Re: [Cfrg] Recommended bit length before truncating a hash mod p
David Núñez <david@nucypher.com> Fri, 22 March 2019 10:12 UTC
Return-Path: <david@nucypher.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AD94126C01 for <cfrg@ietfa.amsl.com>; Fri, 22 Mar 2019 03:12:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.02
X-Spam-Level:
X-Spam-Status: No, score=-1.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nucypher.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kCgo_wT5Pae7 for <cfrg@ietfa.amsl.com>; Fri, 22 Mar 2019 03:12:38 -0700 (PDT)
Received: from mail-wm1-x32a.google.com (mail-wm1-x32a.google.com [IPv6:2a00:1450:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C50D130ED8 for <cfrg@irtf.org>; Fri, 22 Mar 2019 03:12:38 -0700 (PDT)
Received: by mail-wm1-x32a.google.com with SMTP id a188so1544181wmf.3 for <cfrg@irtf.org>; Fri, 22 Mar 2019 03:12:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nucypher.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=SldaXHwFRKgRGlXsj7nuOj+J3PFb50p1jYtEYSqvzBE=; b=XI7fy3SmHhXug00+g4PI6dp+uio9wVAdi69Ayw1jyKXDpb4vpUXuo+qOoYLMT2/RVV eNku8Bh74ffl+VH3rMljIEBAKlQTx14ycbU3fdEtQDd69odSd4l74o4bbBYyf6SERKwY coUpygHU7YpDI5WlsWCntrz3IIdYzrPGiPaOI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=SldaXHwFRKgRGlXsj7nuOj+J3PFb50p1jYtEYSqvzBE=; b=ddBavir8knXKQDl4Qge8r080b5GVn5k8+ZQTQ+u+ybNi3gZzrt6mDC38IcuIBkjKtQ vJK4UqRUDzORR2S5RNVO04pD4H/TBUjtLBLvBgiiWqcuubSnF4kjzggPh3de/7JpxUFv jd7sTkVW074wk3RPk4ZsWNiNVOjRU+YXFfhOprCNqYPwb+2KQNzxeF22hf/Xwr3+o/v/ +nnbULUxJzACGa8G+pn5QiFl4t6eakJFCqyGKiYRNgYXhFt8dkPjLS0SsV8z744a8BDu 3UlCZ3lvYOTuRiULpdUqA1Pz34opguA+P2UXHP0VR7rZI2pGLqBq+FKWDSP+HyUsa6KU ivmA==
X-Gm-Message-State: APjAAAXcaiPHQhxUQP7vltit2xd+nkWaYhHlU1Lgj61DKytGbZN7aMlZ CWJVY9SuNmMabyE4+91AyQWEgHKhdS/b4UMdeDFyhEp7dQQ=
X-Google-Smtp-Source: APXvYqy3KxvFamF8fe/qTd8VTjOlHFEJRYzSeA39If+EVQPmFRTPfSelH579rxotyxxG82psddqyNqGrLLMT638tN7Q=
X-Received: by 2002:a1c:f111:: with SMTP id p17mr2424835wmh.147.1553249556536; Fri, 22 Mar 2019 03:12:36 -0700 (PDT)
MIME-Version: 1.0
References: <mailman.3617.1553248218.6143.cfrg@irtf.org>
In-Reply-To: <mailman.3617.1553248218.6143.cfrg@irtf.org>
From: David Núñez <david@nucypher.com>
Date: Fri, 22 Mar 2019 11:12:25 +0100
Message-ID: <CALNOPK+SmbcVHz49D1ZUV8cdq81YEUn5Xrmn4kB3dftrV7Ygbg@mail.gmail.com>
To: cfrg@irtf.org, christopherwood07@gmail.com, madalier@antarateknik.com
Content-Type: multipart/alternative; boundary="00000000000010b0cd0584ac1825"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/wM4s4G88hBD6z3JvgD0Vwbbb_-c>
Subject: Re: [Cfrg] Recommended bit length before truncating a hash mod p
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2019 10:12:42 -0000
Hi Christopher, for this exact problem, we follow the approach described by Mehmet: Hash512(x) = Hash256(0||x) || Hash256(1||x) This way we can take up to 512 bits using a 256-bit hash function. You can find an example implementation of this (for Keccak256) here: https://github.com/nucypher/pyUmbral/blob/master/umbral/random_oracles.py#L84 Regards, David > ---------- Forwarded message ---------- > From: Mehmet Adalier <madalier@antarateknik.com> > To: Christopher Wood <christopherwood07@gmail.com>, <cfrg@irtf.org> > Cc: > Bcc: > Date: Thu, 21 Mar 2019 19:11:47 -0700 > Subject: Re: [Cfrg] Recommended bit length before truncating a hash mod p > Would this work? > > 1) generate two hashes with two different x values, > 2) concatenate the two outputs > 3) take however many high order bits you need (with at least 64 additional > bits per spec) > > In our regular P256 implementation we use a 512-bit value before we > perform reduction. > > mA > > On 3/21/19, 6:20 PM, "Cfrg on behalf of Christopher Wood" < > cfrg-bounces@irtf.org on behalf of christopherwood07@gmail.com> wrote: > > Hi folks, > > In draft-irtf-cfrg-hash-to-curve, we define a utility function called > `hash2base` as follows [1]: > > ~~~ > hash2base(x). This method is parametrized by p and H, where p is the > prime order of the base field Fp, and H is a cryptographic hash > function which outputs at least floor(log2(p)) + 1 bits. The function > first hashes x, converts the result to an integer, and reduces modulo > p to give an element of Fp. We provide a more detailed algorithm in > Appendix C.7. > ~~~ > > Some existing standards [2] recommend taking at least log2(p) + 64 > bits “so that bias produced by the mod function … is negligible.” If > we were to follow this guidance for hash2curve, we’d lose out on > several ciphersuite combinations, such as P-256 and Curve25519 with > SHA256. > > So, our question to the group is, how many extra bits are necessary? > > Thanks, > Chris > > [1] > https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-03#section-4 > [2] > https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > >
- [Cfrg] Recommended bit length before truncating a… Christopher Wood
- Re: [Cfrg] Recommended bit length before truncati… Mehmet Adalier
- Re: [Cfrg] Recommended bit length before truncati… David Núñez
- Re: [Cfrg] Recommended bit length before truncati… Markku-Juhani Olavi Saarinen
- Re: [Cfrg] Recommended bit length before truncati… David Núñez
- Re: [Cfrg] Recommended bit length before truncati… Gilles Van Assche
- Re: [Cfrg] Recommended bit length before truncati… Sam Scott
- Re: [Cfrg] Recommended bit length before truncati… Markku-Juhani Olavi Saarinen
- Re: [Cfrg] Recommended bit length before truncati… Dan Brown
- Re: [Cfrg] Recommended bit length before truncati… Michele Orrù
- Re: [Cfrg] Recommended bit length before truncati… Ilari Liusvaara
- Re: [Cfrg] Recommended bit length before truncati… Michele Orrù
- Re: [Cfrg] Recommended bit length before truncati… Michele Orrù
- Re: [Cfrg] Recommended bit length before truncati… Michele Orrù