Re: [Cfrg] Fwd: I-D Action: draft-kasamatsu-bncurves-00.txt
Kohei Kasamatsu <kasamatsu.kohei@po.ntts.co.jp> Wed, 29 January 2014 11:03 UTC
Return-Path: <kasamatsu.kohei@po.ntts.co.jp>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDF761A035D for <cfrg@ietfa.amsl.com>; Wed, 29 Jan 2014 03:03:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.073
X-Spam-Level:
X-Spam-Status: No, score=0.073 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ASFrmwPh3ySM for <cfrg@ietfa.amsl.com>; Wed, 29 Jan 2014 03:03:13 -0800 (PST)
Received: from mail12.ics.ntts.co.jp (mail12.ics.ntts.co.jp [210.232.35.65]) by ietfa.amsl.com (Postfix) with ESMTP id 9D9401A0235 for <cfrg@irtf.org>; Wed, 29 Jan 2014 03:03:13 -0800 (PST)
Received: from sadoku34.silk.ntts.co.jp (sadoku34 [10.7.18.34]) by mail12.ics.ntts.co.jp (8.14.4/8.14.4/NTTSOFT) with ESMTP id s0TB376U027738; Wed, 29 Jan 2014 20:03:07 +0900 (JST)
Received: (from root@localhost) by sadoku34.silk.ntts.co.jp (8.13.8/NTTSOFT) id s0TB37nT006626; Wed, 29 Jan 2014 20:03:07 +0900 (JST)
Received: from ccmds32.silk.ntts.co.jp [10.107.0.32] by sadoku34.silk.ntts.co.jp with SMTP id WAA06625; Wed, 29 Jan 2014 20:03:07 +0900
Received: from mail147.silk.ntts.co.jp (ccmds32.silk.ntts.co.jp [127.0.0.1]) by ccmds32.silk.ntts.co.jp (8.14.3/8.14.3) with ESMTP id s0TB360F029252; Wed, 29 Jan 2014 20:03:06 +0900
Received: from mail147.silk.ntts.co.jp (localhost.localdomain [127.0.0.1]) by mail147.silk.ntts.co.jp (8.14.5/8.14.5/NTTSOFT) with ESMTP id s0TB33EE022715; Wed, 29 Jan 2014 20:03:03 +0900
Received: from ccmds32 (mail145.silk.ntts.co.jp [10.107.0.145]) by mail147.silk.ntts.co.jp (8.14.5/8.14.5/NTTSOFT) with SMTP id s0TB33FX022712; Wed, 29 Jan 2014 20:03:03 +0900
Message-ID: <52E8DFBD.2070406@po.ntts.co.jp>
Date: Wed, 29 Jan 2014 20:02:21 +0900
From: Kohei Kasamatsu <kasamatsu.kohei@po.ntts.co.jp>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Laura Hitt <lhitt@21ct.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <20140110051303.25816.17055.idtracker@ietfa.amsl.com> <52E05C7C.2030400@po.ntts.co.jp> <04920BD67C651C469D0387704CD7692A8F3048D915@21ct-exg07.21technologies.com>
In-Reply-To: <04920BD67C651C469D0387704CD7692A8F3048D915@21ct-exg07.21technologies.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-CC-Mail-RelayStamp: CC-Mail-V4.3-Client
X-CC-Mail-RelayStamp: CC-Mail-V4.3-Server
Cc: "kobayashi.tetsutaro@lab.ntt.co.jp" <kobayashi.tetsutaro@lab.ntt.co.jp>, "kawahara.yuto@lab.ntt.co.jp" <kawahara.yuto@lab.ntt.co.jp>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-kasamatsu-bncurves-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2014 11:03:16 -0000
Hi Laura, Thank you for your comments. > Regarding your statement in Section 6, "The elliptic curve that > supports a bilinear map requires the hardness of solving following > problems, since the security of pairing-based cryptographic > primitives is based on hardness of these problems." You then list > the ECDLP, ECDHP, BDHP, ECDLP with auxiliary inputs. > > I would be hesitant to say ALL pairing-based cryptographic primitives > are based on the hardness of those problems...perhaps it's true, but > it's conceivable that a pairing-based scheme could be based on > another hard problem, such as solving the isogeny problem or co-gap > DH. (See, for example, Section 6 of "Evaluating Large Degree > Isogenies and Applications to Pairing Based Cryptography" by Broker, > Charles, Lauter, or "Improved algorithm for the isogeny problem for > ordinary elliptic curves" by Galbraith & Stolbunov.) We agree with it. As you say, there are pairing-based cryptographic primitives based on the hardness of different problems from these described in our draft. We would like to change "The elliptic curve that supports a bilinear map requires the hardness of solving following problems, since the security of pairing-based cryptographic primitives is based on hardness of these problems." to "Pairing-based cryptographic primitives are often based on the hardness of the following problems, so when the elliptic curves from this document are used in such schemes, these problems would apply." Does the modification despel the concern? Best, Kohei KASAMATSU (2014/01/24 3:13), Laura Hitt wrote: > Hi Kohei, > > Regarding your statement in Section 6, "The elliptic curve that supports a bilinear map requires the hardness of solving following problems, since the security of pairing-based cryptographic primitives is based on hardness of these problems." You then list the ECDLP, ECDHP, BDHP, ECDLP with auxiliary inputs. > > I would be hesitant to say ALL pairing-based cryptographic primitives are based on the hardness of those problems...perhaps it's true, but it's conceivable that a pairing-based scheme could be based on another hard problem, such as solving the isogeny problem or co-gap DH. (See, for example, Section 6 of "Evaluating Large Degree Isogenies and Applications to Pairing Based Cryptography" by Broker, Charles, Lauter, or "Improved algorithm for the isogeny problem for ordinary elliptic curves" by Galbraith & Stolbunov.) > > Best, > Laura > > -----Original Message----- > From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Kohei Kasamatsu > Sent: Wednesday, January 22, 2014 6:04 PM > To: cfrg@irtf.org > Cc: kobayashi.tetsutaro@lab.ntt.co.jp; kawahara.yuto@lab.ntt.co.jp > Subject: [Cfrg] Fwd: I-D Action: draft-kasamatsu-bncurves-00.txt > > Hi cfrg folks, > > > Elliptic curves with a special map called a pairing allow cryptographic primitives to achieve functions or efficiency which cannot be realized by conventional mathematical tools. For example, ZSS signature is one of these primitives. > > We have recently submitted an I-D on Barreto-Naehrig curves (BN-curves) which provide efficient operations of a pairing. > The I-D specifies parameters of BN-curves which are particularly useful for realization of efficient cryptographic schemes based on pairing and parameters of BN-curves which are compliant with ISO/IEC 15946-5. > > We will propose I-Ds on computation of pairing and pairing-based primitives in order to contribute to IETF community in the near future. > > We would appreciate your comments and suggestions on our I-D and works. > > Best, > Kohei KASAMATSU > -------- Original Message -------- > Subject: I-D Action: draft-kasamatsu-bncurves-00.txt > Date: Thu, 09 Jan 2014 21:13:03 -0800 > From: internet-drafts@ietf.org > Reply-To: internet-drafts@ietf.org > To: i-d-announce@ietf.org > > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > > > Title : Barreto-Naehrig Curves > Authors : Kohei Kasamatsu > Satoru Kanno > Tetsutaro Kobayashi > Yuto Kawahara > Filename : draft-kasamatsu-bncurves-00.txt > Pages : 15 > Date : 2014-01-09 > > Abstract: > Elliptic curves with pairing are useful tools for constructing > cryptographic primitives. In this memo, we specify domain parameters > of Barreto-Naehrig curve (BN-curve) [5]. The BN-curve is an elliptic > curve suitable for pairings and allows us to achieve high security > and efficiency of cryptographic schemes. This memo specifies domain > parameters of two 254-bit BN-curves [1] [2] which allow us to obtain > efficient implementations and domain parameters of 224, 256, 384, and > 512-bit BN-curves which are compliant with ISO/IEC 15946-5[3]. > Furthermore, this memo organizes differences between types of > elliptic curves specified in ISO document and often used in open > source softwares, which are called M-type and D-type > respectively[21]. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-kasamatsu-bncurves/ > > There's also a htmlized version available at: > http://tools.ietf.org/html/draft-kasamatsu-bncurves-00 > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > _______________________________________________ > I-D-Announce mailing list > I-D-Announce@ietf.org > https://www.ietf.org/mailman/listinfo/i-d-announce > Internet-Draft directories: http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg > > -- Kohei KASAMATSU NTT Software Corporation TEL: +81 45 212 7908 FAX: +81 45 212 9800 E-mail: kasamatsu.kohei@po.ntts.co.jp
- [Cfrg] Fwd: I-D Action: draft-kasamatsu-bncurves-… Kohei Kasamatsu
- Re: [Cfrg] I-D Action: draft-kasamatsu-bncurves-0… Michael Hamburg
- Re: [Cfrg] Fwd: I-D Action: draft-kasamatsu-bncur… Laura Hitt
- Re: [Cfrg] Fwd: I-D Action: draft-kasamatsu-bncur… Kohei Kasamatsu
- Re: [Cfrg] I-D Action: draft-kasamatsu-bncurves-0… Kohei Kasamatsu
- Re: [Cfrg] Fwd: I-D Action: draft-kasamatsu-bncur… Kohei Kasamatsu
- Re: [Cfrg] I-D Action: draft-kasamatsu-bncurves-0… Mike Hamburg
- Re: [Cfrg] Fwd: I-D Action: draft-kasamatsu-bncur… Laura Hitt
- Re: [Cfrg] I-D Action: draft-kasamatsu-bncurves-0… Kohei Kasamatsu