IETF Logo Mail Archive

[Cfrg] Comments regarding draft-sullivan-cfrg-hash-to-curve

"Jason Resch" <jresch@us.ibm.com> Tue, 20 March 2018 00:31 UTC

Return-Path: <jresch@us.ibm.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 900FF1241F8 for <cfrg@ietfa.amsl.com>; Mon, 19 Mar 2018 17:31:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.5
X-Spam-Level:
X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id scAGCsNJ_3Ut for <cfrg@ietfa.amsl.com>; Mon, 19 Mar 2018 17:31:30 -0700 (PDT)
Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6915812D80F for <cfrg@irtf.org>; Mon, 19 Mar 2018 17:31:29 -0700 (PDT)
Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w2K0V4hf003276 for <cfrg@irtf.org>; Mon, 19 Mar 2018 20:31:29 -0400
Received: from smtp.notes.na.collabserv.com (smtp.notes.na.collabserv.com [192.155.248.74]) by mx0a-001b2d01.pphosted.com with ESMTP id 2gtp61tnq9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <cfrg@irtf.org>; Mon, 19 Mar 2018 20:31:28 -0400
Received: from localhost by smtp.notes.na.collabserv.com with smtp.notes.na.collabserv.com ESMTP for <cfrg@irtf.org> from <jresch@us.ibm.com>; Tue, 20 Mar 2018 00:31:28 -0000
Received: from us1a3-smtp05.a3.dal06.isc4sb.com (10.146.71.159) by smtp.notes.na.collabserv.com (10.106.227.92) with smtp.notes.na.collabserv.com ESMTP; Tue, 20 Mar 2018 00:31:26 -0000
Received: from us1a3-mail154.a3.dal06.isc4sb.com ([10.146.38.91]) by us1a3-smtp05.a3.dal06.isc4sb.com with ESMTP id 2018032000312613-1194971 ; Tue, 20 Mar 2018 00:31:26 +0000
In-Reply-To:
From: Jason Resch <jresch@us.ibm.com>
To: cfrg@irtf.org
Date: Tue, 20 Mar 2018 00:31:26 +0000
MIME-Version: 1.0
Sensitivity:
Importance: Normal
X-Priority: 3 (Normal)
References:
X-Mailer: IBM iNotes ($HaikuForm 1011.1) | IBM Domino Build SCN1805107_20180220T0755_FP3 March 05, 2018 at 16:31
X-LLNOutbound: False
X-Disclaimed: 40295
X-TNEFEvaluated: 1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
x-cbid: 18032000-7581-0000-0000-000006787F06
X-IBM-SpamModules-Scores: BY=0; FL=0; FP=0; FZ=0; HX=0; KW=0; PH=0; SC=0.40304; ST=0; TS=0; UL=0; ISC=; MB=0.249299
X-IBM-SpamModules-Versions: BY=3.00008705; HX=3.00000241; KW=3.00000007; PH=3.00000004; SC=3.00000254; SDB=6.01005546; UDB=6.00511923; IPR=6.00784829; BA=6.00005875; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00020135; XFM=3.00000015; UTC=2018-03-20 00:31:27
X-IBM-AV-DETECTION: SAVI=unsuspicious REMOTE=unsuspicious XFE=unused
X-IBM-AV-VERSION: SAVI=2018-03-19 20:28:33 - 6.00008217
x-cbparentid: 18032000-7582-0000-0000-00000262CC7A
Message-Id: <OF6FFC9F11.340C9F5B-ON00258255.0080017E-00258256.0002E0C9@notes.na.collabserv.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-19_13:, , signatures=0
X-Proofpoint-Spam-Reason: safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/svOlLaFELxz3l4NV3SfI3Br3LIE>
Subject: [Cfrg] Comments regarding draft-sullivan-cfrg-hash-to-curve
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 00:34:56 -0000

I recently read and implemented the draft "draft-sullivan-cfrg-hash-to-curve" Nick Sullivan and Christopher Wood:

Sullivan & Wood         Expires September 6, 2018              [Page 17]
Internet-Draft                hash-to-curve                   March 2018

Available at: https://datatracker.ietf.org/doc/draft-sullivan-cfrg-hash-to-curve/?include_text=1" target="_blank" rel="nofollow">https://datatracker.ietf.org/doc/draft-sullivan-cfrg-hash-to-curve/?include_text=1


And had some feedback I wished to make available to the authors and the list.

First, I wanted to thank the authors for organizing this draft; I think standards on hashing to EC points are sorely needed and this is an excellent collection of recommendations that simplify things for implementors such as myself.

Comment 1: Algorithm Recommendations Table

Is there any reason not to include recommendations be made for other common curves, such as NIST P-521, Curve1174, or Koblitz curves such as secp256k1?

Comment 2: Icart vs. SWU Simplified

Both of these are listed as having performance of "O(log^3 q)". Given this, is there a significant advantage to using Icart for P-384?  Implementation simplicity might motivate using SWU Simplified for all curves, for example, as opposed to special casing NIST P-384.

Comment 3: Algorithm description of SWU Simplified

I did not understand this line:

"5. Output (-g * alpha) * (g * beta)"

- g was not defined here, except above as a function of x, but here it is being used in a multiplication.
- g might be confused with the generator point for the curve
- The output should be in the form of a point with coordinates x and y, should it not?

Steps "19" and "20" use "//" presumably to denote division, but "//" is also used later to represent comments.  Is there any difference here between "//" and "/"?
Would it be clearer to represent these divisions as multiplications of the multiplicative inverse computed over p?

Step "21" indicates an equality comparison.  Unless implemented specially, these could lead to side-channel attacks as an equality check of equal values takes longer than one where the values are unequal. It might be more secure to separately compute both comparisons, i.e. also compute "e_2 = (y2 ^ 2 == h3)" as a mitigation strategy or alternative to implementing constant time equality checks, which might not be readily available in different BigInteger libraries/languages.

Comment 4: Definition of HashToBase

An example is given that this can be any cryptographic hash function, such as SHA-256.  However, I think it would be better if this is defined as a method supporting variable length outputs.  For example, HKDF (Hmac Key Derivation Function).  The justification being that some elliptic curves operate on fields that are too large, even for SHA-512 (e.g. NIST P-521), and naive attempts at extending the length of a hash may otherwise be designed insecurely.

If the function is specified as HKDF (which operates on bytes rather than bits) there should be clarification as to which bits of the output are to be used (e.g. the left-most bits output by HKDF).

There should be some security recommendation as well, in terms of selecting hash functions with security properties appropriately matched for the security of the curve.

Comment 5: Clarification for supported curves

The draft indicates that Simplified SWU works for all curves where: p == 3 % 4

However, the Koblitz curve secp256k1 has a p such that p == 3 % 4, yet it does not seem to work with Simplified SWU. The problem is that it's "a" coefficient is defined as zero. Thus it isn't possible to compute (-b / a) which is required and used in the Simplified SWU method.  Is there a means around this?


Those are all the comments that I had.

Best Regards,

Jason Resch

v2.23.0 | Report a Bug | By Email