Re: [Cfrg] Comments regarding draft-sullivan-cfrg-hash-to-curve
Christopher Wood <christopherwood07@gmail.com> Mon, 26 March 2018 13:46 UTC
Return-Path: <christopherwood07@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DB0C127419 for <cfrg@ietfa.amsl.com>; Mon, 26 Mar 2018 06:46:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cvle1J7KgJ7r for <cfrg@ietfa.amsl.com>; Mon, 26 Mar 2018 06:45:59 -0700 (PDT)
Received: from mail-yw0-x236.google.com (mail-yw0-x236.google.com [IPv6:2607:f8b0:4002:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D0531275AB for <cfrg@irtf.org>; Mon, 26 Mar 2018 06:45:59 -0700 (PDT)
Received: by mail-yw0-x236.google.com with SMTP id y23so6136859ywy.4 for <cfrg@irtf.org>; Mon, 26 Mar 2018 06:45:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CnxhrG10d70GFDiclWRPyjaByFc3W0b2WbNCZTBuK64=; b=SoI0SMS2XUp5SXDeS5697JcVBNNhJLgq/OgaGKN3ihnDkH28CCuLkOOZu5xAsq2dTW ia0oVhMoC/eP8khk/tXKaY04/cIcaHmzYbUeEs+dgDwR9ZT8RyB1iSXBjbqZJ5AHlfnE bnSuXmFzoz0w0p/sDI56p+KjcVjkAc4m0LivVJePqT5ZZc7j48vBxwK6Vux5A+yFJOto RQ0HCQANXvUZluFWJamcUmgCax79IfTdn3e2/wXJk9lkU5iB0JANntoeUFXzM/1RQkfW IQhlRlXDePV6ttCxPEPte4BsBmV89n+/KCPKYJrUjhcvlYOJEYZrRuv/J+lZuU8WfI/H zD0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CnxhrG10d70GFDiclWRPyjaByFc3W0b2WbNCZTBuK64=; b=NiI0lHi8+842PrzvwTnEL73edxaqBcE3bj6bVF9EjyS8OelhBGGK6Dqlm0s7gA3om5 MpnwYI+xE2101pI8nJGj9Q7/7/q2MuYEkmHpXjBmP9K+9lGUSb5nyQPPcx13zVN+n+6k vC7E2iFfzx4p4+NKZdVGtcWUlJAYry4UHljFRytJHxhDQy4cVHu0J0dUVae4JNXlQkd1 Gp4KcNa5KDdfB6RvFQwI3lHRRVHEOuQiwIrFCrievtaz6blHZIa2i+HiKYnK5zDmUsRW SS/GnPAfSnhumRUUzl9lj9Js6mBNtcP/YXJKwcDVnIeJXlTnzf6/ehBcPMigYR1+h2eR itDw==
X-Gm-Message-State: AElRT7Es76RYQi7Lwped69bPo5htB0KlTxTgeZq3frdTl2Q5LYJQdlXJ ZOa49cVxICjmbPWSDUM3gzC2X0jPqKfzJ0aZMj4=
X-Google-Smtp-Source: AIpwx4983yMRdJQKg40AKGvbKT3SEfRzSFjFfb6/pdmP2FBY1qpaOhHzsfHfSGHlU0oIOuAguYOHfq7a5wesMzJO2LQ=
X-Received: by 10.13.196.196 with SMTP id g187mr896380ywd.119.1522071957922; Mon, 26 Mar 2018 06:45:57 -0700 (PDT)
MIME-Version: 1.0
References: <OF6FFC9F11.340C9F5B-ON00258255.0080017E-00258256.0002E0C9@notes.na.collabserv.com>
In-Reply-To: <OF6FFC9F11.340C9F5B-ON00258255.0080017E-00258256.0002E0C9@notes.na.collabserv.com>
From: Christopher Wood <christopherwood07@gmail.com>
Date: Mon, 26 Mar 2018 13:45:47 +0000
Message-ID: <CAO8oSXnxS4Ea89A3Yq46sPk2f8iYqiEsFwNALqAfb+2951NBsA@mail.gmail.com>
To: jresch@us.ibm.com
Cc: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="001a114d5f065fe9fa056850fe1b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/uBJr0VKIRhQMtEL-gjzca5ALYlU>
Subject: Re: [Cfrg] Comments regarding draft-sullivan-cfrg-hash-to-curve
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 13:46:01 -0000
Hi Jason, Thanks for the review and feedback. Please see inline below for comments. On Mon, Mar 19, 2018 at 5:35 PM Jason Resch <jresch@us.ibm.com> wrote: > *Comment 1: Algorithm Recommendations Table* > > Is there any reason not to include recommendations be made for other > common curves, such as NIST P-521, Curve1174, or Koblitz curves such as > secp256k1? > No. We didn't have an immediate use for them. That said, we should be inclusive to all curves and provide appropriate recommendations. I filed: https://github.com/chris-wood/draft-sullivan-cfrg-hash-to-curve/issues/9 > > *Comment 2: Icart vs. SWU Simplified* > > Both of these are listed as having performance of "O(log^3 q)". Given > this, is there a significant advantage to using Icart for P-384? > Implementation simplicity might motivate using SWU Simplified for all > curves, for example, as opposed to special casing NIST P-384. > That may well be the case. We are still working on the analysis and cost comparison. I suspect we will prune the list of algorithms specified (in the main body) in the future. If and when that happens, we may move all other algorithms to the appendix. > > *Comment 3: Algorithm description of SWU Simplified* > > I did not understand this line: > > "5. Output (-g * alpha) * (g * beta)" > > - g was not defined here, except above as a function of x, but here it is > being used in a multiplication. > - g might be confused with the generator point for the curve > - The output should be in the form of a point with coordinates x and y, > should it not? > This is a bug in that description. I'll clean this up in the next revision. > > Steps "19" and "20" use "//" presumably to denote division, but "//" is > also used later to represent comments. Is there any difference here > between "//" and "/"? > Would it be clearer to represent these divisions as multiplications of the > multiplicative inverse computed over p? > Good point. There is no difference as written. I will clarify this notation. > > Step "21" indicates an equality comparison. Unless implemented specially, > these could lead to side-channel attacks as an equality check of equal > values takes longer than one where the values are unequal. It might be more > secure to separately compute both comparisons, i.e. also compute "e_2 = (y2 > ^ 2 == h3)" as a mitigation strategy or alternative to implementing > constant time equality checks, which might not be readily available in > different BigInteger libraries/languages. > Another good point. I will make sure these are written to be constant-time comparisons. > > *Comment 4: Definition of HashToBase* > > An example is given that this can be any cryptographic hash function, such > as SHA-256. However, I think it would be better if this is defined as a > method supporting variable length outputs. For example, HKDF (Hmac Key > Derivation Function). The justification being that some elliptic curves > operate on fields that are too large, even for SHA-512 (e.g. NIST P-521), > and naive attempts at extending the length of a hash may otherwise be > designed insecurely. > This does in fact seem better. I'll see if we can integrate it. > > If the function is specified as HKDF (which operates on bytes rather than > bits) there should be clarification as to which bits of the output are to > be used (e.g. the left-most bits output by HKDF). > > There should be some security recommendation as well, in terms of > selecting hash functions with security properties appropriately matched for > the security of the curve. > Agreed. We will add this missing information. > > > > *Comment 5: Clarification for supported curves*The draft indicates that > Simplified SWU works for all curves where: p == 3 % 4 > > However, the Koblitz curve secp256k1 has a p such that p == 3 % 4, yet it > does not seem to work with Simplified SWU. The problem is that it's "a" > coefficient is defined as zero. Thus it isn't possible to compute (-b / a) > which is required and used in the Simplified SWU method. Is there a means > around this? > Thanks for pointing this out. I'm not sure off hand and will investigate more. Thanks again for your very thorough feedback. I will circle back with you when the next revision is made. Best, Chris
- [Cfrg] Comments regarding draft-sullivan-cfrg-has… Jason Resch
- Re: [Cfrg] Comments regarding draft-sullivan-cfrg… David Núñez
- Re: [Cfrg] Comments regarding draft-sullivan-cfrg… Tony Arcieri
- Re: [Cfrg] Comments regarding draft-sullivan-cfrg… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Comments regarding draft-sullivan-cfrg… Christopher Wood
- Re: [Cfrg] Comments regarding draft-sullivan-cfrg… Christopher Wood
- Re: [Cfrg] Comments regarding draft-sullivan-cfrg… Jason Resch
- Re: [Cfrg] Comments regarding draft-sullivan-cfrg… Christopher Wood
- Re: [Cfrg] Comments regarding draft-sullivan-cfrg… Jason Resch