domain separation #139
domain separation #139
Conversation
kwantam
requested review from
chris-wood,
armfazh and
samscott89
and removed request for
chris-wood
| This is used to efficiently create independent | ||
| instances of hash_to_base (see discussion above). | ||
|
|
||
| Output: u, an element in F. | ||
|
|
||
| Steps: | ||
| 1. m' = H(msg) || I2OSP(ctr, 1) | ||
| 1. m' = "HASH-TO-CURVE" || H(msg) || I2OSP(ctr, 1) |
There was a problem hiding this comment.
Would we consider making HASH-TO-CURVE shorter (e..g "H2C"/ "HTC"), and potentially truncating H(msg) such that we can fit m' into a single block in the loop below?
E.g. the input to the hash in the loop becomes "H2C" || H(msg)[..len(H) - 6] || I2OSP(ctr, 1) || I2OSP(i, 1) || I2OSP(j, 1)?
There was a problem hiding this comment.
Perhaps in a separate issue?
There was a problem hiding this comment.
we'd have to truncate a reasonable amount to avoid going past one block, because SHA-256 adds at least 65 bits of padding to the end of the message. Specifically, the padding is
- append a single '1' bit
- append k '0' bits where 0 <= k < 512 and bitlen(msg) + 1 + k + 64 is divisible by 512
- append a 64-bit representation of bitlen(msg)
so it would have to be something like H(msg)[..len(H) - 15], which is pretty extreme.
Also, we might want to resolve #137 first, since that would moot this discussion.
There was a problem hiding this comment.
The initial text looks good to me. I think some more clarity and examples would help drive the point home, so approving for now. Thanks, @kwantam!
draft-irtf-cfrg-hash-to-curve.md
Outdated
| by that protocol. | ||
| In practice, this assumption may not hold: commonly, two or more protocols | ||
| may model the same hash function as a random oracle, which violates the above | ||
| assumption if both protocols compute the hash of the same value. |
There was a problem hiding this comment.
Perhaps add:
That is, let R() be a random oracle used by protocols P1 and P2. If P1 and P2 ever query R with the same value x, the assumption above is violated.
And maybe then show how P1 and P2 would use R1 and R2 (as defined below) to address this?
There was a problem hiding this comment.
Yeah, I think the first paragraph is unclear in a couple ways. I'll try to address and incorporate the above.
draft-irtf-cfrg-hash-to-curve.md
Outdated
| ({{term-domain-separation}}) to avoid interfering with other protocols | ||
| that also use the hash\_to\_curve functionality. | ||
| In addition, any protocol that uses two or more hash\_to\_curve functions | ||
| targeting different elliptic curves MUST enforce domain separation between |
There was a problem hiding this comment.
Is the expectation that if one had two hash-to-curve functions H1 and H2 targeting the same curve, then H1 = H2?
There was a problem hiding this comment.
Yes, unless they're explicitly separated. I suppose I should clarify this point.
There was a problem hiding this comment.
I pushed an edit to address this.
draft-irtf-cfrg-hash-to-curve.md
Outdated
| ({{term-domain-separation}}) to avoid interfering with other protocols | ||
| that also use the hash\_to\_curve functionality. | ||
| In addition, any protocol that uses two or more hash\_to\_curve functions | ||
| targeting different elliptic curves MUST enforce domain separation between |
There was a problem hiding this comment.
It'd be good to clarify why this requirement is needed. (That is, to avoid overlapping hash2base output IIUC.)
There was a problem hiding this comment.
I pushed an edit to address this.
|
|
||
| As an example, consider a fictional key exchange protocol named Quux. | ||
| A reasonable choice of tag might be "QUUX-V\<xx\>-CS\<yy\>", where \<xx\> and \<yy\> | ||
| are two-digit numbers indicating the version and ciphersuite, respectively. |
There was a problem hiding this comment.
Would it help to give an example of a protocol that needs domain separation internally, too?
There was a problem hiding this comment.
I pushed an edit to address this.
| This is used to efficiently create independent | ||
| instances of hash_to_base (see discussion above). | ||
|
|
||
| Output: u, an element in F. | ||
|
|
||
| Steps: | ||
| 1. m' = H(msg) || I2OSP(ctr, 1) | ||
| 1. m' = "HASH-TO-CURVE" || H(msg) || I2OSP(ctr, 1) |
There was a problem hiding this comment.
Perhaps in a separate issue?
Co-Authored-By: Christopher Wood <[email protected]>
Co-Authored-By: Christopher Wood <[email protected]>
Co-Authored-By: Christopher Wood <[email protected]>
Co-Authored-By: Christopher Wood <[email protected]>
Co-Authored-By: Christopher Wood <[email protected]>
kwantam
force-pushed
the
domain_separation
branch
from
0400920 to
b500bff
Compare
This essentially captures what's in #124:
add "HASH-TO-CURVE" literal in hash_to_base for H() separation
change ctr argument in encode_to_curve for free separation from hash_to_curve
add a new section in roadmap with requirements for domain separation
add a new definition for domain separation
Note that this does not comprehend #137. I think we can treat that as a separate question for now.