Re: [CFRG] please use real names (was: Re: Small subgroup question for draft-irtf-cfrg-hash-to-curve)
Soatok Dreamseeker <soatok.dhole@gmail.com> Sun, 11 April 2021 15:36 UTC
Return-Path: <soatok.dhole@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E06763A1137 for <cfrg@ietfa.amsl.com>; Sun, 11 Apr 2021 08:36:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 30UyY_sMrxaw for <cfrg@ietfa.amsl.com>; Sun, 11 Apr 2021 08:36:29 -0700 (PDT)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3E183A1136 for <cfrg@irtf.org>; Sun, 11 Apr 2021 08:36:29 -0700 (PDT)
Received: by mail-wr1-x42a.google.com with SMTP id j5so9381559wrn.4 for <cfrg@irtf.org>; Sun, 11 Apr 2021 08:36:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=kROwjR6fMWlvsqmcgRbbVWnfGsmA+iZSeKMS8RSKinY=; b=rS95gxfCIlLCfjlONZSLmTz+tcwJYu29Xf80SFZAsSvg0ppuIOb00aUkmVbwdci8Dm /1xoLVdTbjf/vXlXLcxKoE09D3u62BuH/UK8wdINdzxS+QySD7SFul81DNnJHIFghcvc bmxJi9kXAABzKycPy44fkbsMcrj78E97Ls7KxN9gAhbMltnYWf6eJUYpOjExeG5GJG7z M8vjYhAGi8WU12+wGzaGEcGIlVPUMqMdEZSpWkB7f3TDljR2hZWCopQj68pK9erwkYsW Wl8BRvivm8ge+53MndLDcKZHDulDzddVVSWr0ZVmcuI0tZcsGYz71DfKJ1XAnQZF3e/9 ueLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=kROwjR6fMWlvsqmcgRbbVWnfGsmA+iZSeKMS8RSKinY=; b=jSrFGLIatZZ3YaXUvaTsdirCZJOBOagR78kyj6HTMNT30hcQc6/NHHCDgc/ISyuYvp Tf2/KG1Glp/plNbWRfr5qElpVXSJKkrTsf7duPOas3bMpU7mlBlFatFJRqZ0w50kTsoo HSqLypYThiqcvMSdIXl5X56hVIIsRbmwCzwiADoksj3K4wW5hUQ58XCjGnqAWA+AQy8E knj6FQY77M4hzEaBBgvqzmH4Xl5IkE0oTR/U7eM+oP/4PzmcWkHfJMdcEEY92YEXGfIz cQTbNspj+XqliQ959rylYvvv8SMmu/huCYu3/Lsj/8r7fgYbXKd5Q6t64xSxqcJWpcnQ IKcw==
X-Gm-Message-State: AOAM531Y4agf2MrrXmtvNFn2RZg22Ypwaf7RpIuSZ7wgtRHf695Z/pOb x09f+zwp2XAvFmtvfAvOCrq5zuvWy/fjP00Zais=
X-Google-Smtp-Source: ABdhPJxi0uYrAFUmSv0suABALacO4IGJ2WR1lKKXOD8I3GXqs8mY7TmvynpOms6wLlftqMI8ZEfoHFWRhiUY4sgZXy4=
X-Received: by 2002:a5d:480a:: with SMTP id l10mr25374825wrq.261.1618155386337; Sun, 11 Apr 2021 08:36:26 -0700 (PDT)
MIME-Version: 1.0
References: <5kNv_5tUGSftaikmVD_WOJNEXwJjdLV07YODBNFunXGvBKKTOJ2ytxrCKgsj9OgNK3fB_ofUTv7pYbKO-akAqXmhszP0-eYfzj8B6lCRuwg=@protonmail.com> <CAOvwWh2V6ds67BxzQjakXpsuFuJhhg-GOuiDfY5rqubqZVM0Fg@mail.gmail.com> <B007B163-3A5F-43E3-AD2A-81500BF8CB58@shiftleft.org>
In-Reply-To: <B007B163-3A5F-43E3-AD2A-81500BF8CB58@shiftleft.org>
From: Soatok Dreamseeker <soatok.dhole@gmail.com>
Date: Sun, 11 Apr 2021 11:36:15 -0400
Message-ID: <CAOvwWh3iYwUxMw57165P7QOS-NgKfi90Tbsqz_r2U02-5se3kA@mail.gmail.com>
To: Mike Hamburg <mike@shiftleft.org>
Cc: Squeamish Ossifrage <squeamishossifrage.se@protonmail.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vOj5aDbXKjB__4bGCBc6RHXwYCk>
Subject: Re: [CFRG] please use real names (was: Re: Small subgroup question for draft-irtf-cfrg-hash-to-curve)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Apr 2021 15:36:35 -0000
Hi Mike, On Sun, Apr 11, 2021 at 10:56 AM Mike Hamburg <mike@shiftleft.org> wrote: > > > > > On Apr 11, 2021, at 10:52 AM, Soatok Dreamseeker <soatok.dhole@gmail.com> wrote: > > An additional observation. > > > > - AES has a 128-bit block size > > - When you use 256-bit keys, there are about 2^128 different keys that > > will map a single 128-bit plaintext block to a single 128-bit > > ciphertext block > > > > However, I believe this probability of H=[0x000...000] is zero, > > because the AES block cipher is a PRP and the input is [0x000...000], > > and as far as I'm aware, there are no known (P, k) pairs for which > > E_k(P) = P. > > Hi Soatok, > > This is not an expected property of a PRP: for a fully random permutation, > we would expect about 1 element to map to itself in expectation for each key. > The existence or non-existence of known pairs (P,k) where E_k(P)=P doesn’t > rule out E being a PRP either way — e.g. it might be that there are no such > pairs, or that with the key you can easily identify such a P — but for an ideal > block cipher they would exist with overwhelming probability but would be very > hard to find. That's good to know. Thank you. > > If AES were a PRF instead of a PRP, the risk calculus here would be > > different. (But also, the 128-bit block size would need to be 256-bit > > to reach the same security under birthday bound assumptions.) > > Also, IIRC AES-GCM has better bounds with a PRF than with a PRP, because > you’d prefer the keystream to be uniformly random independent values instead > of uniformly random unique values. That is, going to a PRF would remove > the birthday term in GCM’s analysis, though of course the PRF’s own security > analysis might itself have a birthday term. This is how the analysis proceeds > for AES-GCM: note that any PRP is a PRF at the cost of a birthday term, and > then do the analysis for a PRF. Yes, but a 128-bit PRF has different security properties than a 128-bit PRP, and a 256-bit PRF would generally line up better with most cryptography users' expectations here. > > Regards, > > > > S. Dreamseeker <https://soatok.blog> > > My 2c on real names. I think it’s preferable that we use real names if at all > practical, for a few reasons: > > * Real names add a layer of professionalism that helps us not turn into > Reddit. Which, while an interesting place, is arguably less productive than > CFRG, and is a safer space for e.g. racist jerks, because they can hide > behind pseudonyms. > > * We need at least long-term pseudonyms to help remember, or even > research, who is making the which arguments. Different people on these > forums have different styles. > > * This body influences standards-setting organizations, so it may be > useful for legal reasons to keep track of who is sending in ideas (to > prevent, e.g., patent shenanigans). > > There are legitimate reasons that someone might prefer a pseudonym. > Simply having a long-term handle isn’t a good enough reason, because > you could always sign as "Mike Hamburg (bitwiseshiftleft)” or similar. And > we can’t keep people from coming up with a fake “real name”. So I would > be happy with leaving this as a strong suggestion, rather than an absolute > policy. > > Regards, > — Mike Your proposal is reasonable. Frankly, I was surprised to hear these arguments take place on a cryptography forum, where anonymity experts are more plentiful than in a random sample of the rest of the Internet. Briefly: The risk of anonymity towards misbehavior is not because of anonymity itself, but the removal of social consequences. As you touched upon, long-term pseudonyms are preferable in forums where reputation matters to one-time or short-lived pseudonyms. Most of the participants on this forum do not know who Soatok is in the government's perspective, nor would you be expected to care about that. However, I do blog as Soatok, and my blog touches on cryptography a lot. Additionally, I have open source cryptography libraries (primarily written JS and PHP) on Github under this name. You could say that my long-term pseudonym has "skin in the game". Thus, my proposal is simply to include a preference for long-term pseudonyms over short-term pseudonyms within the "strong suggestion" that Mike proposed.
- [CFRG] Comment on draft-irtf-cfrg-hash-to-curve-10 Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Christopher Wood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Stanislav V. Smyshlyaev
- [CFRG] Small subgroup question for draft-irtf-cfr… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Russ Housley
- Re: [CFRG] Small subgroup question for draft-irtf… Richard Outerbridge
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Armando Faz
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- Re: [CFRG] Small subgroup question for draft-irtf… Björn Haase
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- [CFRG] please use real names (was: Re: Small subg… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Hugo Krawczyk
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Watson Ladd
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Watson Ladd
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Riad S. Wahby
- Re: [CFRG] please use real names (was: Re: Small … Filippo Valsorda
- Re: [CFRG] please use real names (was: Re: Small … Scott Arciszewski
- Re: [CFRG] please use real names (was: Re: Small … Daniel Franke
- Re: [CFRG] please use real names (was: Re: Small … Watson Ladd
- Re: [CFRG] please use real names (was: Re: Small … Michael StJohns
- Re: [CFRG] please use real names (was: Re: Small … Henry de Valence
- Re: [CFRG] please use real names (was: Re: Small … Dan Harkins
- Re: [CFRG] Small subgroup question for draft-irtf… Hugo Krawczyk
- Re: [CFRG] please use real names (was: Re: Small … Peter Gutmann
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Squeamish Ossifrage
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Small subgroup question for draft-irtf… Stanislav V. Smyshlyaev
- Re: [CFRG] Small subgroup question for draft-irtf… Björn Haase
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Daniel Franke
- Re: [CFRG] please use real names (was: Re: Small … Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Colin Perkins
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] please use real names (was: Re: Small … Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Michael StJohns
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Michael Sierchio
- [CFRG] Closure (was Re: Small subgroup question f… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Phillip Hallam-Baker
- Re: [CFRG] please use real names (was: Re: Small … Peter Gutmann
- Re: [CFRG] please use real names (was: Re: Small … David Jacobson
- Re: [CFRG] please use real names (was: Re: Small … Julia Hesse
- Re: [CFRG] Closure (was Re: Small subgroup questi… Armando Faz
- Re: [CFRG] Closure (was Re: Small subgroup questi… Hao, Feng
- Re: [CFRG] Closure (was Re: Small subgroup questi… Mike Hamburg
- Re: [CFRG] thoughts on clearing the cofactor in h… Loup Vaillant-David
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Stanislav V. Smyshlyaev
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Riad S. Wahby
- [CFRG] (suggested language re mixing square roots… Rene Struik
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Loup Vaillant-David
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] (suggested language re mixing square r… Daira Hopwood
- Re: [CFRG] (suggested language re mixing square r… Rene Struik
- Re: [CFRG] please use real names (was: Re: Small … isis agora lovecruft