
Incorporate hash-to-curve by reference #35

Merged: 11 commits, merged May 22, 2020

Conversation

kwantam (Contributor) commented Nov 1, 2019

Hello! I'm helping with the hash-to-curve Internet draft, and I've been chatting with @reyzin about harmonizing our two documents.

To that end, this PR removes the step-by-step descriptions of Elligator 2 and Simplified SWU, and replaces them with references to hash-to-curve ciphersuites.

We (the hash-to-curve authors) are just about ready to push revision -05. This PR preemptively refers to that version of the document, which means xml2rfc will die until the -05 draft is actually published---sorry about that.

Happy to coordinate further, make changes, etc. Please let me know how I can help!

kwantam (Contributor, Author) commented Nov 1, 2019

(Also, this PR may have some bearing on #25)

kwantam added 7 commits March 6, 2020 17:38. Commit messages:

rather than redefining S-SWU and Elligator-2 in this document

suite_string is a fixed parameter of an ECVRF suite, so it is contextually defined whenever ECVRF_hash_to_curve is invoked. Thus, no need to take it as a function argument.

this makes all invocations of Hash orthogonal, including the invocations inside hash-to-curve. This corresponds to the updates to hash-to-curve which move the domain separation string to the end of the Hash input.

better to have high-entropy string start on a block boundary in MD hashes.
kwantam (Contributor, Author) commented Mar 7, 2020

Hello again!

I've updated this PR to reflect the latest changes to hash-to-curve. This change comprehends the redesign in the hash_to_base function (now called hash_to_field) inside hash-to-curve, which was done partially in response to @reyzin's comments, and it also comprehends the revamped h2c suite naming scheme.

The issue with the prior approach to hash_to_base (built on HKDF) was that it was not possible to get a strict guarantee of domain separation between calls to H() inside of HKDF and calls to H() outside. Our redesigned function no longer uses HKDF, which allows us to make this guarantee (see further discussion in /cfrg/draft-irtf-cfrg-hash-to-curve#202). In particular, in the new version every call to H() inside hash_to_field appends the domain separation tag.

We decided to append (rather than prepend) for a small bit of extra safety margin when using a Merkle-Damgaard hash function. In particular, this guarantees that in all of hash_to_field's calls to H(), the high-entropy part of the hash's input (in our case, either the message being hashed or the pseudorandom key being re-hashed---rather than the domain separation tag) starts on an input block boundary. This maximizes the amount of entropy that the hash function digests in a single evaluation of the compression function, and in particular avoids the case where the high-entropy string is split across a block boundary. (Dan Boneh pointed out that splitting in this way could invite meet-in-the-middle--style attacks.)

To ensure correct domain separation, this PR also changes the way that suite_string, one_string, two_string, and three_string are injected in all of the ECVRF functions. This has the nice side effect of making sure that the high-entropy part of the input to H() comes first in the hash's input string for all of the calls in VRF, too.

Finally, because I made the hash input ordering change for the EC spec, I also made the same change for the RSA spec---specifically, reversing the order of inputs to MGF1 and to H in the RSA proof-to-hash algorithm. This is a combination of paranoia's and consistency's sake, but I'm happy to back it out if you'd prefer.
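The block-boundary argument in the comment above, as an added illustration that is not part of the PR or of either draft: an expand_message_xmd-style expansion in the shape the hash-to-curve work later settled on (zero padding of one hash block, then the message, then the length fields, then the DST appended as DST_prime), together with a small helper that reports where the caller's high-entropy message lands inside the first H() input. With the DST appended, the message starts exactly at the second SHA-256 block; with the DST prepended, it starts at an offset equal to the DST length, which is generally not block-aligned. The draft revision the PR targeted may differ in detail from this shape, and the helper names (msg_offset, is_block_aligned) are this example's own.

```python
import hashlib

BLOCK_BYTES = 64   # SHA-256 compression-function input block (r_in_bytes)
OUT_BYTES = 32     # SHA-256 digest length (b_in_bytes)


def i2osp(x: int, length: int) -> bytes:
    """Big-endian encoding of x into exactly `length` bytes."""
    return x.to_bytes(length, "big")


def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int) -> bytes:
    """Expand `msg` to `len_in_bytes` uniform bytes with SHA-256, appending
    the domain separation tag to every hash input (shape of the later
    hash-to-curve expand_message_xmd; constructed here for illustration)."""
    if len(dst) > 255:
        raise ValueError("DST longer than 255 bytes is not supported here")
    ell = (len_in_bytes + OUT_BYTES - 1) // OUT_BYTES
    if ell > 255:
        raise ValueError("requested output too long for a one-byte counter")
    # DST_prime = DST || I2OSP(len(DST), 1): the tag always goes last.
    dst_prime = dst + i2osp(len(dst), 1)
    # Z_pad is one full block of zeros, so `msg` begins on a block boundary.
    z_pad = i2osp(0, BLOCK_BYTES)
    msg_prime = z_pad + msg + i2osp(len_in_bytes, 2) + i2osp(0, 1) + dst_prime
    b0 = hashlib.sha256(msg_prime).digest()
    # b_1 = H(b_0 || 0x01 || DST_prime); the pseudorandom b_0 comes first.
    blocks = [hashlib.sha256(b0 + i2osp(1, 1) + dst_prime).digest()]
    for i in range(2, ell + 1):
        mixed = bytes(a ^ b for a, b in zip(b0, blocks[-1]))
        blocks.append(hashlib.sha256(mixed + i2osp(i, 1) + dst_prime).digest())
    return b"".join(blocks)[:len_in_bytes]


def msg_offset(dst: bytes, append_dst: bool) -> int:
    """Byte offset at which the caller's message starts inside the first
    H() input. append_dst=True mirrors msg_prime above (Z_pad comes first);
    append_dst=False mirrors a naive 'DST || msg' ordering."""
    return BLOCK_BYTES if append_dst else len(dst)


def is_block_aligned(offset: int) -> bool:
    """True when the offset is a multiple of the compression-function block."""
    return offset % BLOCK_BYTES == 0


if __name__ == "__main__":
    # Constructed sample inputs, not test vectors from any draft.
    dst = b"EXAMPLE-DST-V00-SHA256"
    out = expand_message_xmd(b"hello vrf", dst, 48)
    print(out.hex())
    for append in (True, False):
        off = msg_offset(dst, append)
        print("append" if append else "prepend", off, is_block_aligned(off))
```

The expansion is deterministic and the output changes with the DST, which is the property that gives domain separation between different callers of the same hash; the layout helper makes the Merkle-Damgaard point concrete: for any DST shorter than a block, prepending it splits the first compression-function call between tag bytes and message bytes, while appending it does not.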

@reyzin reyzin merged commit 47e798e into fcelda:master May 22, 2020
@kwantam kwantam deleted the vrf_with_h2c branch October 29, 2021 00:33