Skip to content

Commit

Permalink
Merge pull request #346 from cfrg/revSD
Browse files Browse the repository at this point in the history 
Rev sd
  • Loading branch information
@chris-wood
chris-wood authored Jun 15, 2022
2 parents 05cb350 + 00cbf7b commit 664b135
Showing 1 changed file with 34 additions and 32 deletions.
66 changes: 34 additions & 32 deletions draft-irtf-cfrg-hash-to-curve.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1151,7 +1151,8 @@ as "try-and-increment" or "hunt-and-peck," because the goal is to describe
algorithms that can plausibly be computed in constant time. Use of these rejection
methods is NOT RECOMMENDED, because they have been a perennial cause of
side-channel vulnerabilities. See Dragonblood {{VR20}} as one example of this
problem in practice.
problem in practice, and see {{related}} for a further description of
rejection sampling methods.

This document represents the consensus of the Crypto Forum Research Group (CFRG).

Expand Down Expand Up @@ -1272,7 +1273,7 @@ is not invertible. Thus, the encodings are also not invertible.
In some applications of hashing to elliptic curves, it is important that
encodings do not leak information through side channels.
{{VR20}} is one example of this type of leakage leading to a security vulnerability.
See {{security-considerations}} for further discussion.
See {{security-considerations-constant}} for further discussion.

### Random oracle encodings {#term-rom}

Expand All @@ -1286,7 +1287,7 @@ point on the curve, the other gives a point sampled from a nonuniform distributi

A random-oracle encoding with a uniform output distribution is suitable for use
in many cryptographic protocols proven secure in the random oracle model.
See {{security-considerations}} for further discussion.
See {{security-considerations-props}} for further discussion.

### Serialization {#term-serialization}

Expand Down Expand Up @@ -1333,7 +1334,7 @@ encoding for each oracle being simulated.
In the above example, "RO1" and "RO2" have the same length and thus
satisfy this requirement when used as prefixes.
The algorithms specified in this document take a different approach to ensuring
injectivity; see {{hashtofield-expand}} and {{security-considerations-domain-separation}}
injectivity; see {{hashtofield-expand}} and {{security-considerations-domain-separation-expmsg-var}}
for more details.

# Encoding byte strings to elliptic curves {#roadmap}
Expand Down Expand Up @@ -1415,7 +1416,7 @@ different distributions:
This function is suitable for most applications requiring a random oracle
returning points in G, when instantiated with any of the map\_to\_curve
functions described in {{mappings}}.
See {{security-considerations}} for further discussion.
See {{security-considerations-props}} for further discussion.

~~~ pseudocode
hash_to_curve(msg)
Expand Down Expand Up @@ -1505,7 +1506,7 @@ in brief, this means that execution time and memory access patterns SHOULD NOT
depend on the values of secret inputs, intermediate values, or outputs.
For such constant-time implementations, all arithmetic, comparisons, and
assignments MUST also be implemented in constant time.
{{security-considerations}} briefly discusses constant-time security issues.
{{security-considerations-constant}} briefly discusses constant-time security issues.

Guidance on implementing low-level operations (in constant time or otherwise)
is beyond the scope of this document; readers should consult standard reference
Expand Down Expand Up @@ -1673,11 +1674,10 @@ For example, when hashing to the scalar field for an elliptic curve (sub)group
with prime order r, it suffices to instantiate hash\_to\_field with target field
GF(r).

## Security considerations {#hashtofield-sec}

The hash\_to\_field function is designed to be indifferentiable from a
random oracle {{MRH04}} when expand\_message ({{hashtofield-expand}})
is modeled as a random oracle (see {{security-considerations-hash-to-field}}).
is modeled as a random oracle (see {{security-considerations-hash-to-field}}
for details about its indifferentiability).
Ensuring indifferentiability requires care; to see why, consider a prime
p that is close to 3/4 * 2^256.
Reducing a random 256-bit integer modulo this p yields a value that is in
Expand All @@ -1696,7 +1696,7 @@ L uniform bytes, where
L = ceil((ceil(log2(p)) + k) / 8)
~~~

These uniform bytes are then interpreted as an integer via OS2IP {{RFC8017}}.
These uniform bytes are then interpreted as an integer via OS2IP.
For example, for a 255-bit prime p, and k = 128-bit security,
L = ceil((255 + 128) / 8) = 48 bytes.

Expand All @@ -1713,7 +1713,7 @@ field GF(p^m), hash\_to\_field requires expanding msg into m * L bytes (for L as
For extension fields where log2(p) is significantly smaller than the security
level k, this approach is inefficient: it requires expand\_message to output
roughly m * log2(p) + m * k bits, whereas m * log2(p) + k bytes suffices to
generate an element of GF(p^m) with bias at most 2^-k. In such cases, an
generate an element of GF(p^m) with bias at most 2^-k. In such cases,
applications MAY use an alternative hash\_to\_field function, provided it
meets the following security requirements:

Expand Down Expand Up @@ -1748,7 +1748,7 @@ Parameters:
parameter of the suite (e.g., k = 128).
- expand_message, a function that expands a byte string and
domain separation tag into a uniformly random byte string
(see Section 5.4).
(see Section 5.3).

Inputs:
- msg, a byte string containing the message to hash.
Expand Down Expand Up @@ -2435,7 +2435,7 @@ When a curve admits a fast cofactor clearing method, clear\_cofactor
MAY be evaluated either via that method or via scalar multiplication
by the equivalent h\_eff; these two methods give the same result.
Note that in this case scalar multiplication by the cofactor h does not
generally give the same result as the fast method, and SHOULD NOT be used.
generally give the same result as the fast method, and MUST NOT be used.

# Suites for hashing {#suites}

Expand Down Expand Up @@ -2465,7 +2465,7 @@ A hash-to-curve suite comprises the following parameters:
the polynomial basis used to represent extension field elements.
- k, the target security level of the suite in bits.
(See {{security-considerations-targets}} for discussion.)
- L, the length parameter for hash\_to\_field ({{hashtofield-sec}}).
- L, the length parameter for hash\_to\_field ({{hashtofield}}).
- expand\_message, one of the variants specified in {{hashtofield-expand}}
plus any parameters required for the specified variant (for example, H,
the underlying hash function).
Expand Down Expand Up @@ -2604,7 +2604,7 @@ to P-521 is given in {{straightline-sswu}}.
## Suites for curve25519 and edwards25519 {#suites-25519}

This section defines ciphersuites for curve25519 and edwards25519 {{!RFC7748}}.
Note that these ciphersuites SHOULD NOT be used when hashing to ristretto255
Note that these ciphersuites MUST NOT be used when hashing to ristretto255
{{?I-D.irtf-cfrg-ristretto255-decaf448}}.
See {{appx-ristretto255}} for information on how to hash to that group.

Expand Down Expand Up @@ -2646,7 +2646,7 @@ Optimized example implementations of the above mappings are given in
## Suites for curve448 and edwards448 {#suites-448}

This section defines ciphersuites for curve448 and edwards448 {{!RFC7748}}.
Note that these ciphersuites SHOULD NOT be used when hashing to decaf448
Note that these ciphersuites MUST NOT be used when hashing to decaf448
{{I-D.irtf-cfrg-ristretto255-decaf448}}.
See {{appx-decaf448}} for information on how to hash to that group.

Expand Down Expand Up @@ -2783,7 +2783,8 @@ to the curve E' isogenous to BLS12-381 G2 is given in {{straightline-sswu}}.

## Defining a new hash-to-curve suite {#new-suite}

The RECOMMENDED way to define a new hash-to-curve suite is:
For elliptic curves not listed elsewhere in {{suites}}, a new hash-to-curve
suite can be defined by:

1. E, F, p, and m are determined by the elliptic curve and its base field.

Expand All @@ -2794,7 +2795,7 @@ The RECOMMENDED way to define a new hash-to-curve suite is:

3. Choose encoding type, either hash\_to\_curve or encode\_to\_curve ({{roadmap}}).

4. Compute L as described in {{hashtofield-sec}}.
4. Compute L as described in {{hashtofield}}.

5. Choose an expand\_message variant from {{hashtofield-expand}} plus any
underlying cryptographic primitives (e.g., a hash function H).
Expand All @@ -2808,9 +2809,6 @@ The RECOMMENDED way to define a new hash-to-curve suite is:

8. Construct a Suite ID following the guidelines in {{suiteIDformat}}.

When hashing to an elliptic curve not listed in this section, corresponding
hash-to-curve suites SHOULD be fully specified as described above.

## Suite ID naming conventions {#suiteIDformat}

Suite IDs MUST be constructed as follows:
Expand Down Expand Up @@ -2886,12 +2884,10 @@ This document has no IANA actions.

# Security considerations {#security-considerations}

{{domain-separation}} describes considerations related to domain separation.
See {{security-considerations-domain-separation}} for further discussion.
This section contains additional security considerations about the hash-to-curve mechanisms
described in this document.

{{hashtofield}} describes considerations for uniformly hashing to field elements;
see {{security-considerations-hash-to-field}} and {{security-considerations-expand-xmd}}
for further discussion.
## Properties of encodings {#security-considerations-props}

Each encoding type ({{roadmap}}) accepts an arbitrary byte string and maps
it to a point on the curve sampled from a distribution that depends on the
Expand Down Expand Up @@ -2928,6 +2924,8 @@ by indifferentiable functionalities.
This limitation should be considered when analyzing the security of protocols
relying on the hash\_to\_curve function.

## Hashing passwords {#security-considerations-passwords}

When hashing passwords using any function described in this document, an adversary
who learns the output of the hash function (or potentially any intermediate value,
e.g., the output of hash\_to\_field) may be able to carry out a dictionary attack.
Expand All @@ -2938,6 +2936,8 @@ function to the target elliptic curve.
For collision resistance, the hash underlying the key derivation function
should be chosen according to the guidelines listed in {{hashtofield-expand-xmd}}.

## Constant-time requirements {#security-considerations-constant}

Constant-time implementations of all functions in this document are STRONGLY
RECOMMENDED for all uses, to avoid leaking information via side channels.
It is especially important to use a constant-time implementation when inputs to
Expand Down Expand Up @@ -3055,12 +3055,13 @@ function meeting one of the above criteria.
Applications that use expand\_message\_xmd outside of hash\_to\_field should
ensure domain separation by picking a distinct value for DST.

## Domain separation recommendations {#security-considerations-domain-separation}
## Domain separation for expand\_message variants {#security-considerations-domain-separation-expmsg-var}

As discussed in {{term-domain-separation}}, the purpose of domain separation
is to ensure that security analyses of cryptographic protocols that query
multiple independent random oracles remain valid even if all of these random
oracles are instantiated based on one underlying function H.

The expand\_message variants in this document ({{hashtofield-expand}}) ensure
domain separation by appending a suffix-free-encoded domain separation tag
DST\_prime to all strings hashed by H, an underlying hash or
Expand Down Expand Up @@ -3246,9 +3247,10 @@ If x is the x-coordinate of a point on the elliptic curve, output that
point. Otherwise, generate a new value x in F and try again.
Since a random value x in F has probability about 1/2 of corresponding to
a point on the curve, the expected number of tries is just two.
However, the running time of this method depends on the input string,
which means that it is not safe to use in protocols sensitive to timing
side channels.
However, the running time of this method, which is generally referred
to as a probabilistic try-and-increment algorithm, depends on the input string.
As such, it is not safe to use in protocols sensitive to timing
side channels, as was exemplified by the Dragonblood attack {{VR20}}.

Schinzel and Skalba {{SS04}} introduce a method of constructing
elliptic curve points deterministically, for a restricted class of curves
Expand Down Expand Up @@ -3325,7 +3327,7 @@ The hash\_to\_ristretto255 function MUST be instantiated with an expand\_message
function that conforms to the requirements given in {{hashtofield-expand}}.
In addition, it MUST use a domain separation tag constructed as described
in {{domain-separation}}, and all domain separation recommendations given
in {{security-considerations-domain-separation}} apply when implementing
in {{security-considerations-domain-separation-expmsg-var}} apply when implementing
protocols that use hash\_to\_ristretto255.

~~~ pseudocode
Expand Down Expand Up @@ -3378,7 +3380,7 @@ The hash\_to\_decaf448 function MUST be instantiated with an expand\_message
function that conforms to the requirements given in {{hashtofield-expand}}.
In addition, it MUST use a domain separation tag constructed as described
in {{domain-separation}}, and all domain separation recommendations given
in {{security-considerations-domain-separation}} apply when implementing
in {{security-considerations-domain-separation-expmsg-var}} apply when implementing
protocols that use hash\_to\_decaf448.

~~~ pseudocode
Expand Down

0 comments on commit 664b135

Please sign in to comment.