List:       cfrg
Subject:    Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
From:       "Hao, Feng" <Feng.Hao=40warwick.ac.uk () dmarc ! ietf ! org>
Date:       2021-04-11 18:59:09
Message-ID: AM6PR01MB42783039E9763256D157973AD6719 () AM6PR01MB4278 ! eurprd01 ! prod ! exchangelabs ! com
Hi Mike,

Thanks for your comment. I think we can have a more meaningful discussion on this if CPace and OPAQUE were concretely defined in the DSA/Schnorr or other MODP groups. Both protocols assume a special hash function of hashing a password to a non-identity element (base generator) in a designated prime-order group in constant time. So far, they depend on the hash-to-curve draft to realize that function, which leaves it undefined for DSA/Schnorr or other MODP groups. As we can see from the example of SPEKE and Dragonfly, doing that in an MODP group is also a non-trivial task. I think this is certainly possible to avoid or minimize the effect of small subgroups in MODP, e.g., SPEKE, which does this mapping but at the cost of very expensive exponentiations because of the use of a safe prime and very long exponents. However, I don’t want to speculate how CPace/OPAQUE will want to do this until they are actually defined in an MODP setting.

Cheers,
Feng

From: Mike Hamburg <mike@shiftleft.org>
Date: Sunday, 11 April 2021 at 15:59
To: Hao, Feng <Feng.Hao@warwick.ac.uk>
Cc: CFRG <cfrg@irtf.org>, Hugo Krawczyk <hugo@ee.technion.ac.il>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve


> On Apr 11, 2021, at 11:19 AM, Mike Hamburg <mike@shiftleft.org> wrote:
> Or, to pull the analysis back to the full group G: the probability of landing in the small subgroup doesn’t depend on its absolute size q. It depends on its size relative to G, which is q/(pq) = 1/p, i.e. it depends only on the size of the large group.

Sorry for the spam: “large group” should read “large prime-order subgroup”. — Mike
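The two points made above, that a password hash can be mapped into the prime-order subgroup of a MODP group by cofactor clearing, and that a uniformly random group element lands in the small subgroup with probability 1/p regardless of the subgroup's absolute size, worked through on a toy Schnorr group. This is an added example, not code from the thread, CPace, OPAQUE or the hash-to-curve draft; the parameters (N = 103, P = 17, H = 6), the function names and the counter-based retry are constructed assumptions.

```python
import hashlib
from fractions import Fraction

# Constructed toy Schnorr group: N prime, N - 1 = H * P with P prime.
# Z_N^* has order H*P. Its subgroup of order H is the "small subgroup";
# its subgroup of order P is the large prime-order subgroup.
N = 103          # prime; N - 1 = 102 = 6 * 17
P = 17           # size of the large prime-order subgroup (toy value)
H = 6            # cofactor: size of the small subgroup
assert N - 1 == H * P

def small_subgroup_fraction(n, h):
    """Fraction of Z_n^* lying in the subgroup of order h.

    x is in that subgroup exactly when x^h == 1 (mod n). The fraction is
    h / (h*p) = 1/p: it depends only on p, not on h, as the thread says.
    """
    in_small = sum(1 for x in range(1, n) if pow(x, h, n) == 1)
    return Fraction(in_small, n - 1)

def hash_to_prime_order_subgroup(password: bytes, n, p, h):
    """Map a password to a non-identity element of the order-p subgroup.

    Hash into Z_n^*, then raise to the cofactor h (cofactor clearing).
    x^h always has order dividing p, so it is either the identity or a
    generator of the prime-order subgroup. x^h == 1 happens exactly when
    x was already in the small subgroup, i.e. with probability 1/p, and
    the counter-based retry handles that case. For real-size p the retry
    branch is never taken; for this toy group it can be.
    """
    counter = 0
    while True:
        digest = hashlib.sha256(password + counter.to_bytes(4, "big")).digest()
        # Toy-sized n: reducing the digest mod (n - 1) is biased. A real
        # instantiation needs a proper hash-to-field step instead.
        x = int.from_bytes(digest, "big") % (n - 1) + 1   # x in [1, n-1]
        g = pow(x, h, n)
        if g != 1:
            return g
        counter += 1

def is_in_prime_order_subgroup(g, n, p):
    """True iff g is a non-identity element whose order divides p."""
    return g != 1 and pow(g, p, n) == 1
```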


_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg