List: cfrg
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-hash-to-curve-07.txt
From: "Riad S. Wahby" <rsw () jfet ! org>
Date: 2020-04-28 16:31:15
Message-ID: 20200428163115.gbsmbwul6ykch734 () muon
Hi Björn,
Björn Haase <bjoern.m.haase@web.de> wrote:
> I would understand a zero-padding that would first insert some
> information that should be maintained confidential and a Z_pad string
> that fills up the remaining rest of the input block of the hash function
> with zeros. However, I did not get the point, why filling the first
> block with zeros should provide any advantage.
Good question! The answer is that this zero block allows one to prove
this construction indifferentiable from a random oracle when the M-D
compression function is modeled as a random oracle (which is effectively
the strongest statement we could hope for in this context).
In particular, prepending a block of zeros instantiates an NMAC
construction, as described in Section 3.5 of the following paper
(the full version linked below gives a security proof).
Coron, Dodis, Malinaud, and Puniya. "Merkle-Damgaard revisited:
How to construct a hash function." Proc. CRYPTO 2005.
https://cs.nyu.edu/~dodis/ps/merkle.pdf
This is discussed in the "Security Considerations" section of the
document. I will go back and double check that Section 5 makes
a clear forward ref to that discussion.
Thanks for the feedback and take care,
-=rsw
_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg