IETF Logo Mail Archive

Re: [Cfrg] Recommended bit length before truncating a hash mod p

Dan Brown <danibrown@blackberry.com> Fri, 22 March 2019 14:49 UTC

Return-Path: <danibrown@blackberry.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3CD5130E9A for <cfrg@ietfa.amsl.com>; Fri, 22 Mar 2019 07:49:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TZ1l9dTmDnB2 for <cfrg@ietfa.amsl.com>; Fri, 22 Mar 2019 07:49:16 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C415A128CB7 for <cfrg@irtf.org>; Fri, 22 Mar 2019 07:49:15 -0700 (PDT)
Received: from xct104cnc.rim.net ([10.65.161.204]) by mhs214cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 22 Mar 2019 10:49:14 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT104CNC.rim.net ([::1]) with mapi id 14.03.0415.000; Fri, 22 Mar 2019 10:49:13 -0400
From: Dan Brown <danibrown@blackberry.com>
To: Christopher Wood <christopherwood07@gmail.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Recommended bit length before truncating a hash mod p
Thread-Index: AQHU4E1tMJURvna95UWevnh6zFw5a6YXsS6Q
Date: Fri, 22 Mar 2019 14:49:13 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF501DA82DA@XMB116CNC.rim.net>
References: <CAO8oSXkwdyMQ8MHdt=+iYpd3__a55h6mcD-OgKHhdTytgb8Oew@mail.gmail.com>
In-Reply-To: <CAO8oSXkwdyMQ8MHdt=+iYpd3__a55h6mcD-OgKHhdTytgb8Oew@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.251]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_0127_01D4E09C.E22CBDD0"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/t52N6Y0qddLwuVaWZjaj6IuLKsg>
Subject: Re: [Cfrg] Recommended bit length before truncating a hash mod p
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2019 14:49:19 -0000

> -----Original Message-----
> From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Christopher Wood
> 
> Some existing standards [2] recommend taking at least log2(p) + 64 bits “so
> that bias produced by the mod function … is negligible.” If we were to follow
> this guidance for hash2curve, we’d lose out on several ciphersuite
> combinations, such as P-256 and Curve25519 with SHA256.
> 
> So, our question to the group is, how many extra bits are necessary?
> 

Zero (or perhaps less?) extra bits are necessary, at least for some hashes mentioned in Section 10:

 Elligator2, for example, only maps strings to "about half of all curve points,"
 whereas Icart's method only covers about 5/8 of the points.

The output points (for these hashes) are already biased and easily distinguishable from general points, hence biased field elements should thus be tolerable too. 

I vaguely recall reading about some of the hash-to-point functions aiming to produce a uniformly distributed point.  I am not sure if your draft includes such hashes.  If it does, the uniform field elements would likely be needed for those hashes, if only because uniformity is advertised.

Best regards,

Dan

PS

By "less" than zero extra bits, I meant using, say, SHA1 to map a bit string into a P256 point.  The only possible gain of such would be compression if one use a variable-length point representation.  This *might* be safe in some applications, similar in safety to the way that using a ECDH generator with a small coordinate might be safe, and the way of using points with 1 bit of bias is.  (I am ignoring the general questionability of SHA1, just focusing on its shorter length.)

The requirements from NIST SP 800-56a are about private key generation, where uniformity is more important, e.g. in signatures, and perhaps MQV.

v2.23.0 | Report a Bug | By Email