IETF Logo Mail Archive

[CFRG] Re: Pairing-Friendly Curves: Open Questions Before Draft Update

Jack Grigg <ietf@jackgrigg.com> Tue, 16 December 2025 00:46 UTC

Return-Path: <me@jackgrigg.com>
X-Original-To: cfrg@mail2.ietf.org
Delivered-To: cfrg@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id DE7D29B03220 for <cfrg@mail2.ietf.org>; Mon, 15 Dec 2025 16:46:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2rSag5XZlUi2 for <cfrg@mail2.ietf.org>; Mon, 15 Dec 2025 16:46:25 -0800 (PST)
Received: from mail-ej1-f51.google.com (mail-ej1-f51.google.com [209.85.218.51]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 30DAF9B03219 for <cfrg@irtf.org>; Mon, 15 Dec 2025 16:46:25 -0800 (PST)
Received: by mail-ej1-f51.google.com with SMTP id a640c23a62f3a-b79af62d36bso774692766b.3 for <cfrg@irtf.org>; Mon, 15 Dec 2025 16:46:25 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1765845978; x=1766450778; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=5TUD5NxBFQl3aVccbl/7HCD8oOcKndaQuAA/ifFZqh8=; b=Drqjnl5gLXX925fwKPSd6uNV4vKCdt/cXiBbckyfD7D8e5Tx6Qqa/Y51lSAD8xD1sX zSnt0d4QnLykTynhyBuReZS2AyYKu9eFns3DJe5MMuDd8Ky/1XsB83auDUl+U7cJhWXP welPKSRUU8z4m939ky4B5a2Ax2fS7j3rmsZtFEBP1hq88PHxS0pOsNjwmm2duF6KpfYl cgJ7XZWRTQAsklqcO/iivB5qx+CxTb91j22diYBJyjD2i0x7KHK6NTQ5fw+50nij6ZSJ Ghvd23ELYj+lP5TkOYyJQgOt1ajuoSX3GehYUmi26vbWDxBzJzdVlI5ic9IlhfQfgdNs fMbA==
X-Gm-Message-State: AOJu0YwV8L4BSeHDDHSSKyLhkaZva26MmHdyWB8rPHD9Ss4jy3QYmUGr hWnvpqnRtEr3ztjruZR/BE4wZskpUCtqPqmAa/ETP/bf1fOFOKYMSmuDzP3cITCpxQ+IAT5SPhu yVkseyNw/CRc+JSTkgM9NMct1yc5KHyc6UYc6PPMkLg==
X-Gm-Gg: AY/fxX4Kt8dH6VVfYvxhUn/loevpOB4hY8lqNP7NhiXxuv5WN0izbYImGdDU+NYP3yB JR6/DsQMIBfRdgqWH0Zz42+l79r4dlftb+rnWDF8V5qj5oIPgjVWpAj7xeCkEfj0XcLGPvmk6ad lCMlAhlm2IA8UB7jwNd+vvWRyQa5Uhmwi3TpjitnxxxIVf24PJC1j5PQ61UXYUC+AgAFqa/BQIS NArgF3e7JWwZTr0nzRhe5vE8/GFDjeEybZ2Aq5E50PoHSDJJHGppeKXA1PXWkKXJEPFRENA
X-Google-Smtp-Source: AGHT+IEeGgHYUE0WDOFh+qgHQRI94qXG4qUWpmqt2eJVhwFJKSn4FRnMs6lpHCSwcDLaGDsmtRQBCihUyyx9h34cejI=
X-Received: by 2002:a17:907:7ba6:b0:b7c:fe7c:e36e with SMTP id a640c23a62f3a-b7d235c6b75mr1350970466b.11.1765845977800; Mon, 15 Dec 2025 16:46:17 -0800 (PST)
MIME-Version: 1.0
References: <CAOjisRy=_=+rGpjX-3=1uDNfhBrzKggrw+Ts8QVdebeGAtU3xg@mail.gmail.com> <B70B1FC1-BEF1-4C18-B5EB-B42703A9BE7C@alkaline-solutions.com>
In-Reply-To: <B70B1FC1-BEF1-4C18-B5EB-B42703A9BE7C@alkaline-solutions.com>
From: Jack Grigg <ietf@jackgrigg.com>
Date: Tue, 16 Dec 2025 00:46:05 +0000
X-Gm-Features: AQt7F2pNc-UQKQLNz8-o01-4Mg-m8mDw28la1qSD-5mrGmDud7WXbKcAj5X8jY4
Message-ID: <CAPC=aNXqh=pmB9a8No-h=ME4hTF9ssvn_MkcxM5sg9R+0hCGkw@mail.gmail.com>
To: David Waite <david=40alkaline-solutions.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003ca7420646070e05"
Message-ID-Hash: KFTLXIDDSEL7OTQKCXYW6GHSSDR3XBLU
X-Message-ID-Hash: KFTLXIDDSEL7OTQKCXYW6GHSSDR3XBLU
X-MailFrom: me@jackgrigg.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; header-match-cfrg.irtf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: CFRG <cfrg@irtf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Reply-To: ietf@jackgrigg.com
Subject: [CFRG] Re: Pairing-Friendly Curves: Open Questions Before Draft Update
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-KRy4O7QNfDLklD7wbITxtQ3PA0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

Hi, Zcash developer here.

On Mon, 15 Dec 2025, 11:36 pm David Waite, <david=
40alkaline-solutions.com@dmarc.ietf.org> wrote:

> WRT serialization around BLS-12-381:
>
> - draft-irtf-cfrg-bbs-signatures-09 appendix B.2 duplicates the point
> encoding and decoding, and the algorithm uses this binary representation to
> serialize points as messages in the signature algorithm (with constraints,
> discussed below under the curve selection topic)
>
> - draft-ietf-cose-bls-key-representations-08 references this, and also
> applies a delta to the BBS definition as the prescribed way to represent
> BLS48-581 points in JWK/CWK documents
>
> - draft-irtf-cfrg-bls-signature-06 instead references a historical version
> of a rust crate README.
>
> Also, the document originally referenced by paring-friendly-curves for the
> ZCash work (for its own appendix describing this representation) appears to
> have moved or disappeared - I believe because the above mentioned README.md
> has since been edited.
>

The [ZCashRep] reference taken in July 2017 is indeed outdated because our
BLS12-381 implementation was extracted into its own crate in the many
intervening years. The correct URL is now:

https://github.com/zkcrypto/bls12_381/blob/main/README.md#curve-description

The specification for the serialization format that
draft-irtf-cfrg-bls-signature-06 referenced as [ZCash] (incorrect
capitalization by the way, it should be Zcash in all places) is now here:

https://docs.rs/bls12_381/latest/bls12_381/notes/serialization/index.html

However, I would treat both of these as informative references. For a
normative reference to how Zcash specifies and serializes BLS12-381, you
should reference the Zcash Protocol Specification. The precise reference is:

[Zcash] D.-E. Hopwood, S. Bowe, T. Hornby, and N. Wilcox, "BLS12-381",
Zcash Protocol Specification, Version 2025.6.1 [NU6.1],  Section 5.4.9.2, <
https://zips.z.cash/protocol/protocol.pdf#blspairing>

The URL with anchor is a stable reference to the latest version of that
part of the spec (we take great care to ensure those anchors don't break).

It would be great if we could reference this representation definitively in
> one place, without indicating ZCash as a possibly more authoritative work,
> and ideally without other dependent specs needing to constrain or expand
> upon the format. I don’t think any of the three documents I’ve referenced
> above are ideal though - I think that the serialization should be in this
> document or one split out from it.
>
> My preference as an implementor would be not to split out the point
> representation - or to have pairing-friendly-curves normatively reference
> the document that these were split into. As much as possible we should
> encourage a single serialization for valid points on a particular curve.
>
> I suspect such representations are also useful for documenting and
> leveraging test vectors.
>

FYI in case CFRG was not already aware, we have test vectors here for G1
and G2 compressed and uncompressed encodings (in a concatenated binary
form, but it would be trivial to convert them into a text form):

https://github.com/zkcrypto/bls12_381/tree/main/src/tests


> <snip>
>
> Serialization
>
>    - The current draft allows both compressed and uncompressed encodings,
>    including identity elements. Concerns were raised about interoperability
>    and risks from optional encodings. Should the draft specify a simpler,
>    consistent serialization format for implementers? Should identity points be
>    disallowed or tightly constrained?
>
> My take is that we should have a single encoding function per curve that
> produces fixed-length, compressed, non-identity elements - and a decoding
> function that fails on uncompressed and identity elements.
>
> In the BLS case, that encoding should be a subset of the ZCash-based
> serialization, restricting that “C" is always 1 and “I" is always 0. BBS I
> believe constrains the algorithm to only support compressed points, but
> does not constrain serializing infinity.
>

This matches what we specify in the Zcash Protocol Specification.

We do use the uncompressed encoding when storing the verification keys for
the Sapling Spend and Output circuits (as an optimisation to avoid
additional work when loading them from disk, and because we hash-pin these
static files), but the points at infinity never occur proofs, and for
proofs encoded in transactions (i.e. on the wire) we only use compressed
points.

Cheers,
Jack

v2.46.0 | Report a Bug | By Email | System Status