Re: [CFRG] please use real names (was: Re: Small subgroup question for draft-irtf-cfrg-hash-to-curve)

Colin Perkins <csp@csperkins.org> Sun, 11 April 2021 15:26 UTC

From: Colin Perkins <csp@csperkins.org>
Date: Sun, 11 Apr 2021 16:25:52 +0100
Cc: rsw@cs.stanford.edu, CFRG <cfrg@irtf.org>
To: Rene Struik <rstruik.ext@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/t-sk7jJOp3eVcNjnVRwo65-Qjyo>

To the best of my knowledge, there is no requirement for participants in the IRTF to use their real names.

Participants do, however, agree to follow the intellectual property disclosure rules, and other requirements, of the Note Well. These require a certain amount of transparency.

There is some tension between these two points, but my understanding is that it is possible to participate in IRTF pseudonymously while complying with the Note Well.

Colin



> On 10 Apr 2021, at 16:34, Rene Struik <rstruik.ext@gmail.com> wrote:
> 
> Hi "rsw":
> 
> As a general courtesy, may I suggest that all communications use people's real names and not some obscure acronym.
> 
> The CFRG is supposed to be a research forum, where people do not hide their identity. In fact, in my opinion, IETF should have no place for communications by "anonymous".
> 
> Rene
> 
> On 2021-04-10 11:12 a.m., rsw@cs.stanford.edu wrote:
>> Hello Feng,
>> 
>> "Hao, Feng" <Feng.Hao=40warwick.ac.uk@dmarc.ietf.org> wrote:
>>> Rsw also gave a similar example of having all zeros for the hash.
>>> Let me clarify that we are not – and shouldn’t be - concerned with
>>> any of such cases since the values are uniformly distributed within
>>> their respective range.
>> Right. And the argument is precisely the same for hash-to-curve!
>> 
>> Let me be perfectly clear: the property that hash_to_curve gives
>> is that the output is a uniformly* distributed point in the (big)
>> prime-order subgroup of the target elliptic curve.
>> 
>> At the risk of seeming didactic (in which case, apologies): the
>> identity element is indeed an element of the target group G.
>> 
>> Put another way: fix a generator g of group G of prime order q. Then,
>> hash_to_curve returns g^r in G, for r sampled uniformly* at random
>> in 0 <= r < q. Under the assumption that discrete log is hard in G,
>> hash_to_curve does not reveal r. Under the preimage and collision
>> resistance of the underlying hash function, one cannot choose any
>> particular r or find two inputs that hash to the same r.
>> 
>> I hope this helps clarify the security properties, and why focus
>> on low-order points at intermediate steps of the computation is not
>> relevant to the security of hash_to_curve as specified.
>> 
>> * uniformly except for some statistical distance less than 2^-100.
>> 
>> Regards,
>> 
>> -=rsw
>> 
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
> 
> 
> -- 
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
> 


-- 
Colin Perkins
https://csperkins.org/