Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Watson Ladd <watsonbladd@gmail.com> Sat, 10 April 2021 21:20 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 10 Apr 2021 14:20:01 -0700
Message-ID: <CACsn0c=mDvLgy+yWskOTBRj4TvQWO_7VbgCu71dyPAer_gms0w@mail.gmail.com>
To: "Hao, Feng" <Feng.Hao=40warwick.ac.uk@dmarc.ietf.org>
Cc: Hugo Krawczyk <hugo@ee.technion.ac.il>, CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/u-fKXeUH9wKaBbLj-5VheLwphC4>

On Sat, Apr 10, 2021 at 1:37 PM Hao, Feng
<Feng.Hao=40warwick.ac.uk@dmarc.ietf.org> wrote:

> So the registration phase doesn't help you. Even if it's done over a secure SSL/TLS channel, it's sufficient if the attacker can observe the timing delay in the communication.
>
> Therefore, the best one can do is to hope map-to-curve never falls into a small subgroup. But in that case, wouldn't it be better to preclude small subgroup points from map-to-curve by design?

What is the probability that the map to curve output is the identity?

Sincerely,
Watson



-- 
Astra mortemque praestare gradatim
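Watson's question above (how likely is it that the map-to-curve output, after cofactor clearing, is the identity) can be made concrete on a toy curve. The following is an added example for this thread, not code from the draft or from any poster; it assumes the textbook curve y^2 = x^3 + x + 1 over F_23 (28 points = h*q with cofactor h = 4 and prime subgroup order q = 7) and models the draft's clear_cofactor step as plain multiplication by h.

```python
# Toy model of the small-subgroup question: on y^2 = x^3 + x + 1 over F_23
# (a textbook curve with 28 points, h = 4, q = 7), count how many curve
# points the cofactor-clearing step h*P sends to the identity.
# Added illustration for this thread, not code from the hash-to-curve draft.

P_MOD, A, B = 23, 1, 1   # toy curve parameters, assumed for the example
O = None                 # point at infinity (the identity)

def ec_add(P, Q):
    """Affine short-Weierstrass addition over F_p."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O             # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, P):
    """Double-and-add scalar multiplication."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def all_points():
    """Every point of E(F_p), identity included (brute force; p is tiny)."""
    pts = [O]
    for x in range(P_MOD):
        rhs = (x ** 3 + A * x + B) % P_MOD
        pts += [(x, y) for y in range(P_MOD) if y * y % P_MOD == rhs]
    return pts

def cleared_to_identity(h):
    """Points P with h*P == O, i.e. exactly the inputs clear_cofactor maps to O."""
    return [P for P in all_points() if ec_mul(h, P) is O]

if __name__ == "__main__":
    n, h = len(all_points()), 4               # 28 points, cofactor 4
    k = len(cleared_to_identity(h))           # 4 of them die: 1/q = 1/7
    print(f"#E = {n}, h = {h}, q = {n // h}, killed = {k}, fraction 1/{n // k}")
```

For any curve group of order h*q with q prime and q not dividing h, the points killed by clearing are exactly the h elements of the h-part of the group, so a uniformly distributed map output lands on the identity with probability h/(h*q) = 1/q: negligible at cryptographic sizes, but not zero.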