IETF Logo Mail Archive

Re: [Cfrg] Adoption request: draft-hdevalence-cfrg-ristretto

"Riad S. Wahby" <rsw@jfet.org> Thu, 25 July 2019 02:10 UTC

Return-Path: <rswatjfet.org@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 301C11200B9 for <cfrg@ietfa.amsl.com>; Wed, 24 Jul 2019 19:10:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.558
X-Spam-Level:
X-Spam-Status: No, score=-1.558 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.091, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l92T-wjqZuJH for <cfrg@ietfa.amsl.com>; Wed, 24 Jul 2019 19:10:32 -0700 (PDT)
Received: from mail-pg1-f182.google.com (mail-pg1-f182.google.com [209.85.215.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A13D9120059 for <cfrg@irtf.org>; Wed, 24 Jul 2019 19:10:32 -0700 (PDT)
Received: by mail-pg1-f182.google.com with SMTP id k189so3111260pgk.13 for <cfrg@irtf.org>; Wed, 24 Jul 2019 19:10:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=sokUoanYIQxvvZb7yYqLc2g9umcLXN0dDqKjizLj2Es=; b=B+gQYpUaHtLdvA1Lq0OMCXCSqzn46Q0LDaKvjnXorJeuEGhyuo+LOnlOuQpIKWcRjR sLFxmN1lYT5qUj5MCtmI3sipPPongwUhY4xLwApdqZJNBHw1L4971xUkXRA0LAP07dcy /1JV4WYnf7lbmWAmLqgW1eLcPdk9Cf9eISSVGR/jf0H8rK1dCexergCFe/skZl04E6er euElxUSKJK0tyvaIHQLZdhBaqE9crldxy7LyJupfSpuTp305Fe2O5A42Bqk6TwCLuuqq h8bOypL5E/loxd/HXlqqMNLbim4cIzRH7jznHwUEWGv0tikuQo7AKCMnEAxICSR2DO5b f4rA==
X-Gm-Message-State: APjAAAU0RJnXGx7R/h2Lq8BrvBGluRkt85KfqsEE2x7SaGasom9VByop 5axgCwKHYLDTpQvajh1OhV0baEam
X-Google-Smtp-Source: APXvYqxa/fLKTp1/4Pi08Sl3hyxCw2/NutBNAcG2xoUp/egGWre/2BWc/sDInBJFIMfNo6aVKjbGPw==
X-Received: by 2002:a17:90a:eb04:: with SMTP id j4mr86775420pjz.103.1564020631112; Wed, 24 Jul 2019 19:10:31 -0700 (PDT)
Received: from localhost (positron.stanford.edu. [171.67.76.114]) by smtp.gmail.com with ESMTPSA id v22sm45593176pgk.69.2019.07.24.19.10.29 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 24 Jul 2019 19:10:30 -0700 (PDT)
Date: Wed, 24 Jul 2019 19:10:29 -0700
From: "Riad S. Wahby" <rsw@jfet.org>
To: Filippo Valsorda <filippo@ml.filippo.io>
Cc: Jeff Burdges <jeff@web3.foundation>, draft-hdevalence-cfrg-ristretto@ietf.org, cfrg@irtf.org
Message-ID: <20190725021029.mmw7yt6rcklqwlqz@positron.jfet.org>
References: <a505c99b-32a9-447a-9c69-a8efe3ed1b70@www.fastmail.com> <0370cd6b-adf3-4be2-9ab4-79693b9dc096@www.fastmail.com> <B7F73174-29F0-4B83-8AC0-A7D42D372D4A@inf.ethz.ch> <075d43b1-e123-42a9-ccd9-64fe45306f8b@web3.foundation> <20190724212030.ddcswlg5uxm3muzo@positron.jfet.org> <CAPC=aNVCV2cn62rhQsu+RsJsdjt2Dqqw_rqooLsuc8J5v9s3kQ@mail.gmail.com> <16485892-168c-a7ca-ba8c-94f7ce5c0e8e@web3.foundation> <20190725010945.h2c3pa6k6cqlogqg@positron.jfet.org> <1d2252da-95b1-44fb-b9d5-9dd7f9c5bc54@www.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1d2252da-95b1-44fb-b9d5-9dd7f9c5bc54@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/uy4SDVplIiCk_4mxgYriA3wmYFQ>
Subject: Re: [Cfrg] Adoption request: draft-hdevalence-cfrg-ristretto
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 02:10:34 -0000

Filippo Valsorda <filippo@ml.filippo.io> wrote:
>     DECODE -> map -> (something) -> reverse_map -> ENCODE
> 
> This chain that you describe, if done correctly, would in fact be just
> an alternative implementation of ristretto255, as it operates entirely
> within the realm of internal representatives.

Sweet! I think I'm starting to get it...

In this case, let's be clear that we're talking about DECODE and ENCODE
as defined in Section 3, i.e., working on edwards25519 points as the
"internal representation."

>     ENCODE -> map -> (something) -> reverse_map -> DECODE
> 
> This, correct me if I'm wrong, is an example of the kind of map Jeff
> is talking about: something that takes abstract ristretto255 elements
> (which might be implemented with something else than edwards25519) and
> maps them to edwards25519 points (NOT internal representatives).

Sorry, I don't understand this. edwards25519 points *are* valid
internal representations.

(I fully understand that munging the bitstring that comes out of
ENCODE is crazy and not allowedt, though!)

>     edwards25519 point -> (something) -> reverse_map -> ENCODE
> 
>     DECODE -> map -> edwards25519 point -> (something)

Wait, what is the type signature of reverse_map? ENCODE takes an
edwards25519 point (again, per Section 3), so to me this looks like
a type error, in which case I fully agree this can't return anything
intelligible.

> An example of this is draft-irtf-cfrg-voprf-01 defining its own map to
> ristretto255 internal representatives.

As the Ristretto draft is currently written, that appears to be true
(or, at least, if it's false, it's only by chance).

(Not to muddy the waters, but for the record I'm strongly hoping
that the next Ristretto draft will replace its specification of
FROM_UNIFORM_BYTES with edwards25519-SHA256-EDELL2-RO. There's
no reason for Ristretto to be incompatible with hash-to-curve.
But let's worry about other issues first.)

-=rsw

v2.23.0 | Report a Bug | By Email