Re: [CFRG] please use real names (was: Re: Small subgroup question for draft-irtf-cfrg-hash-to-curve)

Soatok Dreamseeker <> Sun, 11 April 2021 15:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E06763A1137 for <>; Sun, 11 Apr 2021 08:36:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 30UyY_sMrxaw for <>; Sun, 11 Apr 2021 08:36:29 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A3E183A1136 for <>; Sun, 11 Apr 2021 08:36:29 -0700 (PDT)
Received: by with SMTP id j5so9381559wrn.4 for <>; Sun, 11 Apr 2021 08:36:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=kROwjR6fMWlvsqmcgRbbVWnfGsmA+iZSeKMS8RSKinY=; b=rS95gxfCIlLCfjlONZSLmTz+tcwJYu29Xf80SFZAsSvg0ppuIOb00aUkmVbwdci8Dm /1xoLVdTbjf/vXlXLcxKoE09D3u62BuH/UK8wdINdzxS+QySD7SFul81DNnJHIFghcvc bmxJi9kXAABzKycPy44fkbsMcrj78E97Ls7KxN9gAhbMltnYWf6eJUYpOjExeG5GJG7z M8vjYhAGi8WU12+wGzaGEcGIlVPUMqMdEZSpWkB7f3TDljR2hZWCopQj68pK9erwkYsW Wl8BRvivm8ge+53MndLDcKZHDulDzddVVSWr0ZVmcuI0tZcsGYz71DfKJ1XAnQZF3e/9 ueLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=kROwjR6fMWlvsqmcgRbbVWnfGsmA+iZSeKMS8RSKinY=; b=jSrFGLIatZZ3YaXUvaTsdirCZJOBOagR78kyj6HTMNT30hcQc6/NHHCDgc/ISyuYvp Tf2/KG1Glp/plNbWRfr5qElpVXSJKkrTsf7duPOas3bMpU7mlBlFatFJRqZ0w50kTsoo HSqLypYThiqcvMSdIXl5X56hVIIsRbmwCzwiADoksj3K4wW5hUQ58XCjGnqAWA+AQy8E knj6FQY77M4hzEaBBgvqzmH4Xl5IkE0oTR/U7eM+oP/4PzmcWkHfJMdcEEY92YEXGfIz cQTbNspj+XqliQ959rylYvvv8SMmu/huCYu3/Lsj/8r7fgYbXKd5Q6t64xSxqcJWpcnQ IKcw==
X-Gm-Message-State: AOAM531Y4agf2MrrXmtvNFn2RZg22Ypwaf7RpIuSZ7wgtRHf695Z/pOb x09f+zwp2XAvFmtvfAvOCrq5zuvWy/fjP00Zais=
X-Google-Smtp-Source: ABdhPJxi0uYrAFUmSv0suABALacO4IGJ2WR1lKKXOD8I3GXqs8mY7TmvynpOms6wLlftqMI8ZEfoHFWRhiUY4sgZXy4=
X-Received: by 2002:a5d:480a:: with SMTP id l10mr25374825wrq.261.1618155386337; Sun, 11 Apr 2021 08:36:26 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Soatok Dreamseeker <>
Date: Sun, 11 Apr 2021 11:36:15 -0400
Message-ID: <>
To: Mike Hamburg <>
Cc: Squeamish Ossifrage <>, "" <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [CFRG] please use real names (was: Re: Small subgroup question for draft-irtf-cfrg-hash-to-curve)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 11 Apr 2021 15:36:35 -0000

Hi Mike,

On Sun, Apr 11, 2021 at 10:56 AM Mike Hamburg <> wrote:
> > On Apr 11, 2021, at 10:52 AM, Soatok Dreamseeker <> wrote:
> > An additional observation.
> >
> > - AES has a 128-bit block size
> > - When you use 256-bit keys, there are about 2^128 different keys that
> > will map a single 128-bit plaintext block to a single 128-bit
> > ciphertext block
> >
> > However, I believe this probability of H=[0x000...000] is zero,
> > because the AES block cipher is a PRP and the input is [0x000...000],
> > and as far as I'm aware, there are no known (P, k) pairs for which
> > E_k(P) = P.
> Hi Soatok,
> This is not an expected property of a PRP: for a fully random permutation,
> we would expect about 1 element to map to itself in expectation for each key.
> The existence or non-existence of known pairs (P,k) where E_k(P)=P doesn’t
> rule out E being a PRP either way — e.g. it might be that there are no such
> pairs, or that with the key you can easily identify such a P — but for an ideal
> block cipher they would exist with overwhelming probability but would be very
> hard to find.

That's good to know. Thank you.

> > If AES were a PRF instead of a PRP, the risk calculus here would be
> > different. (But also, the 128-bit block size would need to be 256-bit
> > to reach the same security under birthday bound assumptions.)
> Also, IIRC AES-GCM has better bounds with a PRF than with a PRP, because
> you’d prefer the keystream to be uniformly random independent values instead
> of uniformly random unique values.  That is, going to a PRF would remove
> the birthday term in GCM’s analysis, though of course the PRF’s own security
> analysis might itself have a birthday term.  This is how the analysis proceeds
> for AES-GCM: note that any PRP is a PRF at the cost of a birthday term, and
> then do the analysis for a PRF.

Yes, but a 128-bit PRF has different security properties than a
128-bit PRP, and a 256-bit PRF would generally line up better with
most cryptography users' expectations here.

> > Regards,
> >
> > S. Dreamseeker <>
> My 2c on real names.  I think it’s preferable that we use real names if at all
> practical, for a few reasons:
> * Real names add a layer of professionalism that helps us not turn into
> Reddit.  Which, while an interesting place, is arguably less productive than
> CFRG, and is a safer space for e.g. racist jerks, because they can hide
> behind pseudonyms.
> * We need at least long-term pseudonyms to help remember, or even
> research, who is making the which arguments.  Different people on these
> forums have different styles.
> * This body influences standards-setting organizations, so it may be
> useful for legal reasons to keep track of who is sending in ideas (to
> prevent, e.g., patent shenanigans).
> There are legitimate reasons that someone might prefer a pseudonym.
> Simply having a long-term handle isn’t a good enough reason, because
> you could always sign as "Mike Hamburg (bitwiseshiftleft)” or similar.  And
> we can’t keep people from coming up with a fake “real name”.  So I would
> be happy with leaving this as a strong suggestion, rather than an absolute
> policy.
> Regards,
> — Mike

Your proposal is reasonable.

Frankly, I was surprised to hear these arguments take place on a
cryptography forum, where anonymity experts are more plentiful than in
a random sample of the rest of the Internet.

Briefly: The risk of anonymity towards misbehavior is not because of
anonymity itself, but the removal of social consequences. As you
touched upon, long-term pseudonyms are preferable in forums where
reputation matters to one-time or short-lived pseudonyms.

Most of the participants on this forum do not know who Soatok is in
the government's perspective, nor would you be expected to care about
that. However, I do blog as Soatok, and my blog touches on
cryptography a lot. Additionally, I have open source cryptography
libraries (primarily written JS and PHP) on Github under this name.
You could say that my long-term pseudonym has "skin in the game".

Thus, my proposal is simply to include a preference for long-term
pseudonyms over short-term pseudonyms within the "strong suggestion"
that Mike proposed.