add two sentences justifying lack of try-and-increment

this addresses cfrg#153
kwantam · Oct 12, 2019 · d45fd69 · d45fd69
1 parent 5bb8937
commit d45fd69
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/draft-irtf-cfrg-hash-to-curve.md b/draft-irtf-cfrg-hash-to-curve.md
@@ -828,6 +828,12 @@ We provide implementation details for each algorithm, describe
 the security rationale behind each recommendation, and give guidance for
 elliptic curves that are not explicitly covered.
 
+This document does not cover rejection sampling methods, sometimes known
+as "try-and-increment" or "hunt-and-peck," because the goal is to describe
+algorithms that can plausibly be made constant time. Use of these rejection
+methods is NOT RECOMMENDED, because they have been a perennial cause of
+side-channel vulnerabilities.
+
 ## Requirements
 
 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",