Re: [Cfrg] BLS Signature for X.509

"zaki@manian.org" <zaki@manian.org> Sat, 08 October 2016 23:27 UTC

From: "zaki@manian.org" <zaki@manian.org>
Date: Sat, 08 Oct 2016 23:27:08 +0000
Message-ID: <CAJQ8TmBowuoWPVdVW9rH1HMQc1zcNY5Kr3rNGpengyPQ-eq6iA@mail.gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/CxfBH4Ar8O6a6Cfwi9xhqtnLMa0>

Hi all, I'm trying to summarize a number of other recent conversations on
pairing crypto in various corners of the Internet.

My take: CFRG should not be standardizing pairing crypto groups b/c
available implementations offer less than 128 bits of security and
systems that rely on these implementations are searching for new curves.
Ideally, these users will coordinate on what groups to use and potentially
then it will make sense to standardize.

There has been a lot of discussion of these issues initiated from Trevor
Perrin's post to Modern Crypto.[0]

Paulo Barreto shared a script for estimating the impact of the new number
field sieve attack on BN curves.[1] I typed it up.

The Zcash devs discussed the impact of these attacks on their curves
here.[2]

Beyond SNARKs, lots of privacy-improving technologies in the cryptocurrency
world are interested in pairing-based crypto, like Lightning Network (passive
key rotation) and MimbleWimble (scalable confidential transactions, etc.).

I'd suggest that the OP watch developments in this space for candidate
groups and implementations to use in an X.509 setting.

[0] http://moderncrypto.org/mail-archive/curves/2016/000740.html
[1] https://gist.github.com/zmanian/67625108708dea404aa4b86cedde22ec
[2] https://github.com/zcash/zcash/issues/714
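As an added illustration (not part of the original message, and not Paulo
Barreto's script from [1], whose contents are not reproduced here), the Python
below evaluates the textbook running-time expression for the number field
sieve family, L_Q[1/3, c] = exp(c * (ln Q)^(1/3) * (ln ln Q)^(2/3)), for the
target field F_{p^12} of a 254-bit BN curve under three published constants:
(64/9)^(1/3) for the classic NFS (the basis of the old 128-bit rating),
(48/9)^(1/3) for exTNFS on a composite embedding degree with a generic prime,
and (32/9)^(1/3) for SexTNFS when p is special, as it is for BN curves. The
o(1) term and all hidden constants are dropped, so the output only indicates
how far the rating moves, not a concrete security level; the curve-side
Pollard rho cost (half the group order size) is included so the minimum of
the two sides is visible. The constants, the k = 12 / 254-bit parameters and
the search for a larger p are the assumptions here, not figures from the
thread.

```python
"""
Rough bit-security estimate for the target group G_T of a pairing-friendly
curve under the number field sieve (NFS) family of attacks.

Added example; not the script from [1]. It evaluates

    L_Q[1/3, c] = exp( c * (ln Q)^(1/3) * (ln ln Q)^(2/3) )

for Q = p^k, dropping the o(1) term and all hidden constants, so the result
is a coarse indicator of *relative* change, not a concrete security level.
"""
import math

# Constants c of L_Q[1/3, c] for the variants discussed in 2016 (assumed from
# the published asymptotics; the o(1) term is ignored).
C_CLASSIC_NFS = (64 / 9) ** (1 / 3)   # ~1.923, behind the old "128-bit" rating of BN-254
C_EXTNFS      = (48 / 9) ** (1 / 3)   # ~1.747, exTNFS: composite k, generic p
C_SEXTNFS     = (32 / 9) ** (1 / 3)   # ~1.526, SexTNFS: composite k and *special* p (BN)

# Assumed parameters of the widely deployed 254-bit BN curve.
BN254_P_BITS = 254
BN254_R_BITS = 254   # BN curves have prime order, so r has the size of p
BN_K = 12            # embedding degree of BN curves


def nfs_bits(log2_q: float, c: float) -> float:
    """log2 of L_Q[1/3, c] for a field of log2_q bits, i.e. 'bits of work'."""
    ln_q = log2_q * math.log(2)
    return c * ln_q ** (1 / 3) * math.log(ln_q) ** (2 / 3) / math.log(2)


def gt_bits(p_bits: int, k: int, c: float) -> float:
    """NFS estimate for the target group G_T of a curve over F_p with embedding degree k."""
    return nfs_bits(p_bits * k, c)


def rho_bits(r_bits: int) -> float:
    """Generic (Pollard rho) cost on the order-r curve groups; unaffected by NFS progress."""
    return r_bits / 2


def overall_bits(p_bits: int, r_bits: int, k: int, c: float) -> float:
    """The weaker of the curve side and the field side decides the rating."""
    return min(rho_bits(r_bits), gt_bits(p_bits, k, c))


def min_p_bits(target_bits: float, k: int, c: float, start: int = 128) -> int:
    """Smallest p size (bits) whose F_{p^k} clears target_bits under constant c.

    The crudest possible form of the 'search for new curves' the message
    mentions: gt_bits is monotone in p_bits, so a linear scan suffices.
    """
    p_bits = start
    while gt_bits(p_bits, k, c) < target_bits:
        p_bits += 1
    return p_bits


def bn254_table() -> dict:
    """BN-254 under the three constants; G_T estimate in bits, rounded."""
    return {name: round(gt_bits(BN254_P_BITS, BN_K, c), 1)
            for name, c in (("classic NFS", C_CLASSIC_NFS),
                            ("exTNFS", C_EXTNFS),
                            ("SexTNFS", C_SEXTNFS))}


if __name__ == "__main__":
    for name, bits in bn254_table().items():
        print(f"BN-254 G_T under {name:12s}: ~{bits:6.1f} bits")
    print("BN-254 curve side (Pollard rho): ~%.1f bits" % rho_bits(BN254_R_BITS))
    print("BN-254 overall under SexTNFS:   ~%.1f bits"
          % overall_bits(BN254_P_BITS, BN254_R_BITS, BN_K, C_SEXTNFS))
    print("BN p size for a ~128-bit G_T under SexTNFS:",
          min_p_bits(128, BN_K, C_SEXTNFS), "bits (crude asymptotic estimate)")
```

The point the table makes is the one in the message: with the same 3048-bit
target field, moving from the classic constant to the SexTNFS constant takes
the field side from above the 128-bit line to well below it, so the field
side, not the curve side, now sets the rating, and a 254-bit BN prime no
longer reaches the level it was sold at. Concrete estimates in the literature
use much finer cost models than this asymptotic formula and land on larger
replacement primes than the scan above suggests; treat the numbers as a
direction, not a specification.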


On Thu, Oct 6, 2016 at 8:05 AM Dan Brown <danibrown@blackberry.com> wrote:

>
> The risks (as in potential or theoretical risk) of pairing-groups are (1)
> newer (usual for any new crypto), (2) recent progress in finite field DLP
> over certain extension fields, e.g. Barbulescu et al. quasi-polynomial time
> [see also http://eprint.iacr.org/2016/914].  Does
> BLS somehow bypass these risks?  Or is there a choice of pairing-group
> that is not deemed risky?
>
> ------------------------------
>
> *From:* Antonio Sanso [asanso@adobe.com]
> *Sent:* Thursday, October 06, 2016 8:20 AM
> *To:* Dan Brown
> *Cc:* Paul Grubbs; cfrg@irtf.org
> *Subject:* Re: [Cfrg] BLS Signature for X.509
>
> hi Dan
>
> On Oct 5, 2016, at 8:18 PM, Dan Brown <danibrown@blackberry.com> wrote:
>
> Hi Antonio,
>
> Can you briefly expand on the advantages of BLS, especially the
> aggregation of chains [citing also a reference]?
>
> here a couple of references
>
> http://theory.stanford.edu/~dfreeman/cs259c-f11/finalpapers/aggregatesigs.pdf
> https://crypto.stanford.edu/~dabo/papers/aggsurvey.pdf
>
> AFAIU if the signature used is BLS there is no need to calculate the
> certificate chain since any “node” involved can “fully prove” the “chain”.
>
> How well are these advantages aligned with IETF needs?  At the moment,
> I’m a little skeptical that the benefits (smaller chains?) outweigh the
> risks (relying on pairing-groups), but I could be wrong.
>
> are you aware of any risk of using BLS? I am not so far….
>
> Just to be clear, although BLS uses pairing-groups, it does not have any
> escrow worries (unlike IBE etc.), or am I badly mistaken?
>
> Is BLS standardized elsewhere (ISO, IEEE 1363*, etc.)?
>
> In any event, you could prepare an individual I-D to propose BLS to IETF,
> although I do not know how much it would be accepted.
>
> if there is any interest I would be happy to take a stab and write a
> draft. Is there anyone interested to join the effort?
>
> regards
>
> antonio
>
> Pairing-groups have been proposed for use in IETF before:
>
> https://datatracker.ietf.org/doc/draft-budronimccusker-milagrotls/
> https://datatracker.ietf.org/doc/rfc6508/
> https://datatracker.ietf.org/doc/rfc6509/
>
> Best regards,
>
> Dan
>
> *From:* Cfrg [mailto:cfrg-bounces@irtf.org <cfrg-bounces@irtf.org>]
> *On Behalf Of* Paul Grubbs
> *Sent:* Wednesday, October 05, 2016 1:53 PM
> *To:* Antonio Sanso <asanso@adobe.com>
> *Cc:* cfrg@irtf.org
> *Subject:* Re: [Cfrg] BLS Signature for X.509
>
> The IETF does play an important role in the process, but most people (at
> least in the US) won't consider anything in crypto 'standardized' unless it
> involves NIST.
>
> On Wed, Oct 5, 2016 at 5:09 AM, Antonio Sanso <asanso@adobe.com> wrote:
>
> hi Paul,
>
> thanks. Isn’t this where this group can help though (namely standardization)?
>
> regards
>
> antonio
>
> On Oct 4, 2016, at 6:01 PM, Paul Grubbs <pag225@cornell.edu> wrote:
>
> BLS signatures would be nice for many reasons. The lack of standardized
> pairing groups makes it a little difficult from a deployability
> perspective, I think.
>
> On Tue, Oct 4, 2016 at 2:12 AM, Antonio Sanso <asanso@adobe.com> wrote:
>
> anyone :S ?
>
> On Sep 30, 2016, at 8:57 AM, Antonio Sanso <asanso@adobe.com> wrote:
>
> > hi *,
> >
> > sorry for the noise.
> > I was wondering if it was already discussed the idea to use BLS
> > Signature for X.509.
> > AFAIK this will avoid certificate chains thanks to the signature
> > aggregation property…
> > If this was already discussed I apologize.
> > If not WDYT about this?
> >
> > regards
> >
> > antonio
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
>