IETF Logo Mail Archive

Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

Shoko YONEZAWA <yonezawa@lepidum.co.jp> Fri, 29 March 2019 10:03 UTC

Return-Path: <yonezawa@lepidum.co.jp>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7DB9120265 for <cfrg@ietfa.amsl.com>; Fri, 29 Mar 2019 03:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lepidum-co-jp.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AeW6XDXER9F6 for <cfrg@ietfa.amsl.com>; Fri, 29 Mar 2019 03:02:57 -0700 (PDT)
Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29B1F120074 for <cfrg@irtf.org>; Fri, 29 Mar 2019 03:02:56 -0700 (PDT)
Received: by mail-pl1-x635.google.com with SMTP id b65so805727plb.6 for <cfrg@irtf.org>; Fri, 29 Mar 2019 03:02:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lepidum-co-jp.20150623.gappssmtp.com; s=20150623; h=from:subject:to:references:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=qPyCp/C9MnwbLMOcpQaj5fvmdqcjr92w6dAKpnX3Qwg=; b=gg9h8/VGqFTW8lLBb7L2h7F78nLl+rDetdpk1d4dGe5IcrtorH+w+BzErOnZYSo4Hr l2cYgD9oz7DBmFxk9QIOuKMYZqjHJjmTUrYwoEuois2ViN676ghmOfv1p8L62nKk5fMe x5DjoDVUfanmYbAjLRkz1pLj52T4Xr30nfDSwoKPsia55+25B4JKa1cIpqbMQTWVm4i1 X1pcgFPF/RGAgZQ/9q395nYVCsViF1Yl38pXnGia9iazjtZEV25GHab1cKoKOxHQvGF5 6TEWnoN50YdUimJE275YzJCOLQHmsx8Tpj2reVO28kOa0vfk7d2T4vMEXVE4bpD+nNkr eSeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:references:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=qPyCp/C9MnwbLMOcpQaj5fvmdqcjr92w6dAKpnX3Qwg=; b=KhXwIgDHrb/rrH/IAwDq293rN6iE5SoPufDC4kOI7vzD9ZmCAZG77n7q8865O0VJBt QaYcvt9+Zoglkvr+hLZkmZ5Em9Z2VX2sdJjRwzM2jLOZU8Pn9XzCzKDE7zg/z2VPjp1i NIGaKlYYOfFJ6ryA+eSU4HP0lbpf7YLdQHqLQ92G6uL7Zu4GsqfDVESa07yP0MB2tNZJ zdteqVTMCNCz+g5HPcW/BVZLu6ucf5MbsaSS4RlA88i9IADrG024tVBlrxmmNtnsvQya WK1RWysp4Pc3JXAQCq/aAttY3Ybj3XeZbmyWmx+ugHX+bE+Viq2c1zFbR/HsaYicbtgy xdaQ==
X-Gm-Message-State: APjAAAXCEJayuz8QdrQxHsqTkzDRsizhyT6FQwd9NR9HMH8WDlT5ZwzR JjLJaaehYS0/rRCVcrYhLANVp6oA6LEx9ASJUcZBUhFzqQPMQcFi7iOfEK0l08kBi58LDLzwfUB 419kvYaJGH9ZBMLlZNAnuXD32DZXBzhhmK//VLqeNCg57L6/mvh7S6gyhTFQ=
X-Google-Smtp-Source: APXvYqym2MA59z5i022ItI7fdhG/Um2caSC1N1fYjUVPCoRoDvHODb0SsfnQ0YvT54jPWpxVft1VHw==
X-Received: by 2002:a17:902:848c:: with SMTP id c12mr47574223plo.207.1553853775800; Fri, 29 Mar 2019 03:02:55 -0700 (PDT)
Received: from [192.168.30.77] ([150.249.212.66]) by smtp.gmail.com with ESMTPSA id 75sm3180528pfr.55.2019.03.29.03.02.54 for <cfrg@irtf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 29 Mar 2019 03:02:55 -0700 (PDT)
From: Shoko YONEZAWA <yonezawa@lepidum.co.jp>
To: cfrg@irtf.org
References: <155231848866.23086.9976784460361189399@ietfa.amsl.com> <737ea2b3-74e3-d02e-a44d-c44cca5db036@lepidum.co.jp> <CAEseHRrSiJ72tQepyTiL=pSBcRRLGXhnJyy_QzOubWax+v=Ntw@mail.gmail.com> <CAEseHRqh4d0VaeSaj4CWr_ZxJbbpm33ZaLF-aYGBjVowFNLFeQ@mail.gmail.com> <c57bbf7b-3177-eb64-a3c0-26842fccbb89@lepidum.co.jp> <CAEseHRrVomCo6KD7gidCRBzKJDzFZRQ+q0+PjfBr8tQT4dVpMQ@mail.gmail.com> <b016d1f6-68e4-9728-c738-ab72c593dfd1@lepidum.co.jp> <CAEseHRoLGFbf74HT9n2beryc9Liqf2Hz+_rh-yo6Q8hNqwCvNQ@mail.gmail.com>
Message-ID: <17e2c039-3c20-21a6-0201-4278c988c060@lepidum.co.jp>
Date: Fri, 29 Mar 2019 19:02:52 +0900
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CAEseHRoLGFbf74HT9n2beryc9Liqf2Hz+_rh-yo6Q8hNqwCvNQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/G0PPmoUJBZVj6-0QDiEi1lIijqQ>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2019 10:03:01 -0000

Hi Mike,

This difference is probably caused by representation of an extension field.
We encoded the generator G' = (x', y') where x' = a'*u + b' and y' = 
c'*u + d' by

x' : a'*p + b' (in Z) and
y' : c'*p + d' (in Z),

whereas zkcrypto encoded it like

x' : a' || b' and
y' : c' || d'.

We followed the convention shown in IEEE 1363a-2004.

As you suggested, it is helpful to describe a',b',c',d' as well as x', y'.
We add these value in the next version.

Thank you again,
Shoko

On 2019/03/28 20:11, Michael Scott wrote:
> OK. However for the BL381 curve for example the G2 generator point does not
> appear to be the same as the one given here...
> 
> https://github.com/zkcrypto/pairing/tree/master/src/bls12_381
> 
> Also it would help if the individual components of x' and  y' were
> highlighted. For example if x'=a'u+b' it would be useful to know were a'
> ends and b' begins.
> 
>   Also as in the above link it would I think be good practice to state
> exactly how the values for G1 and G2 were arrived at.
> 
> Mike
> 
> On Thu, Mar 28, 2019 at 7:27 AM Shoko YONEZAWA <yonezawa@lepidum.co.jp>
> wrote:
> 
>> Hi Mike,
>>
>> Thank you again for the feedback.
>>
>>   > It would be helpful for implementors to know if the curves support an
>>   > M-Type or D-Type twist.
>>   >
>>   > BLS381 and BN462 are both M-Type. BLS48_581 is D-Type.
>>
>> As the information for implementers,
>> we add the description of M-type or D-type for each curve.
>>
>>   > Also I think a standard should also include a generator point for G2 for
>>   > interoperability, as well as for G1. For example an implementation of
>> BLS
>>   > short signature probably requires a generator in G2.
>>
>> The generator point for G2 is described as a base point G' = (x', y')
>> in our draft.
>> We revise the description for clarification.
>>
>> Best,
>> Shoko
>>
>> On 2019/03/21 0:48, Michael Scott wrote:
>>> A couple of further observations..
>>>
>>> It would be helpful for implementors to know if the curves support an
>>> M-Type or D-Type twist.
>>>
>>> BLS381 and BN462 are both M-Type. BLS48_581 is D-Type.
>>>
>>> Also I think a standard should also include a generator point for G2 for
>>> interoperability, as well as for G1. For example an implementation of BLS
>>> short signature probably requires a generator in G2.
>>>
>>> Mike
>>>
>>> On Tue, Mar 19, 2019 at 3:39 AM Shoko YONEZAWA <yonezawa@lepidum.co.jp>
>>> wrote:
>>>
>>>> Dear Mike,
>>>>
>>>> Thank you very much for your comments.
>>>>
>>>>> The suggested curves do not appear to meet the requirement for subgroup
>>>>> security which is indicated as being a desirable property in section
>>>> 3.1 -
>>>>> “One has to choose parameters so that the cofactors of G_1, G_2 and G_T
>>>>> contain no prime factors smaller than |G_1|, |G_2| and |G_T|”..
>>>>>
>>>>> The case could be made that subgroup security is not so important, but
>> if
>>>>> so the text in 3.1 should be modified to reflect this point of view.
>>>>
>>>> As you pointed out, we found that our suggested curves are not
>>>> subgroup-secure.
>>>> For standardization, we focus on the existing implementations as well as
>>>> sufficient security.
>>>> We think it impractical to choose a completely new parameter and
>>>> implement it from now.
>>>> Therefore, we would like to recommend the current parameters we
>>>> described in the draft with modifying our description of subgroup
>> security.
>>>>
>>>> We are keeping watching the research activity and ready to change
>>>> parameters if a critical attack for pairing-friendly curves which don't
>>>> meet subgroup security is found.
>>>>
>>>>> Another point – the BLS381 curve was chosen for a very particular
>> (albeit
>>>>> important) application where it is a requirement that r-1 has a factor
>> of
>>>>> 2^m for a large value of m. Curves chosen with application-specific
>>>>> benefits should I suggest be considered carefully if proposed as more
>>>>> general purpose standards. Note that this particular application
>>>>> disadvantages BN curves, as due to the form of its formula for r, this
>>>>> particular condition is much harder to achieve.
>>>>
>>>> We guess that BLS12-381 is chosen for the efficient computation of their
>>>> zero-knowledge proof. Nonetheless, we think BLS12-381 has sufficient
>>>> performance for general purpose.
>>>>
>>>> Best regards,
>>>> Shoko
>>>>
>>>> On 2019/03/15 3:52, Michael Scott wrote:
>>>>> Another point..
>>>>>
>>>>> For the BLS curves, the cofactor h in G_1 is calculated here as
>>>>> ((t-1)^2)/3, and this will work fine as a co-factor, where a random
>> point
>>>>> on the curve over the base field can be multiplied by this co-factor to
>>>>> create a point of order r in G_1. But this co-factor is unnecessarily
>>>> large.
>>>>>
>>>>> The same can be achieved by using (t-1) as a co-factor, due to the
>>>>> structure of pairing friendly fields. This will be twice as fast.
>>>>>
>>>>>
>>>>> Mike
>>>>>
>>>>>
>>>>> However to
>>>>>
>>>>> On Thu, Mar 14, 2019 at 3:21 PM Michael Scott <mike.scott@miracl.com>
>>>> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I greatly welcome this proposal, and would not want to slow its
>> progress
>>>>>> in any way. It is long overdue that pairing-friendly curves be
>>>>>> standardized, before unsuitable de-facto standards emerge, which may
>>>> not be
>>>>>> ideal, but which may nevertheless become widely deployed.
>>>>>>
>>>>>> However I make the following observations about the particular curves
>>>>>> suggested.
>>>>>>
>>>>>> The suggested curves do not appear to meet the requirement for
>> subgroup
>>>>>> security which is indicated as being a desirable property in section
>>>> 3.1 -
>>>>>> “One has to choose parameters so that the cofactors of G_1, G_2 and
>> G_T
>>>>>> contain no prime factors smaller than |G_1|, |G_2| and |G_T|”.
>>>>>>
>>>>>> The case could be made that subgroup security is not so important, but
>>>> if
>>>>>> so the text in 3.1 should be modified to reflect this point of view.
>>>>>>
>>>>>> The curve BN462 is not sub-group secure, as in G_T (p^4-p^2+1) /r has
>>>>>> small factors of 2953, 5749 and 151639045476553 (amongst others). I
>>>> didn’t
>>>>>> check G_2.
>>>>>>
>>>>>> The curve BLS381 has the same problem, as (p^4-p^2+1) /r has small
>>>> factor
>>>>>> of 4513, 584529700689659162521 and more. Again I didn’t check G_2
>>>>>>
>>>>>> The curve BLS48-581 has the same problem, as (p^4-p^2+1) /r has a
>> small
>>>>>> factor of 76369, and probably others. Again I didn’t check for G_2
>>>>>>
>>>>>> The draft does point out that for BLS curves, when hashing to a point
>> in
>>>>>> G_1, multiplication by a small co-factor h>1 will always be necessary.
>>>>>>
>>>>>> In my opinion sub-group security in G_T is particularly important if
>> it
>>>> is
>>>>>> desirable to offload the pairing calculation to an untrusted server,
>>>> and so
>>>>>> it is a feature I would consider useful in a standard curve. In our
>>>>>> experience finding such curves is relatively easy (although finding
>>>> curves
>>>>>> that are sub-group secure in both G_2 and G_T is more problematical)..
>>>>>>
>>>>>> Another point – the BLS381 curve was chosen for a very particular
>>>> (albeit
>>>>>> important) application where it is a requirement that r-1 has a factor
>>>> of
>>>>>> 2^m for a large value of m. Curves chosen with application-specific
>>>>>> benefits should I suggest be considered carefully if proposed as more
>>>>>> general purpose standards. Note that this particular application
>>>>>> disadvantages BN curves, as due to the form of its formula for r, this
>>>>>> particular condition is much harder to achieve.
>>>>>>
>>>>>>
>>>>>> Mike
>>>>>>
>>>>>> On Wed, Mar 13, 2019 at 10:33 AM Shoko YONEZAWA <
>> yonezawa@lepidum.co.jp
>>>>>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi there,
>>>>>>>
>>>>>>> Thank you for your comments to our pairing-friendly curve draft.
>>>>>>> We submitted a new version.
>>>>>>>
>>>>>>> According to Kenny's comments,
>>>>>>> we added the following description to the new version.
>>>>>>>
>>>>>>> - Pseudo-codes for pairing computation
>>>>>>> - Example parameters and test vectors of each curve
>>>>>>>
>>>>>>> We now published our working draft on GitHub,
>>>>>>> together with the BLS signature group.
>>>>>>> Please feel free to submit issues. Your comments are really
>>>> appreciated.
>>>>>>>
>>>>>>> https://github.com/pairingwg/pfc_standard/
>>>>>>>
>>>>>>> Best,
>>>>>>> Shoko
>>>>>>>
>>>>>>> -------- Forwarded Message --------
>>>>>>> Subject: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
>>>>>>> Date: Mon, 11 Mar 2019 08:34:48 -0700
>>>>>>> From: internet-drafts@ietf.org
>>>>>>> Reply-To: internet-drafts@ietf.org
>>>>>>> To: i-d-announce@ietf.org
>>>>>>>
>>>>>>>
>>>>>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>>>>>> directories.
>>>>>>>
>>>>>>>
>>>>>>>             Title           : Pairing-Friendly Curves
>>>>>>>             Authors         : Shoko Yonezawa
>>>>>>>                               Sakae Chikara
>>>>>>>                               Tetsutaro Kobayashi
>>>>>>>                               Tsunekazu Saito
>>>>>>>            Filename        :
>>>> draft-yonezawa-pairing-friendly-curves-01.txt
>>>>>>>            Pages           : 28
>>>>>>>            Date            : 2019-03-11
>>>>>>>
>>>>>>> Abstract:
>>>>>>>        This memo introduces pairing-friendly curves used for
>> constructing
>>>>>>>        pairing-based cryptography.  It describes recommended
>> parameters
>>>> for
>>>>>>>        each security level and recent implementations of
>> pairing-friendly
>>>>>>>        curves.
>>>>>>>
>>>>>>>
>>>>>>> The IETF datatracker status page for this draft is:
>>>>>>>
>>>>
>> https://datatracker.ietf.org/doc/draft-yonezawa-pairing-friendly-curves/
>>>>>>>
>>>>>>> There are also htmlized versions available at:
>>>>>>>
>> https://tools.ietf.org/html/draft-yonezawa-pairing-friendly-curves-01
>>>>>>>
>>>>>>>
>>>>
>> https://datatracker.ietf.org/doc/html/draft-yonezawa-pairing-friendly-curves-01
>>>>>>>
>>>>>>> A diff from the previous version is available at:
>>>>>>>
>>>>>>>
>>>>
>> https://www.ietf.org/rfcdiff?url2=draft-yonezawa-pairing-friendly-curves-01
>>>>>>>
>>>>>>>
>>>>>>> Please note that it may take a couple of minutes from the time of
>>>>>>> submission
>>>>>>> until the htmlized version and diff are available at tools.ietf.org..
>>>>>>>
>>>>>>> Internet-Drafts are also available by anonymous FTP at:
>>>>>>> ftp://ftp.ietf.org/internet-drafts/
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> I-D-Announce mailing list
>>>>>>> I-D-Announce@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/i-d-announce
>>>>>>> Internet-Draft directories: http://www.ietf.org/shadow.html
>>>>>>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Cfrg mailing list
>>>>>>> Cfrg@irtf.org
>>>>>>> https://www.irtf.org/mailman/listinfo/cfrg
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>> --
>>>> Shoko YONEZAWA
>>>> Lepidum Co. Ltd.
>>>> yonezawa@lepidum.co.jp
>>>> TEL: +81-3-6276-5103
>>>>
>>>
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg
>>>
>>
>> --
>> Shoko YONEZAWA
>> Lepidum Co. Ltd.
>> yonezawa@lepidum.co.jp
>> TEL: +81-3-6276-5103
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
> 
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
> 

-- 
Shoko YONEZAWA
Lepidum Co. Ltd.
yonezawa@lepidum.co.jp
TEL: +81-3-6276-5103

v2.23.0 | Report a Bug | By Email