Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve

Rene Struik <> Sat, 10 April 2021 20:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C543A3A19A3 for <>; Sat, 10 Apr 2021 13:05:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4R6TJVmgJoVl for <>; Sat, 10 Apr 2021 13:05:18 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::f31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 976863A19A5 for <>; Sat, 10 Apr 2021 13:05:18 -0700 (PDT)
Received: by with SMTP id x27so4416171qvd.2 for <>; Sat, 10 Apr 2021 13:05:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=to:cc:references:from:subject:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=7+IjSrVOJnvpK/+IzoyVlmbpS/x/Sjx+Lyg/CD3IrCY=; b=ln9vn2tTUa4YI/evMUCxFe6ji72fKMQasajmsWaLtCZ+gcyo7pTCWloltdZO+avTNC nZAT1fivMn0KkWnaKvmUS3WyS7/AOOh6ySCEnHAj9qY3JYzm3IPG9m7C2RQR0a3Dlt9E MZnESln7MpQJpLVRaBp9yJZHt/L614uzoRXfwnbzZy52uOM5RfZwFejZKBKeJExn0el/ IRILXi7U+ni17TI9kIuN9Lskw/s6/IfQpvO97b40azvnpBfo+v5vuCkD/knUDV9YVFoR Xwk9dMgbji7YFVws4gm5k17XzKOA0YgheCaPf7xtfk9ZhJ9Y7tRSWCz7pVdQQ+5iypJR cGJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:to:cc:references:from:subject:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=7+IjSrVOJnvpK/+IzoyVlmbpS/x/Sjx+Lyg/CD3IrCY=; b=VUB8HrznhrzWDjUl7A6XQW9QcLPnVNoNv9JWpZlEd0F6+rh2JMGjrJeCKsQF7D4IQK VeeHk8Qw7gD7zMSq/ucO5H8kfO01RfSsBj2RmUHNzO0gKZO9KZDtzkyvV0j+x7Gi+ngM WdNqT3wUszPBRcrhOYy7TT0SWVYKuz8gk0/lxL9Bw7vxtDJFzYp/TJ0dyUn+8yLXIaKl EYYO3I+v0FrVerjMIBoH3sOpP5aOIInozRy5c7g53/R58cf2ch9q/c5C61WPlgYM3FWH atsO6rajljWxLiYZII57+7iEITQB9FXxh0uyz1ywGpql/r6ciWqdjQrjBpZ26IvU4UIO 0gbQ==
X-Gm-Message-State: AOAM533dywhkr0oHZbV1TlRClgIV+S9gIhI9xEJwEIpL1p29oUJVjxIH VcUcpKcOfR1JY6HzQlAWj38=
X-Google-Smtp-Source: ABdhPJzLF5Za1wgfd/bK1QroPjntUrQJVCDiliteQXdymo4pyHObYDDyy3dEntKqkjbWt+EPkaHkYQ==
X-Received: by 2002:a0c:fc06:: with SMTP id z6mr20553861qvo.25.1618085115982; Sat, 10 Apr 2021 13:05:15 -0700 (PDT)
Received: from ?IPv6:2607:fea8:8a0:1397:d5ce:5162:99f4:1aa? ([2607:fea8:8a0:1397:d5ce:5162:99f4:1aa]) by with ESMTPSA id m25sm4560358qtq.59.2021. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 10 Apr 2021 13:05:15 -0700 (PDT)
To: Mike Hamburg <>
Cc: Hugo Krawczyk <>, CFRG <>, "Hao, Feng" <>
References: <> <> <> <> <trinity-f323065e-9f30-48fd-9ead-0865e8f877eb-1618002469856@3c-app-webde-bap03> <> <> <> <20210410151254.7ze5pt4lpvblhk3f@muon> <> <> <>
From: Rene Struik <>
Message-ID: <>
Date: Sat, 10 Apr 2021 16:05:11 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.9.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------9832BCCF9B3AA3FC9765A0CB"
Content-Language: en-US
Archived-At: <>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 10 Apr 2021 20:05:24 -0000

Hi Mike:

Arguments as to why something is implausible would not even be necessary 
if one could simply rule out specific corner cases by design. This is, 
to my understanding, the point Feng Hao tried to bring across (and a 
reason for me to weigh-in).

{heading back outside due to unseasonably warm weather of 22 oC right 
now in Toronto}

On 2021-04-10 3:09 p.m., Mike Hamburg wrote:
> Hi Rene,
> I’m not sure about specific PAKEs, but typically a password would be 
> hashed through a salted KDF construction like Argon2 or PBKDF2, and 
> some protocols include a nonce as well.  For honest users, this means 
> that (unless the hash is truly terrible, i.e. fails to roughly 
> preserve entropy) the identity will never be encountered, even if the 
> hash or map-to-curve is subtly backdoored.
> The argument breaks down if an active adversary can find a salt/nonce 
> such that hash(pw, salt) maps to the identity point for many passwords 
> pw.  This is unlikely to happen even if the hash is broken, because 
> the salt is typically short.  But even so, I’m not sure this is unique 
> to the identity element: at least if the client confirms first, then 
> the adversary just needs to find a salt such that dlog(hash(pw1, 
> salt), hash(pw2, salt)) is known — or better yet, such that dlog 
> relations are known for a large set of passwords — in order to break 
> SPEKE or CPace's security.
> Again, I’m sympathetic to the idea that returning the identity 
> complicates error handling.  At least for some protocols, we have to 
> forbid sending it to keep the protocol contributive (or for other 
> reasons), so the identity would cause an error, which might be the 
> only possible error in some code paths.  We could instead specify a 
> hash_to_curve that’s uniform over non-identity elements.  This could 
> be achieved by eg computing (1 + (hash1 mod p-1)) * cofactor * 
> map_to_curve(hash2), at least if you can keep low-order elements out 
> of map_to_curve(h2).  If a low-order element is an image, you could 
> use (1 + (hash1 mod p-1)) * cofactor * (map_to_curve(hash2) + Q), 
> where Q is the precomputed lexicographically least point such that no 
> low-order point is an image.
> This is slower, but if you’re going to scalarmul again anyway, then 
> you could fold the multiplies together so that the leading term costs 
> basically nothing.  Or, since most protocols don’t actually need 
> uniformity, just do the analysis and drop the leading term.
> But I don’t think this is convincing.  The counterargument 
is: uniform 
> maps to G are already analyzed, already implemented, simpler, and 
> preferable in some cases (again, at least for PAK), and the security 
> implications are pretty much negligible, and are likely to remain 
> negligible even if the hash is broken.  So it’s just not worth 
> re-doing at the map to curve level.  It’s easier to just say: if in 
> your protocol you don’t want the identity to come out of 
> hash_to_curve, then detect it and replace it with the generator.  Or 
> again, drop uniformity and use cofactor * (map_to_curve + Q).
> Cheers,
> — Mike
>> On Apr 10, 2021, at 2:51 PM, Rene Struik < 
>> <>> wrote:
>> Hi Hugo:
>> It would be of interest what the impact of a "broken" hash function 
>> in the hash to curve construction on the security of password based 
>> schemes would be. In the case of mappings that always yield a 
>> high-order point, the impact may not immediately be obvious, while 
>> with mappings that do not preclude low-order points this might show 
>> more readily, also to offline observers. This may be an interesting 
>> addition to security proof papers that now focus mostly on idealized 
>> functionality (such as random oracles).
>> As an aside, as I noted in my email of yesterday [1],  mappings that 
>> fix a particular image point for a specific input are trivial if the 
>> construction itself has "free variables" one could fix after the fact 
>> (e.g., pick delta such that delta*H("Hugo123")^2=t0), thereby 
>> yielding an immediate attack, irrespective of hash function 
>> functionality. See specific comment a) in [1].
>> All in all, it seems that guaranteeing that curve mappings would 
>> never yield low-order points seems prudent, esp. if it comes at 
>> roughly the same computational cost as ones that do not give those 
>> assurances.
>> Best regards, Rene
>> Ref: [1] 
>> On 2021-04-10 1:27 p.m., Hugo Krawczyk wrote:
>>> Feng, you say:
>>> > On the other hand, from the perspective of a higher layer protocol 
>>> (say CPace, OPAQUE and PAK), it’s simply impossible to handle 
>>> exception. As soon as map-to-curve hits the small subgroup, the 
>>> password in a PAKE system will be compromised. Therefore, the above 
>>> warning is self-defeating and not meaningful.
>>> If I understand correctly, you are saying that in the case of 
>>> password protocols, the unlikely event of (a correctly designed, 
>>> correctly implemented) hash-to-curve mapping some value to the 
>>> identity has irrecoverable consequences that are specific to the 
>>> PAKE setting.
>>> I wanted to comment that in the case of OPAQUE, you could check 
>>> during password registration that a user's password maps to the 
>>> identity and ask to choose a new password (we are used to websites 
>>> rejecting some passwords). However, when that happens, the website 
>>> should immediately (*) sound an alarm to be heard across the 
>>> universe. You would have found a preimage of the identity under a 
>>> RO-modeled hash function. Either you are observing an event with 
>>> probability, say, 2^{-256}, or you are observing a hugely more 
>>> probable event: Someone broke the one-wayness of the hash function. 
>>> (The same alarm should go off if it just happens in a run of any 
>>> other protocol.)
>>> (*) Of course, you should first check that you really have a 
>>> preimage of the identity under the hash - the most probable event to 
>>> produce such a result is an implementation error.
>>> Hugo
>>> PS: When you have an analysis that assumes a uniform distribution 
>>> and then decide to deviate from it as a way to "enhance" the design, 
>>> you may be introducing subtle weaknesses. An historic example 
>>> (irrelevant to the cases we are discussing here but illustrating the 
>>> principle) is Enigma's avoidance  of encrypting letters to 
>>> themselves - something Turing was fast to exploit
>>> <>
>>> On Sat, Apr 10, 2021 at 11:13 AM < 
>>> <>> wrote:
>>>     Hello Feng,
>>>     "Hao, Feng" <
>>>     <>> wrote:
>>>     > Rsw also gave a similar example of having all zeros for the hash.
>>>     > Let me clarify that we are not – and shouldn’t be - concerned with
>>>     > any of such cases since the values are uniformly distributed
>>>     within
>>>     > their respective range.
>>>     Right. And the argument is precisely the same for hash-to-curve!
>>>     Let me be perfectly clear: the property that hash_to_curve gives
>>>     is that the output is a uniformly* distributed point in the (big)
>>>     prime-order subgroup of the target elliptic curve.
>>>     At the risk of seeming didactic (in which case, apologies): the
>>>     identity element is indeed an element of the target group G.
>>>     Put another way: fix a generator g of group G of prime order q.
>>>     Then,
>>>     hash_to_curve returns g^r in G, for r sampled uniformly* at random
>>>     in 0 <= r < q. Under the assumption that discrete log is hard in G,
>>>     hash_to_curve does not reveal r. Under the preimage and collision
>>>     resistance of the underlying hash function, one cannot choose any
>>>     particular r or find two inputs that hash to the same r.
>>>     I hope this helps clarify the security properties, and why focus
>>>     on low-order points at intermediate steps of the computation is not
>>>     relevant to the security of hash_to_curve as specified.
>>>     * uniformly except for some statistical distance less than 2^-100.
>>>     Regards,
>>>     -=rsw
>>>     _______________________________________________
>>>     CFRG mailing list
>>> <>
>>>     <>
>>> _______________________________________________
>>> CFRG mailing list
>> -- 
>>  | Skype: rstruik
>> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
>> _______________________________________________
>> CFRG mailing list
>> <>

email: | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867