Re: [Cfrg] RGLC on draft-irtf-cfrg-pairing-friendly-curves-07

["Stanislav V. Smyshlyaev" <smyshsv@gmail.com>]

Dear Yumi,

Yes, please take your time to address the concerns.

Regards,
Stanislav

пн, 13 июля 2020 г. в 18:12, Yumi Sakemi <yumi.sakemi@lepidum.co.jp>:

> Dear  Stanislav and CFRG members
>
> Thank you for announcing the comments from Rene.
> After the RG Last Call period, some CFRG members  gave us a lot of
> comments.
>
> We appreciate Rene, Armando, Dan Boneh, and Michael Scott for their
> comments.
>
> Could you wait some time because we would like to consider how to deal
> with it in the draft?
>
> Best regards,
> Yumi
>
> 2020年7月13日(月) 18:18 Michael Scott <mike.scott=40miracl.com@dmarc.ietf.org
> >:
> >
> > Perhaps some of the  reassurance sought on the difficulty of the DLP as
> it arises in the context of pairing-based cryptography might be found in
> the very last paragraph of [BD18] https://eprint.iacr.org/2017/334.pdf
> Appendix B
> >
> > "Practical improvements will continue to come but they will modify only
> the o(1) term. A hypothetical algorithm which would beat SexTNFS needs to
> produce relations faster than by enumerating all elements of a sieving
> space, as it happened in small characteristic with pinpointing, or it would
> have to completely abandon the NFS diagram. Such an algorithm would be a
> great discontinuity, comparable to a possible sub-exponential algorithm for
> DLP on elliptic curves.  "
> >
> > Mike
> >
> >
> > On Mon, Jul 13, 2020 at 12:08 AM Rene Struik <rstruik.ext@gmail.com>
> wrote:
> >>
> >> Dear colleagues:
> >>
> >> Please find below my review of the pairing draft. If this does not
> display well, please send me an offline note and I can send you the
> original text file (before cut-and-paste into this email).
> >>
> >> I hope this helps.
> >>
> >> Review of draft-irtf-cfrg-pairing-friendly-curves-07
> >> Reviewer: Rene Struik
> >> Assessment: not ready
> >>
> >> Summary:
> >> The draft provides domain parameters for a few curves used with
> pairing-based cryptography and provides some test vectors.
> >>
> >> General remarks:
> >> a) While the draft suggests multiple times that the exTNFS attack
> (2016) negatively impacted the bit-security level of various proposed
> domain parameter sets for pairing-based curves, it does not provide any
> detail on this attack itself, nor any reassurances that potential
> extensions of these (only 4-yr old!) attacks on the general discrete
> logarithm problem of composite degree extension fields GF(p^t) for small
> composite t>1 would not be in the cards. This diminishes trust in the
> claimed security of these curves and their "fitness for use" in practice.
> the only use of these attacks is simply providing lengthy tables with
> claimed revised security levels. Why should one have confidence in this, do
> advances in solving the DLP in small degree extension fields provide the
> kiss of death for pairings (or if not: why not?), etc?
> >> b) The draft has 6 1/2 pages of references and 3 1/2 pages of tables of
> "adopted parameters" on a total of 27 pages of main body text. It seems one
> should be able to considerably prune both tables and references (which now
> come across as unwieldy). A good starting point may be to consider that
> availability of a library or standardization does not necessarily imply
> that schemes are actually deployed.
> >> c) It is unclear what motivated change in co-authorship of this draft,
> e.g., when considering changes between rev04 and rev07 of this draft. It
> seems more customary to credit minor contributions in the acknowledgement
> section than by change of authorship.
> >> d) Lots of specification details seems adhoc and even motivated by a
> particular company's conventions. For CFRG, it may be more appopriate to
> specify curves, finite fields, and objects that live herein, in a more
> systematic way, rather than reinventing the wheel, thereby fostering reuse
> and maintainability.
> >> e) I am curious why this draft's intended status is "experimental" (vs.
> "informational", as is far more common for IRTF documents).
> >>
> >> Detailed comments:
> >> 1) Section 1.2 (and also elsewhere) seems to conflate standardization
> of parameters, availability of libraries, and actual deployment, where
> there is an unusual prominence (for an IRTF document) of company names.
> Wouldn't it make more sense to describe potential applications of pairing
> based cryptography in more technical terms, e.g., in terms of facilitating
> aggregate signatures, remote attestation, etc., and provide a brief
> description (and a technical reference)?
> >> 2) Section 1.3: the main point of the extTNFS attack is that it tries
> and solve the DLP in low-degree extension field GF(p^t) for small composite
> t>1 faster. To bring this point accross, I suggest changing reference to
> "by the attack" (l. 5 of Section 1.3) by something more closely reflecting
> this.
> >> 3) Section 2.3, 4th para (top of p. 8): elaborate on the "BN curves
> always have order 6 twists" remark (this seemed to have been copied ad
> verbatim from the [BD18] paper).
> >> 4) Section 2.4, 4th para: it would be good to mention that parameter t
> must be 1 (mod 3), since otherwise p is not an integer.
> >> 5) Section 2.5: the representation conventions are highly confusing,
> esp. for extension fields. Why not define everything in terms of a prime
> field GF(p) and extension field GF(p^t), with fixed irreducible polynomial
> f(z) of degree t over GF(p)? This has been successfully used with elliptic
> curve specifications (NIST, ISO, ANSI, BSI) not tailored to pairing based
> crypto. This would also avoids questions that now immediately come up (such
> as whether defining GF(p^{d'}) in terms of GF(p^{d}) and "inductively
> applying the above convention" does yield an unambigous definition. Since
> all finite fields of fixed size are isomorphic, it would be much easier to
> stick to the standard way of doing this. This would also avoid messy tower
> of extension field arguments and messy representations of elements hereof
> (e.g., in Section 4.4). See also Appendix J on data conversions of the lwig
> draft referenced in this draft. As final  note, the data conversions in
> that lwig draft require specifying bit/octet encodings (which, in the
> pairing case, seem to be most-significant-byte-first (MSB) and
> most-significant-bit-first (msb).
> >> 6) Section 3.1, 4th para: it is unclear what the meaning of "best
> known" is: is this "best-known" (i.e., most well-known) or "simply the
> best"? Given the description, the first meaning should be the correct one...
> >> 7) Section 3.2: what is missing is a section that actually describes
> the attack, rather than simply plugging in some implied numbers based on a
> paper (presumably [BD18]). Why not add some verbiage that explains this in
> simple but roughly accurate terms ("The exTNFS Attack", or, better,
> "Attacks on DLP over Low-Degree Extension Fields", or even better, "Solving
> the DLP in Finite Fields" (there has been lots of progress there for
> mid-size base fields too)). This is a CFRG document, so one would expect
> something that provides insight, rather than simply a bombardment of
> tables, some selection criteria, and a filtered list. Wouldn't the
> objective of this whole effort be to educate the CFRG audience on
> pairing-based crypto, rather than (say, obtaining an RFC number from an SDO
> and marketing this as an implied "authoritative" approval stamp)?
> >> 8) Section 3.2: I remember that Francisco Rodriguez-Henriquez (fix name
> in references) presented attacks at the CHES 2013 rump sessions, where
> question was whether this spelled trouble for pairing-based crypto. While I
> do not have his presentation then on file, it may be good to dig this up or
> ask him, and contemplate on wider implications of DLP progress in general
> (see also first general review remark).
> >> 9) Section 3.2, 2nd para: A natural question is what one could say
> about DLP complexity for GF(p^k), in terms of dependency on p and k.
> Unfortunately, this section does not provide any insight on this (it only
> provides a single numerical value for BLS48 curves, without any context). I
> would suspect the reader audience would appreciate such insight, without
> need to wed through a whole forest (6 1/2 pages: far too much reference
> stuffing!) of references by himself without any guidance as to whether this
> would be time well-spent or lost.
> >> 10) Section 4: as stated before, the selection criteria seem somewhat
> arbitrary, since conflate specification text, libraries, with actual
> deployment. Moreover, the most important criteria should probably be
> security and speed given particular security strength, and potential
> support for finite field arithmetic on platforms (speaking of which: why
> not devote a section on whether one can actually implement GF(p^k) securely
> using finite field libraries, including modular reductions, side channels,
> etc.?). The term "adoption status" seems, in any event, misleading.
> >> 11) Section 4.1, Table on pp. 12-15: if one strikes out domain parms
> rendered immediately suspect by the exTNFS paper on DLP, this kills off 8
> out of 10 entries on p. 12 (and far more if one stikes out suspect values
> accross the entire table). This makes me wonder what the technical reason
> is for including this entire table. To the casual reader it now suggests
> that there are huge numbers of implementations out there, whereas - perhaps
> - most of those should be switched off immediately...
> >> 12) Section 4.1.2: once again, I am wondering why there is so much
> emphasis on libraries here. Isn't this an IRTF/CFRG document?
> >> 13) Section 4.2.1: The extension field GF(p^{12}) can also be described
> via GF(p) and degree-12 polynomial f(w):=(w^6-1)^2+1. This would allow
> using simple conventions used in Lidl et al's finite field book [2]. It
> also allows description of an element x of GF(p^{12}) as vector (x_{11},
> ..., x_1, x_0) of coefficients of GF(p) with this irreducible polynomial.
> Note here that u+1:=w^6 and v:=w^2, so one can easily internally use the
> more complex tower field stuff in the draft, while sticking to simple and
> easy to maintain standard constructions (known for 2 centuries) for
> specifications (so, nobody looses out if one has a slim interface that does
> this conversion back and forth, if necessary).
> >> 14) Section 4.2.1, bottom of p. 18: shouldn't the cofactor h be such
> that h*r= # E'(GF(p^2))? {please also fix Et and use E' notation as
> elsewhere in the draft}
> >> 15) Section 4.2.1, parameter b' (bottom of p. 19): if one uses the
> complicated tower construction, why then not also mention the value of u in
> the enumeration? Is one actually sure this value is uniquely defined (e.g.,
> I did not check but wondered what would happen if one replaces u by -u in
> the tower construction)? Same with end of Section 4.2.2...
> >> 16) Section 4.2.2, 5th para: the statement "CP8_544 is more efficient"
> is hard to interpret without context (e.g., half the cost, cost-1, cost -
> o(log log log n)).
> >> 17) Section 4.2.2, bottom of p. 20: with parms BN462, why not simply
> introduce base point G, parameter n, h, etc., once and for all in Section
> 2.1, without trying to repeat their definition in Section 4.2.2 (and later
> sections)?
> >> 18) Section 4.2.2, top of p. 21: the formula for h seems incorrect (G2
> is defined over GF(p^2), whereas the formula refers to a curve defined over
> GF(p^8).
> >> 19) The security consideration section (Section 5) is rather slim:
> (speculation on my side) is the reason to label this draft as
> "experimental" that design strength vs. actual strength is somewhat in
> limbo due to progress on DLP problem? Why suddenly squeeze in a point
> validation routine if no context is given at all of where and how pairing
> based crypto is used? Wit point validation, what if an octet representation
> is outside GF(p) boundary? (while the forelast para seems to imply an
> attack one is completely left in the dark what is at stake here). Not sure
> whether it is the role of CFRG documents to legitimize "BN254 use ... to
> keep interoperability". The end of the first para ("as of 2020, as far as
> we know, there are no fatal attacks that significantly reduce the security
> of pairing-friendly curves after exTNFS") is entirely non-reassuring to me:
> it is only four years after the DLP attack that necessitated to strike out
> half of the entries in the table earlier on in the paper, not that many
> people work on pairing-based algorithmic cryptanalysis in the first place,
> etc., etc. Where does this confidence come from (shouldn't one be more
> modest here, technically speaking???). The Cheon attack is not explained
> and cannot be evaluated at all, since no context on elliptic arithmetic is
> given at all in the draft.
> >> 20) Secion 5, 3rd-last para: Why would the Montgomery ladder suddenly
> come to the rescue to salvage side channel resistance? Why refer to RFC
> 7748: whereas pairing-friendly curves are all Weierstrass curves, the
> curves in RFC 7748 are all Montgomery curves with completely different
> underlying detail on differential-addition chains). It seems that an entire
> section should be devoted to how implementations coul avoid SCA attacks,
> esp. since some operations take place in huge extension fields GF(p^t)...
> >> 21) Appendix C seems to convey a particular encoding used by ZCash. I
> don't think it is the role of CFRG to make those the standard way of doing
> things. This being said, technically that representation is a tiny tweak of
> what the SECG1 specification already stipulated in 2001 (with SEC1, one can
> extract the affine/compressed encoding of an affine point and whether this
> relates to the point at infinity from the leftmost octet (0x04, 0x02 or
> 0x03, vs. 0x00), which more or less 1-1 corresponds to the (C_bit, I_bit,
> S_bit) combinations. If so, reinventing yet another representation is hard
> to defend.
> >> 22) The parity bit notation for finite fields is highly non-standard,
> compared to, e.g., what has been standard usage with compressed points for
> curves over prime fields or binary extension fields. Even if this would
> have some uses, why not defining things once and for all for all extension
> fields of an odd prime field, so that this is a simple extension. See also
> Appendix H of [1] (parity function for any field GF(p^k), where p odd).
> This should also help in limiting side channel leakage from the first-half
> vs. last-half of [0,p-1] test.
> >>
> >> Editorial comments:
> >>
> >> 1) Section 2.1, first para: replace "F_q" by GF(q), stipulate that
> extension degree n>0.
> >> 2) Section 2.1, first para: with defining equation, use more common
> domain parameters a and b (i.e., lowercase instead of upper case).
> Elsewhere, do use common nomenclature used with NIST, ANSI, SECG, ISO for 2
> decades, including n for prime-order subgroup, h for co-factor, mention
> irreducible polynomial f(z) with extension field, denote fixed base point
> by P (instead of BP), etc. If one wishes, refer to Appendix B.1 of [1].
> >> 3) Section 2.1, 2nd para: "point on" should be "point of".
> >> 4) Section 2.1, first/3rd para: isn't it simpler to define curve over
> GF(q) and then introduce curve with same domain parms, but then defined
> over extension field GF(q^k)?
> >> 5) Section 2.1, 3rd para: "group law which" should be "group law that",
> "reflection about x-axis" should be "reflection around x-axis", with
> "unique third point of intersection [R]" (i.e., give this a name, here R),
> with [a]P, stipulate that [0]P is the identity element and that
> [-a]P=-([a]P), etc.
> >> 6) Section 2.1, terminology: fix E(F_{q^k}) (i.e., add paranthesis),
> fix that this refers to GF(q^k)-rational points (rather than GF(q)-rational
> points, same with cardinalities.
> >> 7) Section 2.1, terminology: with co-factor h, doesn't one need
> gcd(h,n)=1 (so, as to ensure unique order-n subgroup)?
> >> 8) Sectioon 2.2, 2nd para "is called embedding degree of E over GF(q)"
> (i.e., add curve and field over which this is defined)
> >> 9) Section 2.2, 2nd para: the term "twist" is not defined (but often
> used elsewhere in the draft), neither is the term GF(p^k)* (nonzero
> elements of GF(p^k).
> >> 10) Section 2.3, 2nd para: replace "prime p" by "prime number p (where
> p at least five)".
> >> 11) Section 2.3, 3rd para (top of p. 8): write "the multiplicative
> group..." or, better still, simply state that b is a primitive element of
> GF(p) (and add this to terminology).
> >> 12) Section 2.4, 4th para: "parameterized" should read "parameters".
> >> 13) Section 3.1, 3rd para: "paiting-based" should be "pairing-based"
> (i.e., fix the typo "t" --> "r").
> >> 14) Section 3.1, 4th para: "to solve" should read "for solving".
> >> 15) Section 3.2, 1st para: "the security level(s)" (i.e., make plural),
> "... correspond" (i.e., use corresponding verb conjugation).
> >> 16) Section 4.2, 2nd para: reword "more prudent option" as "more
> conservative option".
> >> 17) Section 4.2.1, 4th para: "categorized as M-type" ("as" instead of
> "into").
> >>
> >> Ref:
> >> [1] draft-ietf-lwig-curve-representations-10
> >> [2] R. Lidl, Niederreiter, "Finite Fields", Cambridge University Press,
> ...
> >>
> >> On 2020-06-19 1:50 p.m., Stanislav V. Smyshlyaev wrote:
> >>
> >> Dear CFRG participants,
> >>
> >> This message is starting 2 weeks RGLC on
> draft-irtf-cfrg-pairing-friendly-curves-07 ("Pairing-Friendly Curves"),
> that will end on July 4th 2020. If you've read the document and think that
> it is ready (or not ready) for publication as an RFC, please send a message
> in reply to this email or directly to CFRG chairs (cfrg-chairs@ietf.org).
> If you have detailed comments, these would also be very helpful at this
> point.
> >>
> >>
> >> P.S.: The review on behalf of Crypto Review Panel was done by Chloe
> Martindale, the comments have been addressed by the authors of the draft,
> see https://mailarchive.ietf.org/arch/browse/crypto-panel/
> >>
> >>
> >> Thank you,
> >>
> >> Stanislav, for CFRG chairs
> >>
> >>
> >> _______________________________________________
> >> Cfrg mailing list
> >> Cfrg@irtf.org
> >> https://www.irtf.org/mailman/listinfo/cfrg
> >>
> >>
> >> --
> >> email: rstruik.ext@gmail.com | Skype: rstruik
> >> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
> >>
> >> _______________________________________________
> >> Cfrg mailing list
> >> Cfrg@irtf.org
> >> https://www.irtf.org/mailman/listinfo/cfrg
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
>
>
>
> --
> Yumi Sakemi, Ph. D.
> Lepidum Co. Ltd.
>
> E-Mail: yumi.sakemi@lepidum.co.jp
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>