[Cfrg] Comments on draft-irtf-cfrg-pairing-friendly-curves

Watson Ladd <watsonbladd@gmail.com> Fri, 08 May 2020 18:19 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 667943A118B for <cfrg@ietfa.amsl.com>; Fri, 8 May 2020 11:19:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wZbj9WvNqXE0 for <cfrg@ietfa.amsl.com>; Fri, 8 May 2020 11:19:02 -0700 (PDT)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C2B53A1189 for <cfrg@irtf.org>; Fri, 8 May 2020 11:19:02 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id x73so2166640lfa.2 for <cfrg@irtf.org>; Fri, 08 May 2020 11:19:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=ihkzd95r8soctWQcTlAnSAKengPm5OcKaANg0G236Gg=; b=EMdRzyot/i6Ld79f3q/Fo73/xnUnaZX3HCdGV9QZgfyoS/MqiwxbQTCC2ihvZfD66S 5mgoSnjW3kti3+hxn2/ApltTOaKDmQM8+sUpl0JYoXAX5+pm7EUZ5FwtJ6eRmh/Yxq8+ ceZPVkw3XzPotMQGV1vJM6AMiEE9alVU7A0cnoX95As0JwgsLNpSMTxmKiHh2AGQB7zF GFRqD215aWo/eUXYkLKT5KYZlcqadCjbhwKpJGrwpsAV/zx3WggPVN+rfgpxWIbaLHdw i+axqc14FHnTa9f5baLK00l9Oh0oP/s+tKewBGB/Vx+XPCTeJCbNwB1nRT6U/K3xrCgI W2ZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=ihkzd95r8soctWQcTlAnSAKengPm5OcKaANg0G236Gg=; b=Lh5uZXJw5NiWZ7/YLKoCHHcxttWlnGoUbtHAXmd5g50fw7uryVf7g0UIjU/ueMeqHb +tNvhqH7WabbjTuEz/gKTXjGBLZ2WFKJAuwqWEPBcrTsa8Gt9tL6zBqWqLZs622pFRGN CH2V2Y7WOLXxhH1KekTQTJG9T9VFEXxMhWH/+xkJAukJqHc3YnUYN6ZRDhsFKkIeHmkb a+7UftdGV1d0Uiz6HC+JPC6uXchRyFw04Jx9vEXivBBfzKiYRByY7OkGUwxcdp3wmWL7 tT4e6S33cSRk+OOh9p09XtawlssgO+X1XbkndegSzL9hvzMEjk7tztCNE6UNKD1CUVCg tmHA==
X-Gm-Message-State: AOAM533sF7pPUwTK4iCGGs9xemQxzTRhFqtQFHZJxxTFzF3Lv0xQtxxB p5PgywX4fFBu/Nj04BJTULtUlYPnSp90IlHlBjDBeboyM9E=
X-Google-Smtp-Source: ABdhPJwkWzYCHgtXEe0A0pBR8Sr41vLvM9BJ5Pi+nJTaDX0ZEi4L2O6jnfB9HVx15AQ5M8V9eSAIqFom+homZG7T8I8=
X-Received: by 2002:a19:cc07:: with SMTP id c7mr2736003lfg.163.1588961940159; Fri, 08 May 2020 11:19:00 -0700 (PDT)
MIME-Version: 1.0
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 8 May 2020 14:18:49 -0400
Message-ID: <CACsn0ckfA1WLOA9L8j_9pcOoaVBhjYX4jX2M0Bk78h8eniYA7A@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/8bIZ1_hdJUMyKwuktTBqrCEsN9w>
Subject: [Cfrg] Comments on draft-irtf-cfrg-pairing-friendly-curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 May 2020 18:19:06 -0000

Dear cfrg,

I’ve looked at draft-irtf-cfrg-pairing-friendly-curves and have a few
comments I hope can be addressed before the next version. Cloudflare
has built a number of products and experiments on top of pairing based
curves and would like to see advancement of this draft.  It’s a good
step towards standardization of type III pairings but, to be as useful
as possible for implementors as well as prevent fragmentation, I have
four issues that I think need to be addressed.

One issue that persists is the disconnect between  security levels and
recommendations. At the textual level BLS12-381 is introduced as an
alternative to BN468 at the 128 bit security level, but then the
discussion seems to indicate the security level is really 117 bits. In
practice few people care about  a factor of a thousand difficulty in
breaking, but plenty of people do care about the performance hit of
that bigger base field. It would be nice to have only one
recommendation, and I think it’s pretty clear that BLS12-381 is going
to be much more useful.

This relates to a wider trend that I think I counterproductive: using
single numbers like 128 to denote security levels. What does this
mean?  Naively one might think that the effort to conduct key recovery
on AES-128, find the discrete logarithm of P256 elliptic curves, and
compute the discrete log of a point on the curve from the draft are
the same, since they are all 128 bit security. This is true for
attackers that are only conducting one attack and who have probability
1 of succeeding. Actual attackers have multiple targets and do not
need to have probability 1 of success. For the problem of recovering k
from AES_k(0), each additional target AES_k2(0), AES_k3(0), etc, is
free, and the probability of success goes up linearly with the number
of queries.

In the multitarget scenario contrast recovering the discrete log of Q1
via a distinguished point algorithm doesn’t help with recovering Q2,
etc. By contrast AES is considerably weaker than the discrete
logarithm problem with the same bit security. The probability of
success is then quadratic in the effort: an attacker satisfied with a
success probability of ¼ has to do ¼ the work for AES, but  a full ½
of the work for ECC. These are very different levels of security, so
the use of the same number to describe them is counterproductive.

Similarly, the security of the finite field Diffie-Hellman problem in
medium size extensions is one where an attacker faced with a number of
targets can do a substantial amount of shared work, reducing the cost
of each additional broken key.  Furthermore there is substantial
uncertainty about the runtime, particularly with the sieving step and
search for good polynomials, as well as a lack of good experiments to
quantify the runtime heuristics. The draft does well to mention a few
recent papers to justify the numbers presented, but there is still
substantial uncertainty.  The benign outcome is that the single number
gives no practical insights; the worse outcome is that it guides users
towards poor choices. In light of the advent of quantum computers the
long term security of these curves is broken anyway.

Secondly, the draft presents a real opportunity to be useful to
implementors, that will be missed without additional practical advice
or recommendations. Appendix A omits a particularly efficient
algorithm due to use of affine coordinates and division, and many
applications can make use of optimizations that combine the final
exponentiation across pairings since they are computing a multipairing
product. From experience pseudocode that expresses a reasonably
efficient algorithm, together with information on avoiding side
channels and optimizations for the frequently used optimizations would
be very beneficial. That’s particularly true for handling invalid
inputs safely, a topic frequently neglected but essential for
security.

Both RFC 7748 and RFC 6090 provide this guidance to implementors and
are much more useful for it. Including these extra practical
recommendations is a lot of work, but avoids so much more effort
afterwards when needing to repeat the translation from paper into
pseudocode, as well as hopefully avoiding common security pitfalls.
Bitter experience has shown that pointing to a literature reference
has shortcomings.

Thirdly the security considerations section is woefully inadequate.
What are the considerations implementors should be aware of when
implementing this document and that those who use it should be aware
of? Are there attacks based on invalid data that need to be
considered? How does one validate group elements efficiently? All of
these are important details that I think should be addressed here. RFC
7748 does a decent job and should be looked to as a model.

Lastly there are a number of small tweaks I would make to the English
throughout the document in the interest of readability: fixes to
tense, articles, etc. I suspect the definition of nondegeneracy is
incorrect due to recorded clauses: it should read “e(S, T)=1 for all T
if and only if S=O_E”, etc. I’d be happy to submit a PR with the
changes if I knew where it lived in git.

The table of implementor and standardization choices I don’t think
adds much to the text and should be removed. Likewise, the laundry
list of applications is good motivation, but it could be shortened
without losing too much.

Thanks to the authors for advancing this draft, and I’m happy to
discuss these points further with them or others on the list/contribute text.

Sincerely,

Watson Ladd