From d45fd69ef0982fd7d45ad5aa78abc4f78dc0f898 Mon Sep 17 00:00:00 2001 From: "Riad S. Wahby" Date: Fri, 11 Oct 2019 18:27:50 -0700 Subject: [PATCH] add two sentences justifying lack of try-and-increment this addresses #153 --- draft-irtf-cfrg-hash-to-curve.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/draft-irtf-cfrg-hash-to-curve.md b/draft-irtf-cfrg-hash-to-curve.md index f142670c..520fd29c 100644 --- a/draft-irtf-cfrg-hash-to-curve.md +++ b/draft-irtf-cfrg-hash-to-curve.md @@ -828,6 +828,12 @@ We provide implementation details for each algorithm, describe the security rationale behind each recommendation, and give guidance for elliptic curves that are not explicitly covered. +This document does not cover rejection sampling methods, sometimes known +as "try-and-increment" or "hunt-and-peck," because the goal is to describe +algorithms that can plausibly be made constant time. Use of these rejection +methods is NOT RECOMMENDED, because they have been a perennial cause of +side-channel vulnerabilities. + ## Requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
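Review bot: The added paragraph states that rejection-sampling methods "have been a perennial cause of side-channel vulnerabilities" without any citation; since this sentence carries a normative NOT RECOMMENDED, add an informative reference to the published timing-attack work the authors have in mind so the claim is verifiable from the draft itself. Also, the uppercase NOT RECOMMENDED appears in the introductory text immediately before the "## Requirements" section that defines the key words ("MUST", "MUST NOT", ...); either move the recommendation below that section or confirm that the key-word definition is meant to govern the whole document including earlier prose. Minor: "the goal is to describe algorithms that can plausibly be made constant time" and the side-channel justification make the same point twice; one sentence such as "because they are difficult to implement in constant time and have repeatedly led to side-channel vulnerabilities" would say it more tightly.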