Re: [CFRG] please use real names (was: Re: Small subgroup question for draft-irtf-cfrg-hash-to-curve)

Mike Hamburg <mike@shiftleft.org> Sun, 11 April 2021 14:57 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3C243A0E97 for <cfrg@ietfa.amsl.com>; Sun, 11 Apr 2021 07:57:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.306
X-Spam-Level:
X-Spam-Status: No, score=-1.306 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=shiftleft.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DG_VM812pKmA for <cfrg@ietfa.amsl.com>; Sun, 11 Apr 2021 07:57:10 -0700 (PDT)
Received: from doomsayer.shiftleft.org (unknown [54.219.126.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF5BE3A0EC3 for <cfrg@irtf.org>; Sun, 11 Apr 2021 07:56:58 -0700 (PDT)
Received: from [192.168.7.53] (unknown [198.207.18.242]) (Authenticated sender: mike) by doomsayer.shiftleft.org (Postfix) with ESMTPSA id 6DC03BB80C; Sun, 11 Apr 2021 14:56:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shiftleft.org; s=sldo; t=1618153016; bh=QmpL56DffTET3Gdsy7AlT0HczYwz3886efyxmxmudkI=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=igPegQ/vcC04P74b0RBjWY8bAbKqrI8zOy08UK9tVGFnbkW+uLUmKcEVZrvFsunRH Hgdgtk7YBbxAYMqucSTKUNbhvrQJD3CQ3raTHuZBffj0t+8trCSghr3VEmXXolPK2w u2Xgi2WgyjOj3KH7b/25mUUxtXu+MAoMx/1lDvww=
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
From: Mike Hamburg <mike@shiftleft.org>
In-Reply-To: <CAOvwWh2V6ds67BxzQjakXpsuFuJhhg-GOuiDfY5rqubqZVM0Fg@mail.gmail.com>
Date: Sun, 11 Apr 2021 11:56:53 -0300
Cc: Squeamish Ossifrage <squeamishossifrage.se@protonmail.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B007B163-3A5F-43E3-AD2A-81500BF8CB58@shiftleft.org>
References: <5kNv_5tUGSftaikmVD_WOJNEXwJjdLV07YODBNFunXGvBKKTOJ2ytxrCKgsj9OgNK3fB_ofUTv7pYbKO-akAqXmhszP0-eYfzj8B6lCRuwg=@protonmail.com> <CAOvwWh2V6ds67BxzQjakXpsuFuJhhg-GOuiDfY5rqubqZVM0Fg@mail.gmail.com>
To: Soatok Dreamseeker <soatok.dhole@gmail.com>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/s8C98xAU6hFJ2EIwNxNFRIbS3mo>
Subject: Re: [CFRG] please use real names (was: Re: Small subgroup question for draft-irtf-cfrg-hash-to-curve)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Apr 2021 14:57:15 -0000


> On Apr 11, 2021, at 10:52 AM, Soatok Dreamseeker <soatok.dhole@gmail.com> wrote:
> An additional observation.
> 
> - AES has a 128-bit block size
> - When you use 256-bit keys, there are about 2^128 different keys that
> will map a single 128-bit plaintext block to a single 128-bit
> ciphertext block
> 
> However, I believe this probability of H=[0x000...000] is zero,
> because the AES block cipher is a PRP and the input is [0x000...000],
> and as far as I'm aware, there are no known (P, k) pairs for which
> E_k(P) = P.

Hi Soatok,

This is not an expected property of a PRP: for a fully random permutation,
we would expect about 1 element to map to itself in expectation for each key.
The existence or non-existence of known pairs (P,k) where E_k(P)=P doesn’t
rule out E being a PRP either way — e.g. it might be that there are no such
pairs, or that with the key you can easily identify such a P — but for an ideal
block cipher they would exist with overwhelming probability but would be very
hard to find.

> If AES were a PRF instead of a PRP, the risk calculus here would be
> different. (But also, the 128-bit block size would need to be 256-bit
> to reach the same security under birthday bound assumptions.)

Also, IIRC AES-GCM has better bounds with a PRF than with a PRP, because
you’d prefer the keystream to be uniformly random independent values instead
of uniformly random unique values.  That is, going to a PRF would remove
the birthday term in GCM’s analysis, though of course the PRF’s own security
analysis might itself have a birthday term.  This is how the analysis proceeds
for AES-GCM: note that any PRP is a PRF at the cost of a birthday term, and
then do the analysis for a PRF.

> Regards,
> 
> S. Dreamseeker <https://soatok.blog>

My 2c on real names.  I think it’s preferable that we use real names if at all
practical, for a few reasons:

* Real names add a layer of professionalism that helps us not turn into
Reddit.  Which, while an interesting place, is arguably less productive than
CFRG, and is a safer space for e.g. racist jerks, because they can hide
behind pseudonyms.

* We need at least long-term pseudonyms to help remember, or even
research, who is making the which arguments.  Different people on these
forums have different styles.

* This body influences standards-setting organizations, so it may be
useful for legal reasons to keep track of who is sending in ideas (to
prevent, e.g., patent shenanigans).

There are legitimate reasons that someone might prefer a pseudonym.
Simply having a long-term handle isn’t a good enough reason, because
you could always sign as "Mike Hamburg (bitwiseshiftleft)” or similar.  And
we can’t keep people from coming up with a fake “real name”.  So I would
be happy with leaving this as a strong suggestion, rather than an absolute
policy.

Regards,
— Mike