4b56elOjq9CP2bjET44uFiaCxlTwBJdIhXKUaponkVIzhWuwCnljBGfLPUhosOYBCkRc8ICMojTs9lnFbE3pVrUh0/+YLZfb7kgVeH0GR8dfjn6nBIVVS3x8bQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_VI1SPR01MB03574E592790FD59C1ACEB84D6729VI1SPR01MB0357eu_"
MIME-Version: 1.0
X-OriginatorOrg: warwick.ac.uk
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: VI1SPR01MB0357.eurprd01.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 309895b2-15cc-461e-9fee-08d8fc038c92
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Apr 2021 09:32:24.4876 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: lMSnHhHQl6aVl93W/mgkhGPW7hVDKf+qx7jq1CoZuCnbhb09gWoUfFJVz+tgU7zvaJdBCiTdcC+vUnyst/M0XYE0QL55YtD+036BLvkRUeM=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0101MB2479
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/qwgl710j73FFeKhmVzcPOIfL7NA>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Apr 2021 09:32:36 -0000
Hi Mike, * Have you considered what happens in CPace if Alice’s SampleScalar() function returns 7? I’m following the notation of https://eprint.iacr.org/2021/114.pdf. In this case, the password will be vulnerable to a dictionary attack: the key K will be 7*Y_b, which an attacker can quickly detect by checking whether Rsw also gave a similar example of having all zeros for the hash. Let me clarify that we are not – and shouldn’t be - concerned with any of such cases since the values are uniformly distributed within their respective range. What we are discussing here is structural analysis of a PAKE system with the hash-to-curve being included as a building block. What the map-to-curve function permits in the output is a class of special data structures that fall into a small subgroup. Therefore, it’s necessary to analyse the effect of this class of data to the overall PAKE system. As I explained, as soon as map-to-curve returns a small subgroup point, it will instantly cause the password in CPace/OPAQUE (PAK as well) to be compromised by offline dictionary attacks. There is nothing you can do at the protocol level to save it. * On a more theoretical note, the hash_to_curve function aims to implement an object which has been studied in the literature, and which is used by several cryptosystems and protocols: for some serializable set S, a function S -> G which acts as closely as possible to a random oracle. In particular, hash_to_curve is designed to be epsilon-indifferentiable from a random oracle with that signature, in the model that the underlying hash is a random oracle. Published papers on hash-to-curve define the problem in their own (general) context. This is the first time (I think) we discuss it in the specific context of a PAKE use case with concrete PAKE choices. I think a major misconception here is that many people may think the use of clearing-the-co-factor step has resolved the small sub-group issue. But that is not true. The clear-the-co-factor step merely changes small subgroup points to infinity points. For the simplicity of discussion, we can remove this step without affecting our analysis at all. On a theoretical note, be reminded that DDH only holds for non-identity elements in a designated prime-order group on an elliptic curve. When you have small subgroup elements mixed, DDH doesn’t hold. It’s a tiny difference in the group definition, but it can have a significant theoretical effect. * Furthermore, while your proposal is arguably a tiny improvement for SPEKE / CPace, and perhaps even for OPAQUE, it’s also a negligible step backwards for PAK and its variants (if I recall correctly), since their proof uses the uniformity of the hash-to-curve map. The same likely holds for other systems. And it complicates the definition and implementation of hash_to_curve. About “uniformity”, I think we can try to be more precise: uniformity in what group? With the current map-to-curve functions, the uniformity of the output covers the whole curve, including small subgroup elements. It’s exactly the mixing up with such elements that complicates things. * So I would prefer that we stick here with something that’s been studied and which is already built. Suppose we keep the draft as it is and only add a note in the security consideration to explain this. What can we possibly say? One might add a warning to say map-to-curve returns uniformly distributed points on the curve, including small subgroup points. The mapping to small subgroup points is theoretically possible, but statistically unlikely. We don’t know how to remove these points in constant time. However, we have applied co-factor-clearing to turn small subgroup points to infinity points. That doesn’t actually change anything though and we still don’t know how to remove the infinity points in constant time. Therefore, we leave it to the upper layer protocol to decide how to deal with the infinity points. On the other hand, from the perspective of a higher layer protocol (say CPace, OPAQUE and PAK), it’s simply impossible to handle the exception. As soon as map-to-curve hits the small subgroup, the password in a PAKE system will be compromised. Therefore, the above warning is self-defeating and not meaningful. Moving forward, I think the best solution is to preclude the small subgroup elements from the map-to-curve function by design. If this can’t be done, or people don’t want to spend efforts to change the current draft, one solution might be to say only the functions defined for certain elliptic curves where co-factor = 1 should be used for PAKE. However, that will significantly limit the usefulness of this draft for the PAKE use case.
- [CFRG] Comment on draft-irtf-cfrg-hash-to-curve-10 Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Christopher Wood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Stanislav V. Smyshlyaev
- [CFRG] Small subgroup question for draft-irtf-cfr… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Russ Housley
- Re: [CFRG] Small subgroup question for draft-irtf… Richard Outerbridge
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Armando Faz
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- Re: [CFRG] Small subgroup question for draft-irtf… Björn Haase
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- [CFRG] please use real names (was: Re: Small subg… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Hugo Krawczyk
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Watson Ladd
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Watson Ladd
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Riad S. Wahby
- Re: [CFRG] please use real names (was: Re: Small … Filippo Valsorda
- Re: [CFRG] please use real names (was: Re: Small … Scott Arciszewski
- Re: [CFRG] please use real names (was: Re: Small … Daniel Franke
- Re: [CFRG] please use real names (was: Re: Small … Watson Ladd
- Re: [CFRG] please use real names (was: Re: Small … Michael StJohns
- Re: [CFRG] please use real names (was: Re: Small … Henry de Valence
- Re: [CFRG] please use real names (was: Re: Small … Dan Harkins
- Re: [CFRG] Small subgroup question for draft-irtf… Hugo Krawczyk
- Re: [CFRG] please use real names (was: Re: Small … Peter Gutmann
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Squeamish Ossifrage
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Small subgroup question for draft-irtf… Stanislav V. Smyshlyaev
- Re: [CFRG] Small subgroup question for draft-irtf… Björn Haase
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Daniel Franke
- Re: [CFRG] please use real names (was: Re: Small … Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Colin Perkins
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] please use real names (was: Re: Small … Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Michael StJohns
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Michael Sierchio
- [CFRG] Closure (was Re: Small subgroup question f… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Phillip Hallam-Baker
- Re: [CFRG] please use real names (was: Re: Small … Peter Gutmann
- Re: [CFRG] please use real names (was: Re: Small … David Jacobson
- Re: [CFRG] please use real names (was: Re: Small … Julia Hesse
- Re: [CFRG] Closure (was Re: Small subgroup questi… Armando Faz
- Re: [CFRG] Closure (was Re: Small subgroup questi… Hao, Feng
- Re: [CFRG] Closure (was Re: Small subgroup questi… Mike Hamburg
- Re: [CFRG] thoughts on clearing the cofactor in h… Loup Vaillant-David
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Stanislav V. Smyshlyaev
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Riad S. Wahby
- [CFRG] (suggested language re mixing square roots… Rene Struik
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Loup Vaillant-David
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] (suggested language re mixing square r… Daira Hopwood
- Re: [CFRG] (suggested language re mixing square r… Rene Struik
- Re: [CFRG] please use real names (was: Re: Small … isis agora lovecruft