Re: [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-curve-04.txt

Armando Faz <armfazh@cloudflare.com> Mon, 22 July 2019 18:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/wb_4adui8KnsaKaK6_dAH5jPQqc>

Revisiting Ulas' paper [1], Theorem 2.3 proposes two methods:
 - one for Weierstrass curves of the form: y^2 = x^n+ax+b, which includes almost all elliptic curves except those with a=0 or b=0.
 - and another one for curves of the form: y^2 = x^n+ax^2+bx, which includes Montgomery curves except those with a=0 or b=0.

Although there exist faster methods for hashing (e.g. the simplified SWU,
Icart's, and Elligator2), the SWU method has the advantage of supporting
more curves at the cost of evaluating several expensive operations.

Example 1: Hashing methods for the P-256 curve: simplified SWU and SWU.
Example 2: Hashing methods for Curve448: Elligator2 and SWU.

Hence, SWU can be used as a last resort in case one of the faster methods
cannot be applied.

[1] Ulas, Rational Points on Certain Hyperelliptic Curves over Finite
Fields.

-- 
Armando Faz
Cloudflare Inc.
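
As an added illustration (not part of the original message, nor code from the draft): a simplified SWU map over a toy prime field, checking that every output lands on the curve and that curves with a=0 or b=0 are rejected, since this map divides by a and collapses to a single x when b=0. The prime 23, the coefficients A = B = 1, and all function names are assumptions made for the example.

```python
# Toy parameters, constructed for illustration (not a standardized curve).
P = 23        # field prime; P % 4 == 3, so sqrt(v) = v^((P+1)/4) for square v
A, B = 1, 1   # curve y^2 = x^3 + A*x + B over GF(P)

def g(x, a, b, p):
    """Right-hand side of the curve equation."""
    return (x * x * x + a * x + b) % p

def is_square(v, p):
    """Euler's criterion; 0 counts as a square."""
    return pow(v, (p - 1) // 2, p) in (0, 1)

def inv0(v, p):
    """Modular inverse by Fermat's little theorem, with inv0(0) = 0."""
    return pow(v, p - 2, p)

def find_z(a=A, b=B, p=P):
    """Smallest non-square Z != -1 such that g(b / (Z*a)) is a square."""
    for z in range(2, p - 1):
        if not is_square(z, p) and is_square(g(b * inv0(z * a, p) % p, a, b, p), p):
            return z
    raise ValueError("no suitable Z for this curve")

def map_to_curve_simple_swu(u, a=A, b=B, p=P):
    """Map a field element u to a point (x, y) on y^2 = x^3 + a*x + b."""
    if a % p == 0 or b % p == 0:
        # x1 below divides by a, and b = 0 collapses x1 to 0 for every u.
        raise ValueError("simplified SWU needs a != 0 and b != 0")
    z, u = find_z(a, b, p), u % p
    tv1 = inv0((z * z * pow(u, 4, p) + z * u * u) % p, p)
    x1 = (-b * inv0(a, p) * (1 + tv1)) % p
    if tv1 == 0:                       # exceptional inputs, e.g. u = 0
        x1 = b * inv0(z * a % p, p) % p
    gx1 = g(x1, a, b, p)
    x2 = z * u * u * x1 % p            # then g(x2) = Z^3 * u^6 * g(x1)
    gx2 = g(x2, a, b, p)
    # Z non-square (and g(b/(Z*a)) square) guarantees gx1 or gx2 is a square.
    x, gx = (x1, gx1) if is_square(gx1, p) else (x2, gx2)
    y = pow(gx, (p + 1) // 4, p)
    if u % 2 != y % 2:                 # pick the sign of y from the parity of u
        y = (-y) % p
    return x, y

def on_curve(x, y, a=A, b=B, p=P):
    return (y * y - g(x, a, b, p)) % p == 0

if __name__ == "__main__":
    for u in range(P):
        print(u, map_to_curve_simple_swu(u))
```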