Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reconsider hash_to_F choices in ciphersuite #194

Open
kayabaNerve opened this issue Dec 24, 2022 · 2 comments
Open

Reconsider hash_to_F choices in ciphersuite #194

kayabaNerve opened this issue Dec 24, 2022 · 2 comments
Labels
cryptography An issue involving cryptography/a cryptographic library improvement This could be better

Comments

@kayabaNerve
Copy link
Member

kayabaNerve commented Dec 24, 2022
edited
Loading

Ciphersuite defines five hash_to_F functions.

The issue is the latter two, being insecure due to transcript malleability between the DST and msg.

The aforementioned draft does define Ed25519/Ed448 schemes, yet not a Ristretto scheme. We'd have to define a Ristretto scheme inspired by... Then the issue is the focus of these hash_to_F functions are to be useful, where usefulness is defined by 'canonicity'.

Given Ed25519's frequent habit of naive wide reduction, and its usage in the (presumably upcoming) FROST IETF draft, it's hard to argue it isn't the implicit standard. While the hash to curve draft arguably provides more of a standard, it's not actually intended for scalar fields.

Ed448 does have a DST defined in its EdDSA spec, which could be moved into Ciphersuite. Given how little used Ed448 is, I don't believe we'll find a widely used option anyways. Accordingly, EdDSA's may be optimal

Ideally, we don't offer any naive functions, and can create such a bound in the documentation, preventing the current footgun hash_to_F is (with a typed, distinctly separated dst tag which loses distinction) from being. While FROST does require such naivety, its own hash_to_F function is already defined and can be further written to cover its specifities.
@kayabaNerve kayabaNerve added improvement This could be better cryptography An issue involving cryptography/a cryptographic library labels Dec 24, 2022
@kayabaNerve
Copy link
Member Author

The EdDSA Ed448 hash is bound "Sig448". We accordingly should not use the one from RFC-8032, yet continue looking at the hash to curve draft for it, if we change.

@kayabaNerve
Copy link
Member Author

There is an issue for the IETF draft to specify test vectors for hash_to_scalar: cfrg/draft-irtf-cfrg-hash-to-curve#343

There also is a (partial?) Ristretto suite: https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#name-hashing-to-ristretto255

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
cryptography An issue involving cryptography/a cryptographic library improvement This could be better
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@kayabaNerve