Re: [Cfrg] Recommended bit length before truncating a hash mod p
Sam Scott <sam.scott89@gmail.com> Fri, 22 March 2019 13:59 UTC
Return-Path: <sam.scott89@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4012130EDC for <cfrg@ietfa.amsl.com>; Fri, 22 Mar 2019 06:59:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.748
X-Spam-Level:
X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ik-iY9wQBWDb for <cfrg@ietfa.amsl.com>; Fri, 22 Mar 2019 06:59:52 -0700 (PDT)
Received: from mail-qt1-x833.google.com (mail-qt1-x833.google.com [IPv6:2607:f8b0:4864:20::833]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20473130ED7 for <cfrg@irtf.org>; Fri, 22 Mar 2019 06:59:52 -0700 (PDT)
Received: by mail-qt1-x833.google.com with SMTP id x12so2566322qts.7 for <cfrg@irtf.org>; Fri, 22 Mar 2019 06:59:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/J6igekJqeKHT9A2lWLM79MnMRQ58rnbvZDV8gQ3L3M=; b=CdZ/6W8Ulz2Na1IrclfaMPUDfEAuKhSEsNi1weRSwL4GeGZHr+dSTmsfPfcUSytpnQ XVrtnArDJ7ARYTyhITBmI0O80FJVoqukMaJ1DcFNhiaK0J3r+b97ifazyd7PXwe94NUY Zvrnj/vmlQxWEvjTFowvA/XB2GyosqY8GVHvJOodcaTJtMZGXz6w5Lz3/wqHWLZDDCqb sb2PmB0Q69h09bZ9LUYpN3V4IibyzDibzIE0HKh8/s4y16Eofmt8kwovhy1KX+rmWOpL RRCHRmBw5VY8W2DGIAFIMV/tydIfCGvSzToiwSDMT56aJjnURwstpDu1OyfdDvG2AZf9 yazg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/J6igekJqeKHT9A2lWLM79MnMRQ58rnbvZDV8gQ3L3M=; b=jKd2LBC71RE5S6xsEqzknI1jpE7OTrPevMOPA++DQCu/uDCKKPE7BPIjvtNS/mhUoc +rK71g8kqeCVXL1iAoTJbKtXsYxTOc3y1p7ATbsOZj0WmeY4bggRJmkUqSjTRKDES5Cv 63pMiEFn1JTNDKJM6cNtkfUO50jxEhGzUNga7t3fvVzjPNJymFm0cPGUS8lNeJHxpG6u CdBrkQ/6B7fvFFNqpVPxNFg58dPaRdNSMt+IrrNVXDbLw+GtgRGeQhKBUWiQ8UY61RZA AWFb8U21GT+IUXVR52ZfyeigxUa2pEG9eFmXBpTVFsRB9LL6PRsmZzm/vWSK+d15Cc22 Rsvg==
X-Gm-Message-State: APjAAAUQhKPGtGYrD+Gqh+XZPL3gb7cQiISRkG11hENAPqYkf38TNDkC AZZzCZfjW+MGRXnVNDQO3kvo1f+srf/CmZq4iMQ=
X-Google-Smtp-Source: APXvYqwPHm8QS2NgE0RrWmkn4NxBAjAP2jAu0zvrITsum34Kp7oAvuCK86BKfC4Nzdk3Bz7EfdwkFA/gGbXQTGlDthE=
X-Received: by 2002:ac8:260d:: with SMTP id u13mr8094346qtu.32.1553263190910; Fri, 22 Mar 2019 06:59:50 -0700 (PDT)
MIME-Version: 1.0
References: <CAO8oSXkwdyMQ8MHdt=+iYpd3__a55h6mcD-OgKHhdTytgb8Oew@mail.gmail.com>
In-Reply-To: <CAO8oSXkwdyMQ8MHdt=+iYpd3__a55h6mcD-OgKHhdTytgb8Oew@mail.gmail.com>
From: Sam Scott <sam.scott89@gmail.com>
Date: Fri, 22 Mar 2019 09:59:39 -0400
Message-ID: <CAOFNb8oE7-n70ZZ8sWRR+CN0W+y_qM1V-2H9OVnZr3MtWNO66Q@mail.gmail.com>
To: Christopher Wood <christopherwood07@gmail.com>
Cc: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000bcab1c0584af4406"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/s0D0h38ghPhTtYnxM6llpIhPDrY>
Subject: Re: [Cfrg] Recommended bit length before truncating a hash mod p
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2019 13:59:54 -0000
A couple of people have suggested concatenating hash outputs to get enough bits. While this is useful feedback - we may need to specify this explicitly anyway, and in this case it might be the right approach regardless - the question was primarily around what is understood to be "enough" bits in this case. For a prime p, taking floor(log(p))+1 random bits and reducing mod p results in some amount of bias on the distribution [0, p-1]. Due to this, the NIST recommendation Chris linked above recommends taking log(p)+64 bits to smooth out the bias. In that instance, the output is used directly as a private key. Whereas in `hash2base` the output is fed into another encoding algorithm, which itself introduces bias as well. The options as we see them are: 1. Be more permissive, require only floor(log(p))+1 random bits, allowing combinations such as SHA256 + Curve25519 (with a single hash). 2. Require floor(log(p)) + 64 bits, resulting in combinations such as SHA512 + Curve25519, or SHA256 with concatenated outputs. The conclusion was this was a subtle enough trade off, that it seemed worth raising to the list to see if there were any objections/insights into the two options. Thanks all, Sam On Thu, 21 Mar 2019 at 21:20, Christopher Wood <christopherwood07@gmail.com> wrote: > Hi folks, > > In draft-irtf-cfrg-hash-to-curve, we define a utility function called > `hash2base` as follows [1]: > > ~~~ > hash2base(x). This method is parametrized by p and H, where p is the > prime order of the base field Fp, and H is a cryptographic hash > function which outputs at least floor(log2(p)) + 1 bits. The function > first hashes x, converts the result to an integer, and reduces modulo > p to give an element of Fp. We provide a more detailed algorithm in > Appendix C.7. > ~~~ > > Some existing standards [2] recommend taking at least log2(p) + 64 > bits “so that bias produced by the mod function … is negligible.” If > we were to follow this guidance for hash2curve, we’d lose out on > several ciphersuite combinations, such as P-256 and Curve25519 with > SHA256. > > So, our question to the group is, how many extra bits are necessary? > > Thanks, > Chris > > [1] https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-03#section-4 > [2] > https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Recommended bit length before truncating a… Christopher Wood
- Re: [Cfrg] Recommended bit length before truncati… Mehmet Adalier
- Re: [Cfrg] Recommended bit length before truncati… David Núñez
- Re: [Cfrg] Recommended bit length before truncati… Markku-Juhani Olavi Saarinen
- Re: [Cfrg] Recommended bit length before truncati… David Núñez
- Re: [Cfrg] Recommended bit length before truncati… Gilles Van Assche
- Re: [Cfrg] Recommended bit length before truncati… Sam Scott
- Re: [Cfrg] Recommended bit length before truncati… Markku-Juhani Olavi Saarinen
- Re: [Cfrg] Recommended bit length before truncati… Dan Brown
- Re: [Cfrg] Recommended bit length before truncati… Michele Orrù
- Re: [Cfrg] Recommended bit length before truncati… Ilari Liusvaara
- Re: [Cfrg] Recommended bit length before truncati… Michele Orrù
- Re: [Cfrg] Recommended bit length before truncati… Michele Orrù
- Re: [Cfrg] Recommended bit length before truncati… Michele Orrù