[CFRG] Pairing-Friendly Curves: Open Questions Before Draft Update
Nick Sullivan <nicholas.sullivan@gmail.com> Fri, 12 December 2025 16:25 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/IC5u8A5XJvHVJpNFWJhovcn5xd0>
Dear CFRG Participants,

Following the IETF 124 presentation on the pairing-friendly curves draft (https://datatracker.ietf.org/doc/draft-irtf-cfrg-pairing-friendly-curves/) we’re working with the authors and new contributors to bring this work to closure.

Before preparing an updated version or scheduling an interim, we want to confirm group consensus around several open questions raised during reviews since the last RGLC and again recently:

Document scope and structure
- Should the draft stay focused on curve parameters and test vectors, or also include interface guidance, serialization formats, or tutorial content?
- Should nonessential background material (e.g. pairing formulae, curve surveys) be moved to an appendix or companion document?
- Should the draft’s title or positioning be updated to reflect this narrower focus?

Curve selection
- Is the current set of curves appropriate? Some suggest narrowing to BLS12-381 plus one BLS24 and one BLS48 to target 128-, 192-, and 256-bit security levels. Others recommend removing BN curves that may no longer meet security or deployment criteria. A shared rationale is needed for inclusion or removal.
- Should this document support only BLS-style use cases, or also applications like ZKPs or IBE?

Interfaces and related primitives
- Should the draft describe expected abstractions or interfaces (e.g. mapping to G1/G2, referencing hash-to-curve), or should it remain neutral and defer to other specs like RFC 9380?
- Should the draft specify a minimal pairing API (e.g. function signature or domain separation guidance), or leave that entirely to downstream specs?

Serialization
- The current draft allows both compressed and uncompressed encodings, including identity elements. Concerns were raised about interoperability and risks from optional encodings.
- Should the draft specify a simpler, consistent serialization format for implementers?
- Should identity points be disallowed or tightly constrained?

Framing and utility
- To support adoption, should the draft explicitly document security assumptions (e.g. resistance to DLP via exTNFS), implementation risks (e.g. subgroup checks), and what classes of protocols these curves are appropriate for?
- Should test vectors include intermediate values or results for multiple encodings?

Please respond on the list with input on any of the above. Once we’ve collected feedback, we’ll open issues in the GitHub repo and evaluate whether a short interim is needed.

Thanks,
Nick (for the chairs)

Relevant threads:
https://mailarchive.ietf.org/arch/msg/cfrg/KmqSMLWzuj7MSGNuv3PiReZ-jVE/
https://mailarchive.ietf.org/arch/msg/cfrg/-1nTbbVRlkP5wV2odEYFac-jK08/
https://mailarchive.ietf.org/arch/msg/cfrg/OOwChBvt4vjJrfUYEF0g_ENbSlc/
https://mailarchive.ietf.org/arch/msg/cfrg/JnyN9-G6vIGSMuWyyqoWNNdQ6Xk/
https://mailarchive.ietf.org/arch/msg/cfrg/wypZbN6YlgqL7KmrvGojFBarMqY/
https://mailarchive.ietf.org/arch/msg/cfrg/Mr3oRJpwbRd-czt50ksAOkrNuTo/