'Re: [CFRG] [irsg] Spencer Dawkins' No Objection on draft-irtf-cfrg-hash-to-curve-14: (with COMMENT)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List: cfrg
Subject: Re: [CFRG] [irsg] Spencer Dawkins' No Objection on draft-irtf-cfrg-hash-to-curve-14: (with COMMENT)
From: Colin Perkins <csp () csperkins ! org>
Date: 2022-06-17 12:35:58
Message-ID: 63689378-A467-4202-AE7D-321F63BAF34E () csperkins ! org
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]

Thanks!
Colin

On 16 Jun 2022, at 17:26, Spencer Dawkins at IETF wrote:

> Hi, Colin,
>
> On Wed, Jun 15, 2022 at 8:52 AM Colin Perkins <csp@csperkins.org> 
> wrote:
>
>> Hi Spencer,
>>
>> The draft-irtf-cfrg-hash-to-curve-16 just submitted looks to address 
>> these
>> comments. Can you please review and confirm?
>>
>
> It does. Thanks to the authors for considering my comments.
>
> Best,
>
> Spencer
>
>
>> Thanks!
>> Colin
>>
>>
>>
>> On 13 May 2022, at 5:50, Spencer Dawkins via Datatracker wrote:
>>> Spencer Dawkins has entered the following ballot position for
>>> draft-irtf-cfrg-hash-to-curve-14: No Objection
>>>
>>> When responding, please keep the subject line intact and reply to 
>>> all
>>> email addresses included in the To and CC lines. (Feel free to cut 
>>> this
>>> introductory paragraph, however.)
>>>
>>>
>>>
>>> The document, along with other ballot positions, can be found here:
>>> https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/
>>>
>>>
>>>
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>>
>>> I'm only vaguely aware of how this stuff works, so please keep that 
>>> in
>> mind,
>>> when reading my comments. I hope they are somewhat helpful.
>>>
>>> In this text from the Introduction,
>>>
>>> Unfortunately for implementors, the precise hash function that is
>> suitable for
>>> a given protocol implemented using a given elliptic curve is often
>> unclear from
>>> the protocol's description. Meanwhile, an incorrect choice of hash
>> function can
>>> have disastrous consequences for security.
>>>
>>> I'm not sure I understand (at this point in the document) what the
>> problem is
>>> ("why it's not OK to just pick a hash function"), other than 
>>> "if you do
>> that,
>>> bad things will happen"). Is there a reference you could include 
>>> here,
>> or even
>>> a forward pointer if there's a good place to point to in the draft, 
>>> so
>> that us
>>> non-experts can follow along?
>>>
>>> I learned a lot from googling "rejection sampling methods" while 
>>> reading
>> this
>>> text
>>>
>>> This document does not cover rejection sampling methods, sometimes
>> referred to
>>> as "try-and-increment" or "hunt-and-peck,"
>>>
>>> But the text didn't tell me enough to understand rejection 
>>> sampling
>> methods.
>>> Perhaps a half-sentence explanation, or a reference, would be 
>>> helpful.
>>>
>>> This is nit-ish, but it confused me.
>>>
>>> 5.1.  Security considerations, is only for section 5, is that right?
>> There's
>>> another Security Considerations - section 10 - which starts with 
>>> these
>> two
>>> sentences:
>>>
>>> Section 3.1 describes considerations related to domain separation. 
>>> See
>> Section
>>> 10.4 for further discussion.
>>>
>>> Section 5 describes considerations for uniformly hashing to field
>> elements; see
>>> Section 10.2 and Section 10.3 for further discussion.
>>>
>>> I found myself wondering why some security considerations seem to be 
>>> in
>> Section
>>> 3.1 (which isn't called Security considerations), and others seem 
>>> to be
>> in
>>> Section 5 (shouldn't the second sentence refer to Section 5.1, 
>>> which IS
>> called
>>> Security considerations?), and these considerations outside Section 
>>> 10
>> aren't
>>> complete. If I was looking for all the Security considerations, 
>>> I'd
>> expect to
>>> find them together, and probably in Section 10.
>>>
>>> Do the right thing, of course.
>>>
>>> I'm not picking on BCP 14 language in most of the text, but in 
>>> Section 7,
>>>
>>> Note that in this case scalar multiplication by the cofactor h does 
>>> not
>>> generally give the same result as the fast method, and SHOULD NOT be
>> used.
>>>
>>> I'm not understanding why this is not a MUST - when is it OK to 
>>> use
>> scalar
>>> multiplication, if it usually gives a different result?
>>>
>>> I have roughly the same question in Section 8.5,
>>>
>>> This section defines ciphersuites for curve25519 and edwards25519
>> [RFC7748].
>>> Note that these ciphersuites SHOULD NOT be used when hashing to
>> ristretto255
>>> [I-D.irtf-cfrg-ristretto255-decaf448]. See Appendix B for 
>>> information on
>> how to
>>> hash to that group.
>>>
>>> What if I DO use these ciphersuites inappropriately?
>>>
>>> Very similar text is in 8.6, so I have a very similar question.
>>>
>>> This section defines ciphersuites for curve448 and edwards448 
>>> [RFC7748].
>> Note
>>> that these ciphersuites SHOULD NOT be used when hashing to decaf448
>>> [I-D.irtf-cfrg-ristretto255-decaf448]. See Appendix C for 
>>> information on
>> how to
>>> hash to that group.
>>>
>>> Do the right thing, of course.
>>>
>>> In section 8.9,
>>>
>>> The RECOMMENDED way to define a new hash-to-curve suite is:
>>>
>>> <snipped down to>
>>>
>>> When hashing to an elliptic curve not listed in this section,
>> corresponding
>>> hash-to-curve suites SHOULD be fully specified as described above.
>>>
>>> As a nit, "not listed in this section" might reasonably be read 
>>> as "not
>> listed
>>> in section 8.9". I think you might better say "not listed 
>>> elsewhere in
>> section
>>> 8".
>>>
>>> But beyond that, I don't think you mean "RECOMMENDED" in the 
>>> BCP 14
>> sense. If
>>> this text said
>>>
>>> For elliptic curves not listed elsewhere in section 8, a new
>> hash-to-curve
>>> suite can be defined by <steps 1-8 as they appear in the draft>
>>>
>>> You wouldn't need any of the BCP 14 language in this section, with 
>>> the
>>> attendant "why is this not a MUST", "in what cases would you 
>>> not do
>> this", and
>>> "if you don't do this, what happens?" questions that reviewers 
>>> can't help
>>> asking …
>>

[Attachment #5 (text/html)]

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/xhtml; charset=utf-8">
</head>
<body><div style="font-family: sans-serif;"><div class="plaintext" \
style="white-space: normal;"><p dir="auto">Thanks! <br>
Colin</p>
<br><br><p dir="auto">On 16 Jun 2022, at 17:26, Spencer Dawkins at IETF wrote:</p>
</div><blockquote class="embedded" style="margin: 0 0 5px; padding-left: 5px; \
border-left: 2px solid #5855D5; color: #5855D5;"><div \
id="07FEF8E8-17A9-49A1-A64D-24B1540BCAC4">

<div dir="ltr">
<div dir="ltr">Hi, Colin,&nbsp;</div>
 
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Jun 15, 2022 at 8:52 AM Colin Perkins \
&lt;<a href="mailto:csp@csperkins.org">csp@csperkins.org</a>&gt; wrote: </div> \
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex">Hi Spencer, 
The draft-irtf-cfrg-hash-to-curve-16 just submitted looks to address these comments. \
Can you please review and confirm? </blockquote> <div> </div>
<div>It does. Thanks to the authors for considering my comments.&nbsp;</div>
<div> </div>
<div>Best,</div>
<div> </div>
<div>Spencer</div>
<div>&nbsp;</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex">Thanks! Colin 
 
 
 
On 13 May 2022, at 5:50, Spencer Dawkins via Datatracker wrote: 
&gt; Spencer Dawkins has entered the following ballot position for 
&gt; draft-irtf-cfrg-hash-to-curve-14: No Objection 
&gt; 
&gt; When responding, please keep the subject line intact and reply to all 
&gt; email addresses included in the To and CC lines. (Feel free to cut this 
&gt; introductory paragraph, however.) 
&gt; 
&gt; 
&gt; 
&gt; The document, along with other ballot positions, can be found here: 
&gt; <a href="https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/" \
rel="noreferrer" target="_blank">https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/</a> 
 &gt; 
&gt; 
&gt; 
&gt; ---------------------------------------------------------------------- 
&gt; COMMENT: 
&gt; ---------------------------------------------------------------------- 
&gt; 
&gt; I'm only vaguely aware of how this stuff works, so please keep that in mind, 
&gt; when reading my comments. I hope they are somewhat helpful. 
&gt; 
&gt; In this text from the Introduction, 
&gt; 
&gt; Unfortunately for implementors, the precise hash function that is suitable \
for &gt; a given protocol implemented using a given elliptic curve is often \
unclear from &gt; the protocol's description. Meanwhile, an incorrect choice of \
hash function can &gt; have disastrous consequences for security. 
&gt; 
&gt; I'm not sure I understand (at this point in the document) what the problem \
is &gt; ("why it's not OK to just pick a hash function"), other than "if you do \
that, &gt; bad things will happen"). Is there a reference you could include here, \
or even &gt; a forward pointer if there's a good place to point to in the draft, \
so that us &gt; non-experts can follow along? 
&gt; 
&gt; I learned a lot from googling "rejection sampling methods" while reading \
this &gt; text 
&gt; 
&gt; This document does not cover rejection sampling methods, sometimes referred \
to &gt; as "try-and-increment" or "hunt-and-peck," 
&gt; 
&gt; But the text didn't tell me enough to understand rejection sampling methods. 
&gt; Perhaps a half-sentence explanation, or a reference, would be helpful. 
&gt; 
&gt; This is nit-ish, but it confused me. 
&gt; 
&gt; 5.1.&nbsp; Security considerations, is only for section 5, is that right? \
There's &gt; another Security Considerations - section 10 - which starts with \
these two &gt; sentences: 
&gt; 
&gt; Section 3.1 describes considerations related to domain separation. See \
Section &gt; 10.4 for further discussion. 
&gt; 
&gt; Section 5 describes considerations for uniformly hashing to field elements; \
see &gt; Section 10.2 and Section 10.3 for further discussion. 
&gt; 
&gt; I found myself wondering why some security considerations seem to be in \
Section &gt; 3.1 (which isn't called Security considerations), and others seem to \
be in &gt; Section 5 (shouldn't the second sentence refer to Section 5.1, which \
IS called &gt; Security considerations?), and these considerations outside \
Section 10 aren't &gt; complete. If I was looking for all the Security \
considerations, I'd expect to &gt; find them together, and probably in Section \
10. &gt; 
&gt; Do the right thing, of course. 
&gt; 
&gt; I'm not picking on BCP 14 language in most of the text, but in Section 7, 
&gt; 
&gt; Note that in this case scalar multiplication by the cofactor h does not 
&gt; generally give the same result as the fast method, and SHOULD NOT be used. 
&gt; 
&gt; I'm not understanding why this is not a MUST - when is it OK to use scalar 
&gt; multiplication, if it usually gives a different result? 
&gt; 
&gt; I have roughly the same question in Section 8.5, 
&gt; 
&gt; This section defines ciphersuites for curve25519 and edwards25519 [RFC7748]. 
&gt; Note that these ciphersuites SHOULD NOT be used when hashing to ristretto255 
&gt; [I-D.irtf-cfrg-ristretto255-decaf448]. See Appendix B for information on how \
to &gt; hash to that group. 
&gt; 
&gt; What if I DO use these ciphersuites inappropriately? 
&gt; 
&gt; Very similar text is in 8.6, so I have a very similar question. 
&gt; 
&gt; This section defines ciphersuites for curve448 and edwards448 [RFC7748]. \
Note &gt; that these ciphersuites SHOULD NOT be used when hashing to decaf448 
&gt; [I-D.irtf-cfrg-ristretto255-decaf448]. See Appendix C for information on how \
to &gt; hash to that group. 
&gt; 
&gt; Do the right thing, of course. 
&gt; 
&gt; In section 8.9, 
&gt; 
&gt; The RECOMMENDED way to define a new hash-to-curve suite is: 
&gt; 
&gt; &lt;snipped down to&gt; 
&gt; 
&gt; When hashing to an elliptic curve not listed in this section, corresponding 
&gt; hash-to-curve suites SHOULD be fully specified as described above. 
&gt; 
&gt; As a nit, "not listed in this section" might reasonably be read as "not \
listed &gt; in section 8.9". I think you might better say "not listed elsewhere \
in section &gt; 8". 
&gt; 
&gt; But beyond that, I don't think you mean "RECOMMENDED" in the BCP 14 sense. \
If &gt; this text said 
&gt; 
&gt; For elliptic curves not listed elsewhere in section 8, a new hash-to-curve 
&gt; suite can be defined by &lt;steps 1-8 as they appear in the draft&gt; 
&gt; 
&gt; You wouldn't need any of the BCP 14 language in this section, with the 
&gt; attendant "why is this not a MUST", "in what cases would you not do this", \
and &gt; "if you don't do this, what happens?" questions that reviewers can't \
help &gt; asking … </blockquote>
</div>
</div></div></blockquote>
<div class="plaintext" style="white-space: normal;">
</div>

</div>
</body>

</html>

_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg

[prev in list] [next in list] [prev in thread] [next in thread] 