### Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friendly-curves-07

Armando Faz <armfazh@cloudflare.com> Wed, 08 July 2020 12:21 UTC

Return-Path: <armfazh@cloudflare.com>

X-Original-To: cfrg@ietfa.amsl.com

Delivered-To: cfrg@ietfa.amsl.com

Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id C13BF3A0955
for <cfrg@ietfa.amsl.com>; Wed, 8 Jul 2020 05:21:59 -0700 (PDT)

X-Virus-Scanned: amavisd-new at amsl.com

X-Spam-Flag: NO

X-Spam-Score: -2.099

X-Spam-Level:

X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no

Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=cloudflare.com

Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id i5nZFx4drYNJ for <cfrg@ietfa.amsl.com>;
Wed, 8 Jul 2020 05:21:57 -0700 (PDT)

Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com
[IPv6:2a00:1450:4864:20::12b])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 726A73A0958
for <cfrg@irtf.org>; Wed, 8 Jul 2020 05:21:57 -0700 (PDT)

Received: by mail-lf1-x12b.google.com with SMTP id k15so26741223lfc.4
for <cfrg@irtf.org>; Wed, 08 Jul 2020 05:21:57 -0700 (PDT)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=cloudflare.com; s=google;
h=mime-version:from:date:message-id:subject:to:cc;
bh=cGUi+Z5AWYwJKQwq4juMWgips16Uvib9eLc5Ku27pf0=;
b=iWTgQyz6ubdVRIzaGDEwrbBffJyGEPVSR/M1KZs+G0yI8QICAU40v9Y/023QoUEjhY
UtQo1c4vI5v2HKCrTKS4V5VaU7p13BkVN/O5oNdTrj74FsnPz0QNZ8AveeVIy1AhAVoY
qwd/2yDIWxLP0yK26i5FwbKxh3GCzzkokeGUQ=

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc;
bh=cGUi+Z5AWYwJKQwq4juMWgips16Uvib9eLc5Ku27pf0=;
b=R2yB9QigB0KqiCaNIDyshSfmm1AEwkoRa+idWFM/BLNwg5CTjwL3zsz/Ocq3kNWki5
+wiPZyK1DeCKjS3siVKhi9WHvbHrMBlxTl56lvrw6kkoe1FNZR9ZL1WYczL6CjhS1+GQ
0HFqSjJLGgulTcJ3V8qJwJhBWT91HZkqxkFz3My1+Of7SMyPV/QO5+Gj3hj8KGQAZr6m
FuXcdUBd6+Ipqp925J99zYGtAPj5aVpX7KE3d3h7g5jYnZB+IyFrcynWQR5YWjx1t+O9
uOlX68DsvhK8dnJc5qxUVtzzeiuRMRc/SEkuZnBrL64LkAr6L1FzPkpM9Lzwst1docIV
s4hA==

X-Gm-Message-State: AOAM532uDGLM9dw+/cTHllxmrMdTWW9MNhIgJN7wQ8jrU9X1pvpYHOWu
PdigkzGgi6WxDgrOnwSXd87d2sBcyHp5axD4vmEJmolV6Pr8aw==

X-Google-Smtp-Source: ABdhPJx3WtIYvNd8hNVYA0gcCHO2ksIGXjcesdqw/Q1G77Fy+SgLp7gHN9ZhXY+2egkT5ZaeC7b45W536HNhU4Njrno=

X-Received: by 2002:ac2:5691:: with SMTP id 17mr36748212lfr.209.1594210914001;
Wed, 08 Jul 2020 05:21:54 -0700 (PDT)

MIME-Version: 1.0

From: Armando Faz <armfazh@cloudflare.com>

Date: Wed, 8 Jul 2020 05:21:43 -0700

Message-ID: <CABZxKYmyYbOXG9Lo8vNZANn=x+DhZR0qztAg+JbYnLdoxVrsTQ@mail.gmail.com>

To: cfrg@irtf.org

Cc: cfrg-chairs@ietf.org

Content-Type: multipart/alternative; boundary="0000000000003a14ea05a9ed2736"

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/5R3YzUekQTqpJxatVVsrksNDoms>

Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friendly-curves-07

X-BeenThere: cfrg@irtf.org

X-Mailman-Version: 2.1.29

Precedence: list

List-Id: Crypto Forum Research Group <cfrg.irtf.org>

List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>,
<mailto:cfrg-request@irtf.org?subject=unsubscribe>

List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

List-Post: <mailto:cfrg@irtf.org>

List-Help: <mailto:cfrg-request@irtf.org?subject=help>

List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>,
<mailto:cfrg-request@irtf.org?subject=subscribe>

X-List-Received-Date: Wed, 08 Jul 2020 12:22:00 -0000

Dear authors, The following comments are about the current pairing-friendly-curves-07. I have two main observations, one regarding the choice of curves and the other is about hashing to curves. I also left some minor comments. Feel free to reach me if something is unclear. First, I invite the authors to reconsider the curve recommended for the 128-bit level. My suggestion is to use a BLS12 curve with a 461-bit prime replacing the BN curve with a 462-bit prime. This choice is motivated by: 1) both of them provide the same security levels as according to the last column of Table 1 in [GMT19] Curve log(p) log(r) Sec-Estimate --------------------------------- BN 462 462 2^134 BLS12 461 308 2^134 Also, the fact that log(r) is shorter for the BLS12 instance impacts on shorter scalars. 2) The operation counts to compute a pairing favor the BLS12 instance. The conclusion arrived in [BD19] mentions that both BLS12 and KSS16 have shorter operation counts for the 128-bit level: "Finally, for the curves ensuring 128 bits of security, we estimated the complexity of the optimal ate pairing for each proposed curve and concluded that BLS12 and, more surprisingly, KSS16 are the most efficient choices." The operation counts appear in Table 14. cy-sqr | com-sqr | log(p) ----------------------------------------- BN 19553M + I | 17774M + 4I | 461 bits BLS12 16003M + I | 14028M + 6I | 461 bits KSS16 26076M + I | – | 340 bits Another advantage of using a BLS12 instance is that implementations can move from BLS12-381 to BLS12-461 just by replacing the field arithmetic layer. According to Table 1 of the draft, the curve BLS12-461 is currently supported by Miracl and can be easily included in RELIC. Any application already implementing BLS12-381 can switch to BLS12-461 with small changes in the code. A generic BLS12 implementation can support both fields, allowing reuse code bases. Moreover, I encourage the use of the subgroup-secure BLS12 instance, (i.e. the one reported in Sec 7.5 of [BD19]. The Hamming weight is increased in 5 bits, which is approximately 200 more multiplications (using rough estimations), it does seem to have a big penalty regarding performance. This is also noted in Section A.3 of https://eprint.iacr.org/2015/247. "In the case of PBC, achieving subgroup security introduces a small but noticeable overhead in the pairing (see Section 4). On the other hand, the potential savings offered by subgroup-secure curves are far greater in the context of PBC; here we can possibly save large elliptic curve or finite field group exponentiations". My second suggestion is to include suites for hashing to G1 and G2 because this is a common requirement in cryptographic protocols. (Methods are already defined in the hash_to_curve draft, so it might just require to define the corresponding suites). Finally, your selection policy excludes curves at 192-bit level, however, the fact that there are few implementations of these instances does not seem a sufficient motivator for not recommending secure instances. Some instances have already proposed. For example, [BD19] and https://eprint.iacr.org/2019/485 list a number of instances. Also, cryptographic libraries such as RELIC and Miracl are mature enough to include the new instances easily. Minor comments: Section 2.2: You can start by defining what a bilinear pairing is and its properties with respect to abstract groups. After that you can describe how these groups are instantiated using the torsion-r subgroups of elliptic curves. Note the distinction between: F_q-rational points are those with coordinates in F_q. and F_q^k-rational points are those with coordinates in F_q^k. E(F_q^k): the group of rational points of E. #E(F_q^k): the number of rational points of E. Both BN, BLS, and KSS are families of pairing-friendly curves. Consider to rewrite sentences like this one: "A BN curve [BN05] is one of the instantiations of pairing-friendly curves proposed in 2005". This sentence is redundant as p is prime. " b is an element of a multiplicative group (F_p)^* of order (p - 1)" order 6 twists. -> order-6 twists. embeddiing -> embedding paiting-based crytography -> pairing-based cryptography rewrite: the only known attacks thus far attack the discrete logarithm problem directly, so we focus on the discrete logarithm in this memo. rewrite: There has since been research into the minimum bit length of the parameters of pairing-friendly curves In Appendix A, make explicit the isomorphism between E and E' as this helps implementers. There is a subtle distinction when computing the pairing entirely with both points on the twist. (see Theorem 1 of https://eprint.iacr.org/2009/615). Armand -> Armando -- Armando Faz Cloudflare Inc.

- [Cfrg] RGLC on draft-irtf-cfrg-pairing-friendly-c… Stanislav V. Smyshlyaev
- Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friend… Stanislav V. Smyshlyaev
- Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friend… Armando Faz
- Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friend… rsw
- Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friend… Armando Faz
- Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friend… Rene Struik
- Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friend… Michael Scott
- Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friend… Yumi Sakemi
- Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friend… Stanislav V. Smyshlyaev
- Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friend… Marek Jankowski
- Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friend… Yumi Sakemi
- Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friend… Yumi Sakemi
- Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friend… Yumi Sakemi