Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

"Hao, Feng" <Feng.Hao@warwick.ac.uk> Sat, 10 April 2021 09:32 UTC

Return-Path: <Feng.Hao@warwick.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1DC93A2B5E for <cfrg@ietfa.amsl.com>; Sat, 10 Apr 2021 02:32:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pfqAJ0irb_lV for <cfrg@ietfa.amsl.com>; Sat, 10 Apr 2021 02:32:31 -0700 (PDT)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2065.outbound.protection.outlook.com [40.107.21.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F25BE3A2B5A for <cfrg@irtf.org>; Sat, 10 Apr 2021 02:32:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UBVegb2dgyXIiFVUVZSqEouqniplOkPG1O+nM6vKAQ1q2b/QwTvseftDJlCZnvo5P2VCmqbCEXFrlaHOCF9NJZtuBpIODI5NBtKovhwTmYifONoO8NXnq1/xOLf/RDsgGFO6uxYQFjNngmx+SZVyua+BwYdmsZ353MUuRL+KWopiJMVBvl5aUBM4F0jrzgo4yHKsyMSSJvCs7JbxW/QkzsgeOydkXLwkYkYbMbmdGvp5OEfmz+N1PaEUurIcb0cf449BjeA3V4P5Xsrz5+uyGyTa62L3wue8L0P4fptRLW4u4ZJcblokskiFf3+NyMY3Kvwg58O/UZ8QktYDzR9sGg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5tcZpmaq2aGc2E1oX976OGMs3xrrNBq87lcCniDbirQ=; b=QOLeXvJJ35KMmTxJ1jRGP2tV6vIQiwZOHxwIZnmylgLjPJdcySKQTWeuX5koHQL91IhZ+yzMvgPVR1fT6K6b1JhMX9KG7tQVqd/moRDeLrdJmldom84TRGJXkavnB137TS42QmFysPBzI8zQX7waioHt4Ip0+ybsV9TWKegeRIBXJrm8IIvpyJd46raaFP2E5MTdEOu+BuX4+TNpvtcvfO49EyS3davYLs6ouT3nMQzNpZBCKdrIMz0oeKYiBkapxeWS42PBRKtjL/c7OipL+QENy/c3zpuPghFeTzEUkCASTQgEb8RMObEY1Mbv2RGd03//nw1CFmDFvmbaBohKzw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=warwick.ac.uk; dmarc=pass action=none header.from=warwick.ac.uk; dkim=pass header.d=warwick.ac.uk; arc=none
Received: from VI1SPR01MB0357.eurprd01.prod.exchangelabs.com (2603:10a6:803:8d::12) by VI1PR0101MB2479.eurprd01.prod.exchangelabs.com (2603:10a6:800:58::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4020.21; Sat, 10 Apr 2021 09:32:24 +0000
Received: from VI1SPR01MB0357.eurprd01.prod.exchangelabs.com ([fe80::5865:9e5a:626f:8953]) by VI1SPR01MB0357.eurprd01.prod.exchangelabs.com ([fe80::5865:9e5a:626f:8953%4]) with mapi id 15.20.3999.032; Sat, 10 Apr 2021 09:32:24 +0000
From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: Mike Hamburg <mike@shiftleft.org>
CC: CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
Thread-Index: AQHXLUZyltFEkNrErU2XoZAaYPSJsKqsrj2AgAANMx6AACTDAIAAhZzV
Date: Sat, 10 Apr 2021 09:32:24 +0000
Message-ID: <VI1SPR01MB03574E592790FD59C1ACEB84D6729@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com>
References: <e270e62d-941d-0a87-7dc9-cf80f73b5aeb@jacaranda.org> <d0778523-5f5d-4327-b795-279918c1899c@www.fastmail.com> <CAMr0u6=PBX1W5zQFmpxKQ=ViUXN9QK00BREL4M0=2HOkaXaiZw@mail.gmail.com> <VI1SPR01MB03573585C37B871D200ECC23D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <trinity-f323065e-9f30-48fd-9ead-0865e8f877eb-1618002469856@3c-app-webde-bap03> <VI1SPR01MB035772443E4DA3206E4CD4D3D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com>, <7944D4F1-81F8-44FC-95D1-45D47733B385@shiftleft.org>
In-Reply-To: <7944D4F1-81F8-44FC-95D1-45D47733B385@shiftleft.org>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: shiftleft.org; dkim=none (message not signed) header.d=none;shiftleft.org; dmarc=none action=none header.from=warwick.ac.uk;
x-originating-ip: [86.1.162.194]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 309895b2-15cc-461e-9fee-08d8fc038c92
x-ms-traffictypediagnostic: VI1PR0101MB2479:
x-microsoft-antispam-prvs: <VI1PR0101MB247913DF474715F2F53CB4B0D6729@VI1PR0101MB2479.eurprd01.prod.exchangelabs.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: E8VLGkYAYKdxFJ1dZA0xLySL4KoUEmHlAb2reLugmPks6Pelu5PD4opMqxf4F6xwoNj6RySfc12zgpoULdt6QEInp7JHWxHH0lvgkJ4ZTfdTOUMDNYdZRx3esY+5lez9087tJng/fGqBIrS3Ak92JTml/CvO2gOJfE/CU4H6ATvmBYUoIPOzaFa4Yn6F8RmDSpbYxqyFyPqQBYx0al4L/L+n1rqfhzaBQQp59vWFaeSipwAAqaQU7obWPZjBKgaLYgaEuebj/jtzFDXI6lGxduYW2aaJ2bM4KEKXKQYTn4E1AL2Vds1SjCXZihB4OZabAXnWPiMuSEGpJfdTQycWvV6fyZ95BVfEcL1EB1J2paZ/Cr59a1Rj/kQa0VVkYog4HhWC1D6y1A0OE63x8Fih2wxoJXc2hwQA1qHjTwAmBmZ8QKbluEdJ2Sv6vyhpGCz/omHDfmPz8lgFyxvdgKPhhZ6RB7/Cx0yMWs6XOnPG9TMLTs3AkrenIozoZWpWIGt702gjM7pe5lHyWgAXnUpNg4swskfs6r97/uadm4eNM0Tj4oeYj4HdnM32WG6ugRBUlxr2arcO6oZszmzDT1qAFAS0h5X2a3tw1nyxx8BkfZOVxdztph86oHW/8zlxZhTdiGX78wrFbiNWTcHIaX/11ERXxTZFNpHLpTV03uZrHJFySPR2EiR9wdQHZPlDSV3l
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1SPR01MB0357.eurprd01.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(366004)(136003)(396003)(39860400002)(376002)(83380400001)(966005)(33656002)(166002)(66556008)(786003)(76116006)(478600001)(6916009)(316002)(8936002)(55016002)(4326008)(38100700002)(5660300002)(8676002)(2906002)(9326002)(86362001)(71200400001)(9686003)(6506007)(7696005)(91956017)(52536014)(26005)(66476007)(64756008)(66946007)(66446008)(186003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: F6LArhqxB6BCgwjCIKlrW9i1QlISUcUXMM5yDZox1eSSlBAH3O3QIs7RKuGMrXpgsUJ5eb/PaHJpMOOwv9FA78R8RHboqNK681lZkCnkEhu8bFNvHciaTmxaa/MY/le2mMxYjFrT6A4lhmdoPf8KDAIYIIoYTzGkOIIaBzvf5S1eoZELHE259GAM9wdGmYQLNVvm09KDHx0CPL1tMc9uz6r+1PWovosQEqr1qpNioBks5GOVC8dhAXzPFsGKKFCGX+t6VmzDHiblVGFtfdiXAlz0Tn3Fj+w2dgD0ZWGaegbylSW/CoL0wQFhciwwNOoFmja/4pgrtc7kSddSGhErZQ31Lq8RBIM1fW5SlwHITGMFr3oyya+x5oXJne33oz/E0Zr+LPi4IMVarPFUrjDve3bYsVk8OqRk9NXlQtyMI16m+tenkRMySkusb++XnnrVGUMELI5O6sH0jVi8QXLqh3onSt2PiFWXjF31rdUh+ksmtQk8zf20+DieLAm2en+aUvOmr8BegQW2EoIf1VAbk5V9aBAgWP80aQnItMpyzHVd8/uAyswv98h3M8pCDQX+qXXZHQbQysPEgB6D2AV4e4cH0B6QKS6TNl6wdPLRgI6d8aRGjS+O5fsDjp6Q/pwP8DKgsOzHbXwQZABlsM3MvP+/a59l8jyG62RNJok8JDZJdC6RRuxDf45hGyOG/RcWVyQKhKrKnGKLPSQ6rZjW3FYCzU5d1G3YpPB3GFosMVSod0uUK2kYLTi8CtNjoeUpFsH1b4TKz4HsjVn2s5RDDX42kex/liOOeaxDWvK54m0nHrCtcTVqbfMkAlszxb7Zp6lQwRccqaWnazc27XTFhy10dYPb4+67vBlnY/4nRqojlQt9SMVW3/Q4NoUUpLrW4hjfJTgkemE/yvh8urokAQffeoD1D3Uok9/mawJmtdz+fZY18hmusb6pJA5jBiI8Won5fXK9nMpWk3y8WQgGp5fzn72XOxJK/kNjfmNmBKNWX0wED+dX2qCtesBd6MIifRsuyaQLPjjyKaTVeTvObXl1R1Xo4sAAzB6rOiKatuvLpF6puBMsvO+2IvN6I42sAFqcNKNPOTLKOk/V6SAtSGfF66fzw8jEemBgIhPdEUD8wBt/cPHgWGUVafiXXG/1nepMm674BXeOLjk2qxZJEl5PCVhmMJU2IzG+a4qm8G4cspln5GpfjhjWfb8SGl3Ju7sSayfCuFRZkASVAfKN+rkgkdtG4b56elOjq9CP2bjET44uFiaCxlTwBJdIhXKUaponkVIzhWuwCnljBGfLPUhosOYBCkRc8ICMojTs9lnFbE3pVrUh0/+YLZfb7kgVeH0GR8dfjn6nBIVVS3x8bQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_VI1SPR01MB03574E592790FD59C1ACEB84D6729VI1SPR01MB0357eu_"
MIME-Version: 1.0
X-OriginatorOrg: warwick.ac.uk
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: VI1SPR01MB0357.eurprd01.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 309895b2-15cc-461e-9fee-08d8fc038c92
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Apr 2021 09:32:24.4876 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: lMSnHhHQl6aVl93W/mgkhGPW7hVDKf+qx7jq1CoZuCnbhb09gWoUfFJVz+tgU7zvaJdBCiTdcC+vUnyst/M0XYE0QL55YtD+036BLvkRUeM=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0101MB2479
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/qwgl710j73FFeKhmVzcPOIfL7NA>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Apr 2021 09:32:36 -0000

Hi Mike,



  *   Have you considered what happens in CPace if Alice’s SampleScalar() function returns 7?  I’m following the notation of https://eprint.iacr.org/2021/114.pdf. In this case, the password will be vulnerable to a dictionary attack: the key K will be 7*Y_b, which an attacker can quickly detect by checking whether

Rsw also gave a similar example of having all zeros for the hash. Let me clarify that we are not – and shouldn’t be - concerned with any of such cases since the values are uniformly distributed within their respective range.

What we are discussing here is structural analysis of a PAKE system with the hash-to-curve being included as a building block. What the map-to-curve function permits in the output is a class of special data structures that fall into a small subgroup. Therefore, it’s necessary to analyse the effect of this class of data to the overall PAKE system.  As I explained, as soon as map-to-curve returns a small subgroup point, it will instantly cause the password in CPace/OPAQUE (PAK as well) to be compromised by offline dictionary attacks. There is nothing you can do at the protocol level to save it.


  *   On a more theoretical note, the hash_to_curve function aims to implement an object which has been studied in the literature, and which is used by several cryptosystems and protocols: for some serializable set S, a function S -> G which acts as closely as possible to a random oracle.  In particular, hash_to_curve is designed to be epsilon-indifferentiable from a random oracle with that signature, in the model that the underlying hash is a random oracle.

Published papers on hash-to-curve define the problem in their own (general) context. This is the first time (I think) we discuss it in the specific context of a PAKE use case with concrete PAKE choices.

I think a major misconception here is that many people may think the use of clearing-the-co-factor step has resolved the small sub-group issue. But that is not true. The clear-the-co-factor step merely changes small subgroup points to infinity points. For the simplicity of discussion, we can remove this step without affecting our analysis at all.

On a theoretical note, be reminded that DDH only holds for non-identity elements in a designated prime-order group on an elliptic curve. When you have small subgroup elements mixed, DDH doesn’t hold. It’s a tiny difference in the group definition, but it can have a significant theoretical effect.


  *   Furthermore, while your proposal is arguably a tiny improvement for SPEKE / CPace, and perhaps even for OPAQUE, it’s also a negligible step backwards for PAK and its variants  (if I recall correctly), since their proof uses the uniformity of the hash-to-curve map.  The same likely holds for other systems.  And it complicates the definition and implementation of hash_to_curve.

About “uniformity”, I think we can try to be more precise: uniformity in what group? With the current map-to-curve functions, the uniformity of the output covers the whole curve, including small subgroup elements. It’s exactly the mixing up with such elements that complicates things.


  *   So I would prefer that we stick here with something that’s been studied and which is already built.

Suppose we keep the draft as it is and only add a note in the security consideration to explain this. What can we possibly say?

One might add a warning to say map-to-curve returns uniformly distributed points on the curve, including small subgroup points. The mapping to small subgroup points is theoretically possible, but statistically unlikely. We don’t know how to remove these points in constant time. However, we have applied co-factor-clearing to turn small subgroup points to infinity points. That doesn’t actually change anything though and we still don’t know how to remove the infinity points in constant time. Therefore, we leave it to the upper layer protocol to decide how to deal with the infinity points.

On the other hand, from the perspective of a higher layer protocol (say CPace, OPAQUE and PAK), it’s simply impossible to handle the exception. As soon as map-to-curve hits the small subgroup, the password in a PAKE system will be compromised. Therefore, the above warning is self-defeating and not meaningful.

Moving forward, I think the best solution is to preclude the small subgroup elements from the map-to-curve function by design. If this can’t be done, or people don’t want to spend efforts to change the current draft, one solution might be to say only the functions defined for certain elliptic curves where co-factor = 1 should be used for PAKE. However, that will significantly limit the usefulness of this draft for the PAKE use case.