### [CFRG] Asking the advice on the draft of pairing-friendly curves

Yumi Sakemi <yumi.sakemi@lepidum.co.jp> Tue, 22 December 2020 20:05 UTC

From: Yumi Sakemi <yumi.sakemi@lepidum.co.jp>

Date: Wed, 23 Dec 2020 05:05:22 +0900

Message-ID: <CAA4D8KZei_Cd+FhdgTH8MKOk2g126vFJihpEYJ23ZL3QfG3uGA@mail.gmail.com>

To: CFRG <cfrg@irtf.org>

Cc: Tetsutaro Kobayashi <tetsutaro.kobayashi.dr@hco.ntt.co.jp>,
SAITO Tsunekazu <tsunekazu.saito.hg@hco.ntt.co.jp>,
"Riad S. Wahby" <rsw@cs.stanford.edu>

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/2i183zl28y4fK54oIwqEfEVVu0U>

Subject: [CFRG] Asking the advice on the draft of pairing-friendly curves

Dear CFRG members

We have asked CFRG chairs about our response to Rene's comments and received their advice. Following their advice, we would like to explain again the purpose of our standardization of pairing-friendly curves, the selection process, and how to respond to Rene's comments in RGLC. After that, we would like to ask the advice of the CFRG members.

For more information about Rene's comments, please refer to the following URL
https://mailarchive.ietf.org/arch/msg/cfrg/pW71h3yUETnqedHsH0m3rwzPnm4/

First, the purpose and stance of our activities.

Our purpose is to standardize the secure parameters of pairing-friendly curves. Due to the attack by Kim in CRYPTO 2016, the BN254 curve which is widely used is no longer secure enough. From the viewpoints of the future internet, the number of cryptographic applications using pairing is increasing in recent years, and the types of curves, parameters, and security are varied. Some of these still have weak parameters in their implementations, so we strongly believe that it is pressing to standardize the secure pairing-friendly curves.

For more information, from the standpoint of the authors of this draft, we would like to remind you of our viewpoints based on our draft, as follows.

- We believe that it is important to have a standardized specification that can refer to secure parameters of pairing-friendly curves.
- Since the IETF and IRTF focus on implementation, we would like to know if it is implemented/used in the real world.
- For detailed calculation methods and data conversion methods, refer to appropriate standardization documents without mentioning them, in order to increase readability without making the draft unnecessarily long.
- To avoid the risk of violating patents and losing the range of accelerating methods freely chosen by implementers by including detailed calculation methods.
  Note: There is no patent on the parameters of the pairing-friendly curves, but we are well aware that there is a patent on the calculation method for acceleration.
- The position of this draft is not educational, but rather that the detailed calculation methods can be useful to implementers with appropriate citations.

In addition, we received a lot of comments from Rene, which were very detailed. We are very grateful for the comments from Rene, as they were very valuable in terms of improving the quality of the technical documentation of our draft. The comments were carefully discussed among the authors, and the comments were reflected as appropriate. However, if a comment is not in line with our writing policy, we will indicate the reason on GitHub.

For more information on responding to comments, please refer to the following URL
https://github.com/cfrg/draft-irtf-cfrg-pairing-friendly-curves/issues

Also, this draft has passed the Expert Review. In the Expert Review, we were advised to add some technical descriptions, and we reflected them. We believe that the quality of the document from a technical point of view can be guaranteed for the RFC.

In addition, it was pointed out that the selection process of the parameters may have been biased by a certain organization. However, you can see from the following discussion with CFRG members that we have an appropriate process regarding selection of parameters and that we accept comments widely.

(1) Armando's email: agree with BN462
https://mailarchive.ietf.org/arch/msg/cfrg/sIzv6XLNuL8VHor5voO1ybO__oI/

(2) Chloe's email: comments for the CP curve and agree with our recommended curves
https://mailarchive.ietf.org/arch/msg/cfrg/eAn3_8XpcG4R2VFhDtE_pomPo2Q/

(3-1) Scott's email: about another curve.
Comments on expanding polynomials and elliptic coefficients
https://mailarchive.ietf.org/arch/msg/cfrg/AWyX-JqAMZRaSiQvZbXezO83QZI/

(3-2) A reply from Kenny Paterson, the chair at the time, about the selection of the curve to post.
https://mailarchive.ietf.org/arch/msg/cfrg/19XqFwzdUXcn0CgsaShNbqrc1zs/

(3-3) Agreed with BLS12-381 from Scott.
https://mailarchive.ietf.org/arch/msg/cfrg/WHLTC50jx7CzS9H0kZp6Fae6tJs/

(4) Asking for BLS24 from Scott
https://mailarchive.ietf.org/arch/msg/cfrg/0Ms6CmcOlsnZ1WyBjbLdoh8t8jc/

Secondly, Rene claims that not all comment responses have been answered. We are addressing each and every one of his comments and responding to all of them. In fact, we have responded to every comment, and for the ones that have not been reflected in the draft, we have included the reason on GitHub, but since it was pointed out that it is difficult to check on GitHub, we will attach it at the end of this email, even though it is long.

As shown above, we have reviewed our stance and activities for standardization regarding the current parameters of pairing-friendly curves and presented our response to Rene's comments.

We would like to receive your advice on our activities from the CFRG ML members in order to progress 2nd RGLC as a next step.

Best regards,
Yumi

P.S. The following are our reply comments for Rene's comments in RGLC.

---

(Detailed Comments)

> Section 1.2 (and also elsewhere) seems to conflate standardization of parameters,
> availability of libraries, and actual deployment, where there is an unusual prominence
> (for an IRTF document) of company names. Wouldn't it make more sense to describe potential
> applications of pairing based cryptography in more technical terms, e.g., in terms of
> facilitating aggregate signatures, remote attestation, etc., and provide a brief
> description (and a technical reference)?

Thank you for your comment!
We think there is no problem, as there is no special intention to promote the company names in the draft, and they are shown to indicate the actual adaptive status of the pairing-friendly curves. If needed, we expect that it will be pointed out again in the future standardization process (e.g., IRSG Reviews), so we would like to discuss how to update it with the reviewer at that time.

> Section 1.3: the main point of the extTNFS attack is that it tries and solve the DLP in
> low-degree extension field GF(p^t) for small composite t>1 faster. To bring this point
> across, I suggest changing reference to "by the attack" (l. 5 of Section 1.3) by
> something more closely reflecting this.

Thank you for your suggestion! We agreed with your comments and added an explanation of the attack.

> Section 2.3, 4th para (top of p. 8): elaborate on the "BN curves always have order 6
> twists" remark (this seemed to have been copied ad verbatim from the [BD18] paper).

I greatly appreciate you pointing this out. I couldn't find that it was a copy because it was written by the previous author. I have rewritten the entirety of the relevant sentence.

> Section 2.4, 4th para: it would be good to mention that parameter t must be 1 (mod 3),
> since otherwise p is not an integer.

Thank you for your suggestion! We revised the part pointed out according to your comments.

> Section 2.5: the representation conventions are highly confusing, esp. for extension
> fields. Why not define everything in terms of a prime field GF(p) and extension field
> GF(p^t), with fixed irreducible polynomial f(z) of degree t over GF(p)? This has been
> successfully used with elliptic curve specifications (NIST, ISO, ANSI, BSI) not
> tailored to pairing based crypto. This would also avoids questions that now immediately
> come up (such as whether defining GF(p^{d'}) in terms of GF(p^{d}) and "inductively
> applying the above convention" does yield an unambiguous definition.
> Since all finite fields of fixed size are isomorphic, it would be much easier to stick
> to the standard way of doing this. This would also avoid messy tower of extension field
> arguments and messy representations of elements hereof (e.g., in Section 4.4). See also
> Appendix J on data conversions of the lwig draft referenced in this draft. As final note,
> the data conversions in that lwig draft require specifying bit/octet encodings (which, in
> the pairing case, seem to be most-significant-byte-first (MSB) and
> most-significant-bit-first (msb).

Thanks for your comments. Your proposed extension field seems to be simple, but there are many different ways to construct an extension field GF(p^12). Since BN254 with the embedding degree 12 was a major parameter, efficient construction methods for GF(p^12) have been researched. From the viewpoint of practical use, we adopted the construction method with (Fp-Fp2-Fp6-Fp12) using tower fields, which has also been used in implementations such as mcl library. In addition, we use MSB-first (the big-endian encoding), so we've written that.

> Section 3.1, 4th para: it is unclear what the meaning of "best known" is: is this
> "best-known" (i.e., most well-known) or "simply the best"? Given the description, the
> first meaning should be the correct one…

Thank you for your comments! We revised the part pointed out according to your comments.

> Section 3.2: what is missing is a section that actually describes the attack, rather
> than simply plugging in some implied numbers based on a paper (presumably [BD18]). Why
> not add some verbiage that explains this in simple but roughly accurate terms ("The
> exTNFS Attack", or, better, "Attacks on DLP over Low-Degree Extension Fields", or even
> better, "Solving the DLP in Finite Fields" (there has been lots of progress there for
> mid-size base fields too)).
> This is a CFRG document, so one would expect something that
> provides insight, rather than simply a bombardment of tables, some selection criteria,
> and a filtered list. Wouldn't the objective of this whole effort be to educate the CFRG
> audience on pairing-based crypto, rather than (say, obtaining an RFC number from an SDO
> and marketing this as an implied "authoritative" approval stamp)?

Thank you for your suggestion! We agreed with your comments and added an explanation of the attack.

> Section 3.2: I remember that Francisco Rodriguez-Henriquez (fix name in references)
> presented attacks at the CHES 2013 rump sessions, where question was whether this
> spelled trouble for pairing-based crypto. While I do not have his presentation then on
> file, it may be good to dig this up or ask him, and contemplate on wider implications
> of DLP progress in general (see also first general review remark).

Thanks for the reference information. On the other hand, the rump session is not a peer-reviewed presentation, so it is difficult for us to refer to it. Also, since CHES 2013 is before exTNFS (Kim's attack) was proposed, we believe that if the impact of Francisco's presentation is significant, it would be carried over into the research of exTNFS.

> Section 3.2, 2nd para: A natural question is what one could say about DLP complexity
> for GF(p^k), in terms of dependency on p and k. Unfortunately, this section does not
> provide any insight on this (it only provides a single numerical value for BLS48
> curves, without any context). I would suspect the reader audience would appreciate such
> insight, without need to wade through a whole forest (6 1/2 pages: far too much
> reference stuffing!) of references by himself without any guidance as to whether this
> would be time well-spent or lost.

Thank you for your comment. As you point out, there are a lot of citations, but we would like to summarize based on a fact shown in related papers.
The reason is to avoid mistakes and misleading for the readers by re-writing the content of the paper. Therefore, we believe that a description of the impact of the attack, which is a fact shown in [BD18], is sufficient for the draft.

> Section 4: as stated before, the selection criteria seem somewhat arbitrary, since
> conflate specification text, libraries, with actual deployment. Moreover, the most
> important criteria should probably be security and speed given particular security
> strength, and potential support for finite field arithmetic on platforms (speaking of
> which: why not devote a section on whether one can actually implement GF(p^k) securely
> using finite field libraries, including modular reductions, side channels, etc.?). The
> term "adoption status" seems, in any event, misleading.

Thanks for your comment. This comment has already been answered as General Remarks by e-mail.

> Section 4.1, Table on pp. 12-15: if one strikes out domain parms rendered immediately
> suspect by the exTNFS paper on DLP, this kills off 8 out of 10 entries on p. 12 (and
> far more if one strikes out suspect values across the entire table). This makes me
> wonder what the technical reason is for including this entire table. To the casual
> reader it now suggests that there are huge numbers of implementations out there,
> whereas - perhaps - most of those should be switched off immediately...

Thanks for the suggestion! Based on your suggestion, we have removed the parameters of the 100-bit security level from Table 1. On the other hand, we have summarized the parameters removed from Table 1 as a separate table and showed them in the appendix, because we believe that it would be useful information for implementers to indicate in which libraries the parameters of the 100-bit security level are in. The problem with the size of Table 1 has been pointed out by other CFRG members, but we haven't found a solution to it.
We feel that your suggestions have made it more readable, and we greatly appreciate it.

> Section 4.2.1: The extension field GF(p^{12}) can also be described via GF(p) and
> degree-12 polynomial f(w):=(w^6-1)^2+1. This would allow using simple conventions used
> in Lidl et al's finite field book [2]. It also allows description of an element x of
> GF(p^{12}) as vector (x_{11}, ..., x_1, x_0) of coefficients of GF(p) with this
> irreducible polynomial. Note here that u+1:=w^6 and v:=w^2, so one can easily
> internally use the more complex tower field stuff in the draft, while sticking to
> simple and easy to maintain standard constructions (known for 2 centuries) for
> specifications (so, nobody loses out if one has a slim interface that does this
> conversion back and forth, if necessary).

Thanks for your suggestion. Please refer to the answer to the fifth technical comment regarding the reasons for adopting the construction of the extension fields.

> Section 4.2.1, bottom of p. 18: shouldn't the cofactor h be such that
> h*r= # E'(GF(p^2))? {please also fix Et and use E' notation as elsewhere in the draft}

Thank you for your comment! We revised the part pointed out.

> Section 4.2.1, parameter b' (bottom of p. 19): if one uses the complicated tower
> construction, why then not also mention the value of u in the enumeration? Is one
> actually sure this value is uniquely defined (e.g., I did not check but wondered what
> would happen if one replaces u by -u in the tower construction)? Same with end of
> Section 4.2.2...

Thanks for your question. In our draft, the parameter u is given as a polynomial, because it is the element in the extension field. That is, it does not have a numerical value.

> Section 4.2.2, 5th para: the statement "CP8_544 is more efficient" is hard to interpret
> without context (e.g., half the cost, cost-1, cost - o(log log log n)).

Thanks for pointing this out.
We have added the results of comparing the performance between BN462 and CP8_544, based on the paper.

> Section 4.2.2, bottom of p. 20: with parms BN462, why not simply introduce base point
> G, parameter n, h, etc., once and for all in Section 2.1, without trying to repeat
> their definition in Section 4.2.2 (and later sections)?

Thanks for your suggestion! Based on the suggestion, we modified the description of terminology and deleted the apparently repeated definitions, such as parameter n, h, etc.

> Section 4.2.2, top of p. 21: the formula for h seems incorrect (G2 is defined over
> GF(p^2), whereas the formula refers to a curve defined over GF(p^8).

Thank you for your comments! We revised the part pointed out.

> The security consideration section (Section 5) is rather slim: (speculation on my side)
> is the reason to label this draft as "experimental" that design strength vs. actual
> strength is somewhat in limbo due to progress on DLP problem? Why suddenly squeeze in a
> point validation routine if no context is given at all of where and how pairing based
> crypto is used? With point validation, what if an octet representation is outside GF(p)
> boundary? (while the forelast para seems to imply an attack one is completely left in
> the dark what is at stake here). Not sure whether it is the role of CFRG documents to
> legitimize "BN254 use ... to keep interoperability". The end of the first para ("as of
> 2020, as far as we know, there are no fatal attacks that significantly reduce the
> security of pairing-friendly curves after exTNFS") is entirely non-reassuring to me: it
> is only four years after the DLP attack that necessitated to strike out half of the
> entries in the table earlier on in the paper, not that many people work on
> pairing-based algorithmic cryptanalysis in the first place, etc., etc. Where does this
> confidence come from (shouldn't one be more modest here, technically speaking???).
> The Cheon attack is not explained and cannot be evaluated at all, since no context on
> elliptic arithmetic is given at all in the draft.

Thanks for your comments! There are multiple items in the comment, and we will answer below.

Regarding the comments related to the draft type "experimental", please be assured that we will discuss the change to "informational" with the CFRG chairs.

The application of pairing is shown in Section 1, so we have added a citation of Section 1.

As you pointed out, the description allowing the use of BN254 is inappropriate as an IRTF draft, so we have removed that statement.

As for attacks outside GF(P) boundary of the octet string, there are fears of signature forgery.

Since you were concerned about the description of "as far as we know...", we revised it more properly. We write our draft based on the investigation result of the conference papers, so we revised it as "as far as we've investigated the top cryptographic conferences in the past...".

We added the explanation of the Cheon algorithm.

> Section 5, 3rd-last para: Why would the Montgomery ladder suddenly come to the rescue to
> salvage side channel resistance? Why refer to RFC 7748: whereas pairing-friendly curves
> are all Weierstrass curves, the curves in RFC 7748 are all Montgomery curves with
> completely different underlying detail on differential-addition chains). It seems that
> an entire section should be devoted to how implementations could avoid SCA attacks, esp.
> since some operations take place in huge extension fields GF(p^t)...

Thank you for pointing that out! Thanks to your point, we found that the readers may not immediately understand by RFC 7748 that the Montgomery ladder can be applied to Weierstrass curves. So we decided to refer to another reference that specifies the detailed algorithm of Montgomery ladder.

> Appendix C seems to convey a particular encoding used by ZCash. I don't think it is the
> role of CFRG to make those the standard way of doing things.
> This being said, technically that representation is a tiny tweak of what the SECG1
> specification already stipulated in 2001 (with SEC1, one can extract the
> affine/compressed encoding of an affine point and whether this relates to the point at
> infinity from the leftmost octet (0x04, 0x02 or 0x03, vs. 0x00), which more or less 1-1
> corresponds to the (C_bit, I_bit, S_bit) combinations. If so, reinventing yet another
> representation is hard to defend.
> The parity bit notation for finite fields is highly non-standard, compared to, e.g.,
> what has been standard usage with compressed points for curves over prime fields or
> binary extension fields. Even if this would have some uses, why not defining things
> once and for all for all extension fields of an odd prime field, so that this is a
> simple extension. See also Appendix H of [1] (parity function for any field GF(p^k),
> where p odd). This should also help in limiting side channel leakage from the
> first-half vs. last-half of [0,p-1] test.

Thanks for your comments! We do not wish to propose the ZCash representation as a new convention in our draft. Our motivation is to describe the ZCash representation as a reference to implementers because it is the data convention that has been adopted by many BLS signature implementations. Therefore, to avoid any misunderstanding to the reader, we have clearly written that ZCash representation is a tiny tweak of SEC1 representation.

In addition, for your reference, we would like to mention that the parity bit representation is not entirely non-standard, as it is proposed in the IEEE document. IEEE Std 1363a-2004 gives serialization and deserialization procedures for curves over GF(p^m), and the ZCash spec is also very roughly similar to those.

(Editorial Comments)

> Section 2.1, first para: replace "F_q" by GF(q), stipulate that extension degree n>0.

Thank you for your comments! We revised the part pointed out according to your comments.
> Section 2.1, first para: with defining equation, use more common domain parameters a
> and b (i.e., lowercase instead of upper case). Elsewhere, do use common nomenclature
> used with NIST, ANSI, SECG, ISO for 2 decades, including n for prime-order subgroup, h
> for co-factor, mention irreducible polynomial f(z) with extension field, denote fixed
> base point by P (instead of BP), etc. If one wishes, refer to Appendix B.1 of [1].

Thanks for your suggestions. According to your comment, we changed the domain parameters "A" and "B" to "a" and "b" because a lot of documents related to ECC use "a" and "b". The "a" was used to represent another parameter, so we also changed the related parts. On the other hand, we are sorry, but we did not change the parameter "BP" that represents the base point BP to P, because we would like to use P as a variable to represent an arbitrary rational point.

> Section 2.1, 2nd para: "point on" should be "point of".

Thank you for pointing this out. I'm sorry, but some standard specifications and textbooks use "on", so I would like to follow them.

RFC6090: Fundamental Elliptic Curve Cryptography Algorithms
https://tools.ietf.org/html/rfc6090

Hashing to Elliptic Curves
https://tools.ietf.org/pdf/draft-irtf-cfrg-hash-to-curve-09.pdf

SEC 1: Elliptic Curve Cryptography
https://www.secg.org/sec1-v2.pdf

Rational Points on Elliptic Curves (Undergraduate Texts in Mathematics)
J. H. Silverman, J. T. Tate
https://www.amazon.co.jp/Rational-Elliptic-Undergraduate-Mathematics-English-ebook/dp/B00YPPBZYG

Handbook of Elliptic and Hyperelliptic Curve Cryptography
H. Cohen et al.
https://www.amazon.co.jp/dp/B00I60LZPA/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1

> Section 2.1, first/3rd para: isn't it simpler to define curve over GF(q) and then
> introduce curve with same domain parms, but then defined over extension field GF(q^k)?

Thank you for your suggestion! I'm sorry, but I think there is not a big problem because this part has passed Expert Review.
> Section 2.1, 3rd para: "group law which" should be "group law that", "reflection about
> x-axis" should be "reflection around x-axis", with "unique third point of intersection
> [R]" (i.e., give this a name, here R), with [a]P, stipulate that [0]P is the identity
> element and that [-a]P=-([a]P), etc.
> Section 2.1, terminology: fix E(F_{q^k}) (i.e., add parentheses), fix that this refers
> to GF(q^k)-rational points (rather than GF(q)-rational points, same with cardinalities.
> Section 2.1, terminology: with co-factor h, doesn't one need gcd(h,n)=1 (so, as to
> ensure unique order-n subgroup)?
> Section 2.2, 2nd para "is called embedding degree of E over GF(q)" (i.e., add curve
> and field over which this is defined)
> Section 2.2, 2nd para: the term "twist" is not defined (but often used elsewhere in the
> draft), neither is the term GF(p^k)* (nonzero elements of GF(p^k).
> Section 2.3, 2nd para: replace "prime p" by "prime number p (where p at least five)".
> Section 2.3, 3rd para (top of p. 8): write "the multiplicative group..." or, better
> still, simply state that b is a primitive element of GF(p) (and add this to
> terminology).
> Section 2.4, 4th para: "parameterized" should read "parameters".
> Section 3.1, 3rd para: "paiting-based" should be "pairing-based" (i.e., fix the typo
> "t" --> "r").
> Section 3.1, 4th para: "to solve" should read "for solving".
> Section 3.2, 1st para: "the security level(s)" (i.e., make plural), "... correspond"
> (i.e., use corresponding verb conjugation).
> Section 4.2.1, 4th para: "categorized as M-type" ("as" instead of "into").

Thank you for your comments! We revised the part pointed out according to your comments.

> Section 4.2, 2nd para: reword "more prudent option" as "more conservative option".

Thanks for your comment. I'm sorry, but this sentence was suggested by the Expert Reviewer, so I'd like to keep this expression.

--------

--
Yumi Sakemi, Ph. D.
Lepidum Co. Ltd.

E-Mail: yumi.sakemi@lepidum.co.jp
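
An added example, not part of the e-mail or of the draft, for two points raised in the comments above: the Section 2.4 remark that t must be 1 (mod 3), and the Section 5 / Appendix C discussion of octet strings that fall outside the GF(p) boundary. It assumes BLS12-381 with t = -0xd201000000010000 and a 48-octet compressed G1 encoding whose three most significant bits are C_bit, I_bit and S_bit; all function and class names are hypothetical, and only the encoding is checked, not curve or subgroup membership.

```python
"""Added example: BLS12 prime from t, and strict parsing of a compressed G1 string."""
from dataclasses import dataclass

# Assumption: BLS12-381 curve parameter t (not stated in the e-mail above).
T = -0xD201000000010000


def bls12_prime(t: int) -> int:
    """Return p(t) = (t-1)^2 * (t^4 - t^2 + 1) / 3 + t for the BLS12 family."""
    # t^4 - t^2 + 1 is congruent to 1 mod 3 for every integer t, so the
    # division by 3 is exact only when 3 divides (t-1)^2, i.e. t = 1 (mod 3).
    if t % 3 != 1:
        raise ValueError("t must be 1 (mod 3), otherwise p is not an integer")
    return (t - 1) ** 2 * (t**4 - t**2 + 1) // 3 + t


P = bls12_prime(T)                      # 381-bit base field prime
G1_LEN = 48                             # octets in a compressed G1 point
C_BIT, I_BIT, S_BIT = 0x80, 0x40, 0x20  # assumed flag positions, first octet
FLAG_MASK = C_BIT | I_BIT | S_BIT


class EncodingError(ValueError):
    """Raised when an octet string is not a canonical compressed G1 encoding."""


@dataclass(frozen=True)
class G1Header:
    infinity: bool   # I_bit
    y_sign: bool     # S_bit, selects one of the two candidate y values
    x: int           # x-coordinate as an integer in [0, p-1]


def encode_g1_compressed(x: int, y_sign: bool = False, infinity: bool = False) -> bytes:
    """Build a constructed sample input. Deliberately performs no validation."""
    raw = bytearray(x.to_bytes(G1_LEN, "big"))   # MSB-first, as in the draft
    raw[0] |= C_BIT | (I_BIT if infinity else 0) | (S_BIT if y_sign else 0)
    return bytes(raw)


def parse_g1_compressed(octets: bytes) -> G1Header:
    """Parse the flags and x-coordinate, rejecting every non-canonical form."""
    if len(octets) != G1_LEN:
        raise EncodingError("wrong length for a compressed G1 point")
    flags = octets[0] & FLAG_MASK
    if not flags & C_BIT:
        raise EncodingError("C_bit clear: not a compressed encoding")
    # Mask the three flag bits away before interpreting the coordinate.
    x = int.from_bytes(bytes([octets[0] & ~FLAG_MASK & 0xFF]) + octets[1:], "big")
    if flags & I_BIT:
        # The point at infinity has exactly one valid encoding.
        if flags & S_BIT or x != 0:
            raise EncodingError("point at infinity with stray bits set")
        return G1Header(infinity=True, y_sign=False, x=0)
    if x >= P:
        # Without this check x and x + p would both decode to the same field
        # element, giving two octet strings for one point.
        raise EncodingError("x-coordinate is outside the GF(p) boundary")
    return G1Header(infinity=False, y_sign=bool(flags & S_BIT), x=x)


if __name__ == "__main__":
    print("p has", P.bit_length(), "bits")
    print(parse_g1_compressed(encode_g1_compressed(5, y_sign=True)))
    try:
        parse_g1_compressed(encode_g1_compressed(P))   # constructed bad input
    except EncodingError as exc:
        print("rejected:", exc)
```

A caller would still have to recover y, check that the point is on the curve and check subgroup membership before using it.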
