IETF Logo Mail Archive

Re: [Cfrg] Comments regarding draft-sullivan-cfrg-hash-to-curve

Christopher Wood <christopherwood07@gmail.com> Mon, 26 March 2018 13:46 UTC

Return-Path: <christopherwood07@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DB0C127419 for <cfrg@ietfa.amsl.com>; Mon, 26 Mar 2018 06:46:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cvle1J7KgJ7r for <cfrg@ietfa.amsl.com>; Mon, 26 Mar 2018 06:45:59 -0700 (PDT)
Received: from mail-yw0-x236.google.com (mail-yw0-x236.google.com [IPv6:2607:f8b0:4002:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D0531275AB for <cfrg@irtf.org>; Mon, 26 Mar 2018 06:45:59 -0700 (PDT)
Received: by mail-yw0-x236.google.com with SMTP id y23so6136859ywy.4 for <cfrg@irtf.org>; Mon, 26 Mar 2018 06:45:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CnxhrG10d70GFDiclWRPyjaByFc3W0b2WbNCZTBuK64=; b=SoI0SMS2XUp5SXDeS5697JcVBNNhJLgq/OgaGKN3ihnDkH28CCuLkOOZu5xAsq2dTW ia0oVhMoC/eP8khk/tXKaY04/cIcaHmzYbUeEs+dgDwR9ZT8RyB1iSXBjbqZJ5AHlfnE bnSuXmFzoz0w0p/sDI56p+KjcVjkAc4m0LivVJePqT5ZZc7j48vBxwK6Vux5A+yFJOto RQ0HCQANXvUZluFWJamcUmgCax79IfTdn3e2/wXJk9lkU5iB0JANntoeUFXzM/1RQkfW IQhlRlXDePV6ttCxPEPte4BsBmV89n+/KCPKYJrUjhcvlYOJEYZrRuv/J+lZuU8WfI/H zD0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CnxhrG10d70GFDiclWRPyjaByFc3W0b2WbNCZTBuK64=; b=NiI0lHi8+842PrzvwTnEL73edxaqBcE3bj6bVF9EjyS8OelhBGGK6Dqlm0s7gA3om5 MpnwYI+xE2101pI8nJGj9Q7/7/q2MuYEkmHpXjBmP9K+9lGUSb5nyQPPcx13zVN+n+6k vC7E2iFfzx4p4+NKZdVGtcWUlJAYry4UHljFRytJHxhDQy4cVHu0J0dUVae4JNXlQkd1 Gp4KcNa5KDdfB6RvFQwI3lHRRVHEOuQiwIrFCrievtaz6blHZIa2i+HiKYnK5zDmUsRW SS/GnPAfSnhumRUUzl9lj9Js6mBNtcP/YXJKwcDVnIeJXlTnzf6/ehBcPMigYR1+h2eR itDw==
X-Gm-Message-State: AElRT7Es76RYQi7Lwped69bPo5htB0KlTxTgeZq3frdTl2Q5LYJQdlXJ ZOa49cVxICjmbPWSDUM3gzC2X0jPqKfzJ0aZMj4=
X-Google-Smtp-Source: AIpwx4983yMRdJQKg40AKGvbKT3SEfRzSFjFfb6/pdmP2FBY1qpaOhHzsfHfSGHlU0oIOuAguYOHfq7a5wesMzJO2LQ=
X-Received: by 10.13.196.196 with SMTP id g187mr896380ywd.119.1522071957922; Mon, 26 Mar 2018 06:45:57 -0700 (PDT)
MIME-Version: 1.0
References: <OF6FFC9F11.340C9F5B-ON00258255.0080017E-00258256.0002E0C9@notes.na.collabserv.com>
In-Reply-To: <OF6FFC9F11.340C9F5B-ON00258255.0080017E-00258256.0002E0C9@notes.na.collabserv.com>
From: Christopher Wood <christopherwood07@gmail.com>
Date: Mon, 26 Mar 2018 13:45:47 +0000
Message-ID: <CAO8oSXnxS4Ea89A3Yq46sPk2f8iYqiEsFwNALqAfb+2951NBsA@mail.gmail.com>
To: jresch@us.ibm.com
Cc: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="001a114d5f065fe9fa056850fe1b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/uBJr0VKIRhQMtEL-gjzca5ALYlU>
Subject: Re: [Cfrg] Comments regarding draft-sullivan-cfrg-hash-to-curve
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 13:46:01 -0000

Hi Jason,

Thanks for the review and feedback. Please see inline below for comments.

On Mon, Mar 19, 2018 at 5:35 PM Jason Resch <jresch@us.ibm.com> wrote:

> *Comment 1: Algorithm Recommendations Table*
>
> Is there any reason not to include recommendations be made for other
> common curves, such as NIST P-521, Curve1174, or Koblitz curves such as
> secp256k1?
>

No. We didn't have an immediate use for them. That said, we should be
inclusive to all curves and provide appropriate recommendations. I filed:

https://github.com/chris-wood/draft-sullivan-cfrg-hash-to-curve/issues/9


>
> *Comment 2: Icart vs. SWU Simplified*
>
> Both of these are listed as having performance of "O(log^3 q)". Given
> this, is there a significant advantage to using Icart for P-384?
> Implementation simplicity might motivate using SWU Simplified for all
> curves, for example, as opposed to special casing NIST P-384.
>

That may well be the case. We are still working on the analysis and cost
comparison. I suspect we will prune the list of algorithms specified (in
the main body) in the future. If and when that happens, we may move all
other algorithms to the appendix.


>
> *Comment 3: Algorithm description of SWU Simplified*
>
> I did not understand this line:
>
> "5. Output (-g * alpha) * (g * beta)"
>
> - g was not defined here, except above as a function of x, but here it is
> being used in a multiplication.
> - g might be confused with the generator point for the curve
> - The output should be in the form of a point with coordinates x and y,
> should it not?
>

This is a bug in that description. I'll clean this up in the next revision.


>
> Steps "19" and "20" use "//" presumably to denote division, but "//" is
> also used later to represent comments.  Is there any difference here
> between "//" and "/"?
> Would it be clearer to represent these divisions as multiplications of the
> multiplicative inverse computed over p?
>

Good point. There is no difference as written. I will clarify this notation.


>
> Step "21" indicates an equality comparison.  Unless implemented specially,
> these could lead to side-channel attacks as an equality check of equal
> values takes longer than one where the values are unequal. It might be more
> secure to separately compute both comparisons, i.e. also compute "e_2 = (y2
> ^ 2 == h3)" as a mitigation strategy or alternative to implementing
> constant time equality checks, which might not be readily available in
> different BigInteger libraries/languages.
>

Another good point. I will make sure these are written to be constant-time
comparisons.


>
> *Comment 4: Definition of HashToBase*
>
> An example is given that this can be any cryptographic hash function, such
> as SHA-256.  However, I think it would be better if this is defined as a
> method supporting variable length outputs.  For example, HKDF (Hmac Key
> Derivation Function).  The justification being that some elliptic curves
> operate on fields that are too large, even for SHA-512 (e.g. NIST P-521),
> and naive attempts at extending the length of a hash may otherwise be
> designed insecurely.
>

This does in fact seem better. I'll see if we can integrate it.


>
> If the function is specified as HKDF (which operates on bytes rather than
> bits) there should be clarification as to which bits of the output are to
> be used (e.g. the left-most bits output by HKDF).
>
> There should be some security recommendation as well, in terms of
> selecting hash functions with security properties appropriately matched for
> the security of the curve.
>

Agreed. We will add this missing information.


>
>
>
> *Comment 5: Clarification for supported curves*The draft indicates that
> Simplified SWU works for all curves where: p == 3 % 4
>
> However, the Koblitz curve secp256k1 has a p such that p == 3 % 4, yet it
> does not seem to work with Simplified SWU. The problem is that it's "a"
> coefficient is defined as zero. Thus it isn't possible to compute (-b / a)
> which is required and used in the Simplified SWU method.  Is there a means
> around this?
>

Thanks for pointing this out. I'm not sure off hand and will investigate
more.

Thanks again for your very thorough feedback. I will circle back with you
when the next revision is made.

Best,
Chris

v2.23.0 | Report a Bug | By Email