Re: [Cfrg] BLS standard draft

Eric Rescorla <ekr@rtfm.com> Wed, 13 February 2019 05:19 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 12 Feb 2019 21:19:03 -0800
To: Tony Arcieri <bascule@gmail.com>
Cc: Michael Scott <mike.scott@miracl.com>, CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/EwdQkFJ1LOwYGteG-jzgoRm_DNs>

FWIW, I have more than once wanted a scheme with the properties of BLS. I'm
not an expert in this area, but assuming that BLS is still the state of the
art here, it seems like it would be useful to document it in CFRG.

-Ekr


On Mon, Feb 11, 2019 at 6:57 AM Tony Arcieri <bascule@gmail.com> wrote:

> On Mon, Feb 11, 2019 at 3:52 AM Michael Scott <mike.scott@miracl.com>
> wrote:
>
>> 1) Pairing-based crypto threw open the doors to lots of nice new crypto
>> possibilities, enabling stuff that we couldn't do before
>> 2) Gradually post-quantum crypto is catching up and demonstrating
>> capabilities that mirror some (but not all) of these achievements
>>
>
> I'd agree with this: it is great people are working on post-quantum
> cryptography, but I do not view the threat as particularly urgent (i.e. 10+
> years away, if ever), and therefore think it makes sense to continue to
> work on pre-quantum and post-quantum schemes in parallel.
>
> Furthermore I'd like to add that pairings-based signature schemes like
> this have somewhat unique and highly useful properties around offline
> signature aggregation and small signature sizes. At least to my knowledge,
> there is no post-quantum secure equivalent of bilinear pairings (perhaps
> I'm mistaken?), so if we focus exclusively on post-quantum schemes we leave
> all of these benefits on the table, even in the event large QCs capable of
> attacking this class of elliptic curve prove to be intractable.
>
> --
> Tony Arcieri