requirements and guidelines for alternative hash_to_base functions

closes cfrg#165
kwantam · Oct 26, 2019 · 350f034 · 350f034
1 parent 79e2b9d
commit 350f034
Showing 1 changed file with 106 additions and 8 deletions.
diff --git a/draft-irtf-cfrg-hash-to-curve.md b/draft-irtf-cfrg-hash-to-curve.md
@@ -90,13 +90,61 @@ informative:
     author:
       -
         org: Standards for Efficient Cryptography Group (SECG)
+  FIPS180-4:
+    title: "Secure Hash Standard (SHS)"
+    target: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
+    date: Aug, 2015
+    author:
+      -
+        org: National Institute of Standards and Technology (NIST)
   FIPS186-4:
     title: "FIPS Publication 186-4: Digital Signature Standard"
     target: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
     date: Jul, 2013
     author:
       -
         org: National Institute of Standards and Technology (NIST)
+  FIPS202:
+    title: "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions"
+    target: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
+    date: Aug, 2015
+    author:
+      -
+        org: National Institute of Standards and Technology (NIST)
+  SP.800-185:
+    title: "SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash"
+    target: https://doi.org/10.6028/NIST.SP.800-185
+    date: Dec, 2016
+    author:
+      -
+        ins: J. Kelsey
+        name: John Kelsey
+        org: NIST Computer Security Division
+      -
+        ins: S. Chang
+        name: Shu-jen Chang
+        org: NIST Computer Security Division
+      -
+        ins: R. Perlner
+        name: Ray Perlner
+        org: NIST Computer Security Division
+  BLAKE2X:
+    title: BLAKE2X
+    target: https://blake2.net/blake2x.pdf
+    date: Dec, 2016
+    author:
+      -
+        ins: J-P. Aumasson
+        name: Jean-Philippe Aumasson
+      -
+        ins: S. Neves
+        name: Samuel Neves
+      -
+        ins: Z. Wilcox-O'Hearn
+        name: Zooko Wilcox-O'Hearn
+      -
+        ins: C. Winnerlein
+        name: Christian Winnerlein
   Icart09:
     title: How to Hash into Elliptic Curves
     seriesinfo:
@@ -1331,6 +1379,12 @@ The hash\_to\_base function hashes a string msg of any length into an element of
 field F. This function is parametrized by the field F ({{bg-curves}}) and by H,
 a cryptographic hash function that outputs b bits.
 
+Implementors MUST NOT use rejection sampling to generate a uniformly
+random element of F.
+The reason is that these procedures are difficult to implement in constant time,
+and later well-meaning "optimizations" may silently render an implementation
+non-constant-time.
+
 ## Security considerations {#hashtobase-sec}
 
 For security, hash\_to\_base should be collision resistant and its output distribution
@@ -1341,7 +1395,8 @@ a cryptographic hash function H which satisfies the following properties:
 resistance, where k is the target security level in bits. (This is needed for a
 birthday bound of approximately 2^(-k).)
 2. H is modeled as a random oracle, so care should be taken when instantiating it.
-Hash functions in the SHA-2 and SHA-3 families are typical and RECOMMENDED choices.
+Hash functions in the SHA-2 {{FIPS180-4}} and SHA-3 {{FIPS202}} families are
+typical and RECOMMENDED choices.
 
 For example, for 128-bit security, b >= 256 bits; in this case, SHA256 would
 be an appropriate choice for H.
@@ -1374,12 +1429,6 @@ method for applying domain separation.
 
 {{hashtobase-impl}} details the hash\_to\_base procedure.
 
-Note that implementors SHOULD NOT use rejection sampling to generate a uniformly
-random element of F.
-The reason is that these procedures are difficult to implement in constant time,
-and later well-meaning "optimizations" may silently render an implementation
-non-constant-time.
-
 ## Performance considerations {#hashtobase-perf}
 
 The hash\_to\_base function uses HKDF-Extract to combine the
@@ -1441,7 +1490,48 @@ Steps:
 8. return u
 ~~~
 
-# Deterministic Mappings  {#mappings}
+## Alternative hash\_to\_base functions {#hashtobase-alt}
+
+The hash\_to\_base function is suitable for use with a wide range of hash functions,
+including SHA-3 {{FIPS202}}, BLAKE2 {{!RFC7963}}, and others.
+In some cases, however, implementors may wish to replace the HKDF-based function
+defined in this section with one that uses a different pseudorandom generator,
+e.g., a function based on an extendable-output function like cSHAKE {{SP.800-185}}
+or BLAKE2X {{BLAKE2X}}.
+This section briefly describes the REQUIRED way of doing so.
+
+The security considerations of {{hashtobase-sec}} continue to apply.
+In particular:
+
+- The alternative hash\_to\_base function MUST give collision resistance
+  commensurate with the security level of the target elliptic curve.
+
+- The alternative hash\_to\_base function MUST NOT use rejection sampling,
+  and it MUST output an element of F whose statistical distance from uniform
+  is commensurate with the security level of the target elliptic curve.
+  It is strongly RECOMMENDED to follow the guidelines for controlling bias
+  given in {{hashtobase-sec}}.
+
+- The alternative hash\_to\_base function MUST support domain separation
+  via a supplied domain separation tag.
+  For example, a hash\_to\_base function based on cSHAKE might set S,
+  the cSHAKE customization bit string argument, to the DST value.
+
+- The underlying pseudorandom generator MUST be designed for use in applications
+  where cryptographic randomness is required.
+  For example, an extendable-output function proved indifferentiable from a
+  random oracle (under some reasonable assumption) would be an appropriate
+  choice, as would a secure stream cipher.
+
+The efficiency considerations of {{hashtobase-perf}} should also be followed.
+In particular, it SHOULD be possible to hash one msg with multiple ctr values
+without requiring multiple passes over msg.
+
+Finally, the Suite ID value MUST be modified to indicate that an alternative
+hash\_to\_base function is being used.
+{{suiteIDformat}} gives details.
+
+# Deterministic Mappings {#mappings}
 
 The mappings in this section are suitable for constructing either nonuniform
 or random oracle encodings using the constructions of {{roadmap}}.
@@ -2201,6 +2291,14 @@ Fields MUST be chosen as follows:
 - HASH\_ID: a human-readable representation of the hash function used in
   hash\_to\_base ({{hashtobase}}).
 
+  If a suite uses an alternative hash\_to\_base function ({{hashtobase-alt}}),
+  a short descriptive name MUST be chosen for that function using only the
+  allowed characters listed above.
+  That name MUST be appended to the HASH\_ID field, separated by a colon.
+  For example, a hash\_to\_base function based on cSHAKE-128 might use the
+  short name "h2b/cshake128", and a reasonable value for the HASH\_ID field
+  would be "SHA3/256:h2b/cshake128".
+
 - MAP\_ID: a human-readable representation of the map\_to\_curve function
   ({{mappings}}).