MIME-Version: 1.0
References: <CACnav0oBNCt7VwR5_kvf7HqqVFF33iKv5y3mqeWnwx2UVHhD=g@mail.gmail.com>
 <CAND9ES1bYNC2V5oCHVXO4CO6iG5QBh+N51K4Mjdu6T3aBxF08A@mail.gmail.com>
 <CAEseHRqWTQppCOnF2KyZEKZyf4bhYr2nwuE6pHATnq84ttnLXg@mail.gmail.com>
 <CAHOTMV+0diByqDczj_uEDHZMW+uqzvVCDpi_2fSrr3N=F5tjMA@mail.gmail.com>
In-Reply-To: <CAHOTMV+0diByqDczj_uEDHZMW+uqzvVCDpi_2fSrr3N=F5tjMA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 12 Feb 2019 21:19:03 -0800
Message-ID: <CABcZeBMeO=qrcpOZiPunJJSVUesS8j18Cg5zdiYPqc9CQ77P=g@mail.gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Cc: Michael Scott <mike.scott@miracl.com>, CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000005ae9e70581bfb007"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/EwdQkFJ1LOwYGteG-jzgoRm_DNs>
Subject: Re: [Cfrg] BLS standard draft
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

--0000000000005ae9e70581bfb007
Content-Type: text/plain; charset="UTF-8"

FWIW, I have more than once wanted a scheme with the properties of BLS. I'm
not an expert in this area, but assuming that BLS is still the state of the
art here, it seems like it would be useful to document it in CFRG.

-Ekr


On Mon, Feb 11, 2019 at 6:57 AM Tony Arcieri <bascule@gmail.com> wrote:

> On Mon, Feb 11, 2019 at 3:52 AM Michael Scott <mike.scott@miracl.com>
> wrote:
>
>> 1) Pairing-based crypto threw open the doors to lots of nice new crypto
>> possibilities, enabling stuff that we couldn't do before
>> 2) Gradually post-quantum crypto is catching up and demonstrating
>> capabilities that mirror some (but not all) of these achievements
>>
>
> I'd agree with this: it is great people are working on post-quantum
> cryptography, but I do not view the threat as particularly urgent (i.e. 10+
> years away, if ever), and therefore think it makes sense to continue to
> work on pre-quantum and post-quantum schemes in parallel.
>
> Furthermore I'd like to add that pairings-based signature schemes like
> this have somewhat unique and highly useful properties around offline
> signature aggregation and small signature sizes. At least to my knowledge,
> there is no post-quantum secure equivalent of bilinear pairings (perhaps
> I'm mistaken?), so if we focus exclusively on post-quantum schemes we leave
> all of these benefits on the table, even in the event large QCs capable of
> attacking this class of elliptic curve prove to be intractable.
>
> --
> Tony Arcieri

--0000000000005ae9e70581bfb007--

