relic-toolkit / relic

ed_map in relic_ed_map.c is insecure #22

Closed bitwiseshiftleft closed 7 years ago

bitwiseshiftleft commented 9 years ago

Hi all,

I was looking for implementations of hashing to elliptic curves, and I found RELIC's ed_map, ep_map etc. The ed_map function appears to have a mostly secure (but not constant-time) implementation of mapping to the curve #if0'd out. What is implemented is just g^hash.

This is very dangerous! Most protocols which hash to the curve need an inverse-sampling requirement, and break instantly and completely if you use g^hash. For example, BLS signatures (if you have pairings on an Ed curve), Dragonfly, SPAKE2, SPAKE2EE and GJKW signatures break completely.
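The failure described above, as an added example that is not part of RELIC or this thread: a toy Python model on the Ed25519 parameters contrasting the reported hash(m)*B construction with a try-and-increment map, a check that detects a map whose discrete log is public, and the BLS consequence (sk*H(m) becomes computable from the public key alone). The curve arithmetic, the try-and-increment map, and the message and key used are constructed for this illustration; the arithmetic is affine and not constant-time.

```python
import hashlib

# Ed25519 parameters (a = -1); affine, non-constant-time arithmetic, for illustration only
p = 2**255 - 19
d = -121665 * pow(121666, -1, p) % p
l = 2**252 + 27742317777372353535851937790883648493  # prime order of the base point
I = pow(2, (p - 1) // 4, p)                          # a square root of -1 mod p

def recover_x(y, sign):  # x with -x^2 + y^2 = 1 + d*x^2*y^2 and parity `sign`, else None
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * I % p
    return None if (x * x - xx) % p else (p - x if x and (x & 1) != sign else x)

def add(P, Q):  # complete twisted-Edwards addition law
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)

def mul(k, P):  # double-and-add; (0, 1) is the neutral element
    R = (0, 1)
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def on_curve(P):
    return (-P[0] ** 2 + P[1] ** 2 - 1 - d * P[0] ** 2 * P[1] ** 2) % p == 0

By = 4 * pow(5, -1, p) % p
B = (recover_x(By, 0), By)  # standard base point (even x)

def h_int(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def insecure_map(m):  # what the issue reports: hash(m)*B, whose discrete log is hash(m)
    return mul(h_int(m) % l, B)

def try_and_increment_map(m):  # hash to y, retry until x exists, clear the cofactor 8
    for ctr in range(2**32):
        h = h_int(m, ctr.to_bytes(4, "little"))
        y, x = h % p, recover_x(h % p, (h >> 511) & 1)
        if x is not None and mul(8, (x, y)) != (0, 1):  # skip small-order points
            return mul(8, (x, y))

def leaks_dlog(hash_to_curve, m):  # check: does hash(m)*B reproduce the map output?
    return hash_to_curve(m) == mul(h_int(m) % l, B)

def bls_sign(sk, m, hash_to_curve):  # BLS signature on m is sk * H(m)
    return mul(sk, hash_to_curve(m))

def bls_from_public_key(pk, m):  # under the insecure map sk*H(m) equals hash(m)*pk
    return mul(h_int(m) % l, pk)
```

The `leaks_dlog` check is the property to test any hash-to-curve against: if `hash(m)*B` reproduces the output, the map provides no inverse-sampling hardness and every protocol listed above loses its security.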

tfar commented 9 years ago

@bitwiseshiftleft Indeed I went for the naive and insecure solution here when I implemented that. I already looked at https://eprint.iacr.org/2009/226.pdf and Elligator for secure hashing on a curve, but as I had no immediate requirement for that function, I postponed an implementation.

dfaranha commented 7 years ago

This is finally implemented and the issue can now be closed! :)