Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
Mike Hamburg <mike@shiftleft.org> Fri, 09 April 2021 14:58 UTC
Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81E2B3A241B for <cfrg@ietfa.amsl.com>; Fri, 9 Apr 2021 07:58:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.306
X-Spam-Level:
X-Spam-Status: No, score=-1.306 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=shiftleft.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gswC35lqmgei for <cfrg@ietfa.amsl.com>; Fri, 9 Apr 2021 07:58:18 -0700 (PDT)
Received: from doomsayer.shiftleft.org (unknown [54.219.126.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAF8D3A2419 for <cfrg@irtf.org>; Fri, 9 Apr 2021 07:58:18 -0700 (PDT)
Received: from [192.168.7.53] (unknown [198.207.18.242]) (Authenticated sender: mike) by doomsayer.shiftleft.org (Postfix) with ESMTPSA id 5D406BB868; Fri, 9 Apr 2021 14:58:17 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shiftleft.org; s=sldo; t=1617980297; bh=EjK/7yisDU/pIrolDLkgDtXKe2G3nQzQGZ0QcGmDqCI=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=ioA4HtW4hGHX98VjCWQsSmRgDzIrHktRFPF6Ek9VVOFSPK3yvv54u2PF1ABSrSJGa 5nax3KllcPZ1n1NHoxXcIBWA7GClwwCB8cjOgZHGY+xB+BJdQrh8YrQHCIBp6GVPfj PfxNMKJvYB/36TV0E9pZ733pFfB9W3NaHNX5LtbY=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
From: Mike Hamburg <mike@shiftleft.org>
In-Reply-To: <4590aaa512acf5a482c9890ebe48f1760e5831a5.camel@loup-vaillant.fr>
Date: Fri, 09 Apr 2021 11:58:15 -0300
Cc: "Hao, Feng" <Feng.Hao=40warwick.ac.uk@dmarc.ietf.org>, CFRG <cfrg@irtf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F9593D27-3244-470E-89BE-85215B2DC9E7@shiftleft.org>
References: <e270e62d-941d-0a87-7dc9-cf80f73b5aeb@jacaranda.org> <d0778523-5f5d-4327-b795-279918c1899c@www.fastmail.com> <CAMr0u6=PBX1W5zQFmpxKQ=ViUXN9QK00BREL4M0=2HOkaXaiZw@mail.gmail.com> <VI1SPR01MB03573585C37B871D200ECC23D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <4590aaa512acf5a482c9890ebe48f1760e5831a5.camel@loup-vaillant.fr>
To: Loup Vaillant-David <loup@loup-vaillant.fr>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/u8jsJEEgWJKbzcqK9G03XWRj9XE>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2021 14:58:24 -0000
> On Apr 9, 2021, at 11:45 AM, Loup Vaillant-David <loup@loup-vaillant.fr> wrote: > > Hi, > > >> The methods defined in the draft map field elements in F_p to points >> on elliptic curves. But the points include small subgroup (low-order) >> points. What if the mapped point on the curve falls into a small >> subgroup? The clearing-the-co-factor step (section 7) does no help at >> all here as it only turns the small subgroup point to an identity >> point. >> >> The chance of falling into a small subgroup is extremely small, but >> for the completeness of the algorithm specification and the analysis, >> it’s still necessary to explicitly specify what to do in this case. > > My opinion as an implementer is two fold: > > 1. Excluding low-order points is quite the hassle, and it's not > clear how I could do it in constant time. > 2. We never generate those points to begin with. > > I don't want to deal with (1), which makes (2) very convenient for me. > So I'll just justify (2), using Curve25519 as an example: > > - The order of the prime subgroup is a little over 2^252. > - The cofactor is 8. > - Therefore, Curve25519 has a little over 2^255 points. > - Selecting a point at random will give a low-order point about > once every 2^252 trials. That means never. > > The security of a curve is basically the square root of its prime > order. Here, 2^125 or so. Breaking it with standard brute force methods > is incommensurately easier than stumbling upon a low-order point by > chance. > > In security parlance, a probability of 1/2^255 isn't just "extremely > small", it's "flat out impossible". I can therefore justify my laziness > and chose not to check for that event. > > --- > > Note that generating a small-subgroup point *on purpose* will not work > either: Curve25519 has 8 low-order points, and a maximum of 16 > representatives for those points (maybe a couple more if we allow > representatives over 2^255 - 19). The inputs are hashed before we map > the hash to the curve. So it's not enough to pick a matching > representative, we need to pick a hash whose image is one of those > representatives. > > To do this, we need to conduct a multi-preimage attack on a 2^255-bit > hash, with 16 images. The difficulty of that attack is roughly 2^251. > Again, this is impossible if the hash is secure. > > As a consequence, I cannot generate test vectors that account for this > edge case even if I wanted to. Even if I wasn't lazy, accounting for > low-order points means writing code I cannot trigger even if I want to > —dead code. That will only harm security in practice. > > >> In CPace and OPAQUE, both protocols use the output of hash-to-curve >> as a base generator. The implicit assumption is that the returned >> value from hash-to-curve must be a non-identity point in a subgroup >> of the large prime order. > > This assumption is correct as far as I can tell: yes, in *theory*, we > have a couple exceptions. In *practice*, those exceptions will never > occur. The probabilities are low enough to be considered negligible. > > >> Has this issue been considered? Apologies if I missed any discussion >> on this before. > > Likely. I haven't followed past discussions though, so I cannot say. > > Loup. Yeah, the usual answer is: if an event happens with negligible probability, and an adversary can’t cause it to happen more often, and it only breaks one thing, then it doesn’t affect security. Any reasonable adversarial strategy has some chance to break the protocol anyway (e.g. just guess someone’s private key), and this unlikely event doesn’t significantly contribute to that chance. I haven’t checked the details for CPace and OPAQUE, but for cases I’ve looked at it’s been fine. Of course, implementations will not be fully compliant with the spec unless they can properly handle the identity point. They would have to do another analysis to see whether this sort of non-compliance is itself a security issue, but the answer would probably again be: not unless an adversary can cause it to happen. Cheers, — Mike
- [CFRG] Comment on draft-irtf-cfrg-hash-to-curve-10 Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Christopher Wood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Stanislav V. Smyshlyaev
- [CFRG] Small subgroup question for draft-irtf-cfr… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Russ Housley
- Re: [CFRG] Small subgroup question for draft-irtf… Richard Outerbridge
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Armando Faz
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- Re: [CFRG] Small subgroup question for draft-irtf… Björn Haase
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- [CFRG] please use real names (was: Re: Small subg… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Hugo Krawczyk
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Watson Ladd
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Watson Ladd
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Riad S. Wahby
- Re: [CFRG] please use real names (was: Re: Small … Filippo Valsorda
- Re: [CFRG] please use real names (was: Re: Small … Scott Arciszewski
- Re: [CFRG] please use real names (was: Re: Small … Daniel Franke
- Re: [CFRG] please use real names (was: Re: Small … Watson Ladd
- Re: [CFRG] please use real names (was: Re: Small … Michael StJohns
- Re: [CFRG] please use real names (was: Re: Small … Henry de Valence
- Re: [CFRG] please use real names (was: Re: Small … Dan Harkins
- Re: [CFRG] Small subgroup question for draft-irtf… Hugo Krawczyk
- Re: [CFRG] please use real names (was: Re: Small … Peter Gutmann
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Squeamish Ossifrage
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Small subgroup question for draft-irtf… Stanislav V. Smyshlyaev
- Re: [CFRG] Small subgroup question for draft-irtf… Björn Haase
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Daniel Franke
- Re: [CFRG] please use real names (was: Re: Small … Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Colin Perkins
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] please use real names (was: Re: Small … Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Michael StJohns
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Michael Sierchio
- [CFRG] Closure (was Re: Small subgroup question f… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Phillip Hallam-Baker
- Re: [CFRG] please use real names (was: Re: Small … Peter Gutmann
- Re: [CFRG] please use real names (was: Re: Small … David Jacobson
- Re: [CFRG] please use real names (was: Re: Small … Julia Hesse
- Re: [CFRG] Closure (was Re: Small subgroup questi… Armando Faz
- Re: [CFRG] Closure (was Re: Small subgroup questi… Hao, Feng
- Re: [CFRG] Closure (was Re: Small subgroup questi… Mike Hamburg
- Re: [CFRG] thoughts on clearing the cofactor in h… Loup Vaillant-David
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Stanislav V. Smyshlyaev
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Riad S. Wahby
- [CFRG] (suggested language re mixing square roots… Rene Struik
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Loup Vaillant-David
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] (suggested language re mixing square r… Daira Hopwood
- Re: [CFRG] (suggested language re mixing square r… Rene Struik
- Re: [CFRG] please use real names (was: Re: Small … isis agora lovecruft