Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friendly-curves-07

Armando Faz <armfazh@cloudflare.com> Wed, 08 July 2020 12:21 UTC

Return-Path: <armfazh@cloudflare.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C13BF3A0955 for <cfrg@ietfa.amsl.com>; Wed, 8 Jul 2020 05:21:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i5nZFx4drYNJ for <cfrg@ietfa.amsl.com>; Wed, 8 Jul 2020 05:21:57 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 726A73A0958 for <cfrg@irtf.org>; Wed, 8 Jul 2020 05:21:57 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id k15so26741223lfc.4 for <cfrg@irtf.org>; Wed, 08 Jul 2020 05:21:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:from:date:message-id:subject:to:cc; bh=cGUi+Z5AWYwJKQwq4juMWgips16Uvib9eLc5Ku27pf0=; b=iWTgQyz6ubdVRIzaGDEwrbBffJyGEPVSR/M1KZs+G0yI8QICAU40v9Y/023QoUEjhY UtQo1c4vI5v2HKCrTKS4V5VaU7p13BkVN/O5oNdTrj74FsnPz0QNZ8AveeVIy1AhAVoY qwd/2yDIWxLP0yK26i5FwbKxh3GCzzkokeGUQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=cGUi+Z5AWYwJKQwq4juMWgips16Uvib9eLc5Ku27pf0=; b=R2yB9QigB0KqiCaNIDyshSfmm1AEwkoRa+idWFM/BLNwg5CTjwL3zsz/Ocq3kNWki5 +wiPZyK1DeCKjS3siVKhi9WHvbHrMBlxTl56lvrw6kkoe1FNZR9ZL1WYczL6CjhS1+GQ 0HFqSjJLGgulTcJ3V8qJwJhBWT91HZkqxkFz3My1+Of7SMyPV/QO5+Gj3hj8KGQAZr6m FuXcdUBd6+Ipqp925J99zYGtAPj5aVpX7KE3d3h7g5jYnZB+IyFrcynWQR5YWjx1t+O9 uOlX68DsvhK8dnJc5qxUVtzzeiuRMRc/SEkuZnBrL64LkAr6L1FzPkpM9Lzwst1docIV s4hA==
X-Gm-Message-State: AOAM532uDGLM9dw+/cTHllxmrMdTWW9MNhIgJN7wQ8jrU9X1pvpYHOWu PdigkzGgi6WxDgrOnwSXd87d2sBcyHp5axD4vmEJmolV6Pr8aw==
X-Google-Smtp-Source: ABdhPJx3WtIYvNd8hNVYA0gcCHO2ksIGXjcesdqw/Q1G77Fy+SgLp7gHN9ZhXY+2egkT5ZaeC7b45W536HNhU4Njrno=
X-Received: by 2002:ac2:5691:: with SMTP id 17mr36748212lfr.209.1594210914001; Wed, 08 Jul 2020 05:21:54 -0700 (PDT)
MIME-Version: 1.0
From: Armando Faz <armfazh@cloudflare.com>
Date: Wed, 8 Jul 2020 05:21:43 -0700
Message-ID: <CABZxKYmyYbOXG9Lo8vNZANn=x+DhZR0qztAg+JbYnLdoxVrsTQ@mail.gmail.com>
To: cfrg@irtf.org
Cc: cfrg-chairs@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003a14ea05a9ed2736"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/5R3YzUekQTqpJxatVVsrksNDoms>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friendly-curves-07
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2020 12:22:00 -0000

Dear authors,

The following comments are about the current pairing-friendly-curves-07.

I have two main observations, one regarding the choice of curves and the
other
is about hashing to curves. I also left some minor comments. Feel free to
reach
me if something is unclear.

First, I invite the authors to reconsider the curve recommended for the
128-bit level.
My suggestion is to use a BLS12 curve with a 461-bit prime replacing the BN
curve with a 462-bit prime.
This choice is motivated by:
1) both of them provide the same security levels as according to the last
column of Table 1 in [GMT19]

Curve log(p) log(r) Sec-Estimate
---------------------------------
BN    462    462    2^134
BLS12 461    308    2^134

Also, the fact that log(r) is shorter for the BLS12 instance impacts on
shorter scalars.

2) The operation counts to compute a pairing favor the BLS12 instance. The
conclusion arrived in [BD19] mentions that both BLS12 and KSS16 have
shorter
operation counts for the 128-bit level:

   "Finally, for the curves ensuring 128 bits of security, we estimated the
   complexity of the optimal ate pairing for each proposed curve and
concluded
   that BLS12 and, more surprisingly, KSS16 are the most efficient choices."

The operation counts appear in Table 14.
      cy-sqr     | com-sqr     | log(p)
-----------------------------------------
BN    19553M + I | 17774M + 4I | 461 bits
BLS12 16003M + I | 14028M + 6I | 461 bits
KSS16 26076M + I | –           | 340 bits

Another advantage of using a BLS12 instance is that implementations can
move
from BLS12-381 to BLS12-461 just by replacing the field arithmetic layer.
According to Table 1 of the draft, the curve BLS12-461 is currently
supported by
Miracl and can be easily included in RELIC. Any application already
implementing BLS12-381 can switch to BLS12-461 with small changes in the
code.
A generic BLS12 implementation can support both fields, allowing reuse code
bases.

Moreover, I encourage the use of the subgroup-secure BLS12 instance,
(i.e. the one reported in Sec 7.5 of [BD19]. The Hamming weight is increased
in 5 bits, which is approximately 200 more multiplications (using rough
estimations), it does seem to have a big penalty regarding performance.
This is also noted in Section A.3 of https://eprint.iacr.org/2015/247.

   "In the case of PBC, achieving subgroup security introduces a small but
    noticeable overhead in the pairing (see Section 4). On the other hand,
    the potential savings offered by subgroup-secure curves are far greater
    in the context of PBC; here we can possibly save large elliptic curve
    or finite field group exponentiations".


My second suggestion is to include suites for hashing to G1 and G2 because
this
is a common requirement in cryptographic protocols. (Methods are already
defined in the hash_to_curve draft, so it might just require to define the
corresponding suites).


Finally, your selection policy excludes curves at 192-bit level, however,
the
fact that there are few implementations of these instances does not seem a
sufficient motivator for not recommending secure instances. Some instances
have
already proposed. For example, [BD19] and https://eprint.iacr.org/2019/485
list a number of instances. Also, cryptographic libraries such as RELIC and
Miracl are mature enough to include the new instances easily.


Minor comments:

Section 2.2: You can start by defining what a bilinear pairing is and its
properties with respect to abstract groups. After that you can describe how
these groups are instantiated using the torsion-r subgroups of elliptic
curves.


Note the distinction between:
F_q-rational points are those with coordinates in F_q.
and F_q^k-rational points are those with coordinates in F_q^k.

    E(F_q^k):  the group of rational points of E.
   #E(F_q^k):  the number of rational points of E.


Both BN, BLS, and KSS are families of pairing-friendly curves. Consider to
rewrite sentences like this one: "A BN curve [BN05] is one of the
instantiations of pairing-friendly curves proposed in 2005".

This sentence is redundant as p is prime.
 " b is an element of a multiplicative group (F_p)^* of order (p - 1)"

order 6 twists. -> order-6 twists.

embeddiing -> embedding

paiting-based crytography -> pairing-based cryptography

rewrite: the only known attacks thus far attack the discrete logarithm
problem
directly, so we focus on the discrete logarithm in this memo.

rewrite: There has since been research into the minimum bit length of the
parameters of pairing-friendly curves

In Appendix A, make explicit the isomorphism between E and E' as this helps
implementers. There is a subtle distinction when computing the pairing
entirely with both points on the twist.
(see Theorem 1 of https://eprint.iacr.org/2009/615).

Armand -> Armando

-- 
Armando Faz
Cloudflare Inc.