Re: [Cfrg] I-D Action: draft-yonezawa-pairing-friendly-curves-00.txt

Shoko YONEZAWA <yonezawa@lepidum.co.jp> Fri, 15 February 2019 03:46 UTC

Return-Path: <yonezawa@lepidum.co.jp>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C10613108C for <cfrg@ietfa.amsl.com>; Thu, 14 Feb 2019 19:46:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lepidum-co-jp.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rY-99wp6vTzL for <cfrg@ietfa.amsl.com>; Thu, 14 Feb 2019 19:46:37 -0800 (PST)
Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com [IPv6:2607:f8b0:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18E5E13103D for <cfrg@irtf.org>; Thu, 14 Feb 2019 19:46:36 -0800 (PST)
Received: by mail-pg1-x52c.google.com with SMTP id w7so4120188pgp.13 for <cfrg@irtf.org>; Thu, 14 Feb 2019 19:46:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lepidum-co-jp.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=0J8p022e63dOFnPTkDh+EMlxeNtwb8rNes60OIVdMQs=; b=vbNpVymnKjfn32Qj4y4gGKaF0iPKMydfBcyeW2T8hLAYmvDK9i/rOoDxLIA2XHaJv+ wOkm09juQ3zc1rt0m0fXyK04xT7oJsW1Iz4lnNVST9S8B9E4rqQzCf+YH99Z7hNoq92j hCHdjsFKpyhh8nkX2gVjpx4O4wSWh/AYTJpFztu/T/KzE7+LMA8wJv4UK0L4nbM0WyW7 PvjrYlMp7srfKdpoF6O6UNbiu/bKr4EqapSVvi1gm5f602sFUKTxpOC78+/1RQiPoBIG qJoAiu7qkI821gNRNHcaxW/JaeRrzUOvhS3pM89Mk6L6mwnP1dlBnNdvFEBmOYgl6vVe 4EEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=0J8p022e63dOFnPTkDh+EMlxeNtwb8rNes60OIVdMQs=; b=SbogmfFmL0WKK0Q2J9Y5b/DSFYsGJX5bdcXutlxHODyS6wV2Lxjt+KHJDBvQhwJRK8 SYGsmJGnlMuymLIz74HE0k64dmh+TpykZTxOKOwE6M2wRhHQSlhziX6D9hr60Euu7cwW U2o5wAL+A/ubsldIpoXWgpFwDNYj3k7aYD+wPPq4cjaHUXJVD1TWKQSrKv37+cL5xmC9 zFyXetJzog0uTH829M7mJuBvsxTsamd4Z8pZj8PJmnsk0MiQakpoMqSLWMFKw4sjRPmX 8MkSlXLLisW3SUaraX51V79le+HRGkyR5TsWUirGf+c8pd97HZCpB4l7ss7AA6IHy1Qb 21/g==
X-Gm-Message-State: AHQUAub/yDW0o7e0ksQVBDZuDqFprvMI9Wki1VJh89tRJi5E15GP06MB H3/wP7Lq14xsSkJmOYAGddMsp1AC6NANzvwy+7tqN/qhBCe6/V2AySJpAOHeNly0ZYnKrdYTk5M oDNqTxjj86g/uqGooaLT8jNh31gKDXCPGo12NjGR17HDVbAKcGflXxiVy6xU=
X-Google-Smtp-Source: AHgI3IbCJ7W4bBqHLqnSQXJtRyywcO9llgLLIwVlgULDXd02GXk87iEIdIRR9/V0hlXmwak6DPa5tA==
X-Received: by 2002:a62:31c1:: with SMTP id x184mr7870069pfx.204.1550202395771; Thu, 14 Feb 2019 19:46:35 -0800 (PST)
Received: from [192.168.30.116] ([150.249.212.66]) by smtp.gmail.com with ESMTPSA id i71sm12222602pfi.170.2019.02.14.19.46.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 Feb 2019 19:46:35 -0800 (PST)
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
References: <030efaab-7a2d-8743-89a7-28fe61211cea@lepidum.co.jp> <5DC878C8-148E-4746-9C5C-0F960882194D@rhul.ac.uk>
From: Shoko YONEZAWA <yonezawa@lepidum.co.jp>
Message-ID: <d9c81d0e-3332-c0a8-5c50-68ad1fb1df04@lepidum.co.jp>
Date: Fri, 15 Feb 2019 12:46:31 +0900
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
In-Reply-To: <5DC878C8-148E-4746-9C5C-0F960882194D@rhul.ac.uk>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KBdbcS33ewOHCqMIPF9M91imvNk>
Subject: Re: [Cfrg] I-D Action: draft-yonezawa-pairing-friendly-curves-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 03:46:40 -0000

Dear Kenny,

Thank you very much for your comments on our draft.

 > One question I had at this stage: would it be feasible to include a 
short, self-contained description in pseudo-code of how to compute a 
pairing on these curves? I know this may be asking for quite a lot, 
especially as there are different pairings available, and many 
implementation optimisations can be made. However, perhaps a simple and 
not necessarily super-optimised description could be given? This would 
enable people starting from scratch with a suitable curve library to at 
least obtain a working implementation for themselves (which would of 
course be rather slow).

We are going to describe pseudo-code of pairing computation (optimal Ate 
pairing, specifically) for both BN curves and BLS curves
so that readers can imagine the implementation of pairing computation.
This will appear in Appendix.
I will post the description after we complete it.
Your comments are really appreciated.

 > Relatedly, then, it would be useful to include test vectors for this 
"reference implementation".

We are going to include test vectors as well as curve parameters (size, 
order, generator, cofactor etc.) in the next version.
One thing we are worrying is how to represent an element of an extension 
field (G2 and GT) in String.
We will try to find the suitable representation by referring other 
examples and hearing the opinions from users of these curves.

Best regards,
Shoko

On 2019/02/08 21:01, Paterson, Kenny wrote:
> Dear Shoko,
> 
> Thanks for preparing this draft. I think it could be very useful for CFRG to specify some pairing-friendly curves that reflect recent advances in cryptanalysis. We expect additional drafts making use of such curves to come before CFRG for consideration in the near future.
> 
> One question I had at this stage: would it be feasible to include a short, self-contained description in pseudo-code of how to compute a pairing on these curves? I know this may be asking for quite a lot, especially as there are different pairings available, and many implementation optimisations can be made. However, perhaps a simple and not necessarily super-optimised description could be given? This would enable people starting from scratch with a suitable curve library to at least obtain a working implementation for themselves (which would of course be rather slow). Relatedly, then, it would be useful to include test vectors for this "reference implementation".
> 
> Best wishes,
> 
> Kenny
> 
> -----Original Message-----
> From: Cfrg <cfrg-bounces@irtf.org> on behalf of Shoko YONEZAWA <yonezawa@lepidum.co.jp>
> Date: Monday, 28 January 2019 at 14:55
> To: "cfrg@irtf.org" <cfrg@irtf.org>
> Subject: [Cfrg] I-D Action: draft-yonezawa-pairing-friendly-curves-00.txt
> 
>      Hi there,
>      
>      we have submitted an Internet-Draft about pairing-friendly curves.
>      This is a revision of draft-kato-threat-pairing
>      (https://datatracker.ietf.org/doc/draft-kato-threat-pairing/).
>      
>      Our I-D introduces pairing-friendly curves used for constructing
>      highly-functional crypto-based protocols.
>      We describe secure parameters for pairing-frinedly curves
>      reflecting the recent result on the remarkable attack
>      by Kim and Barbulescu.
>      
>      I would be grateful if you are interested in our draft
>      and kindly read it. Your comments are welcome.
>      
>      Thank you,
>      Shoko YONEZAWA
>      
>      ---
>      A New Internet-Draft is available from the on-line Internet-Drafts
>      directories.
>      
>      
>               Title           : Pairing-Friendly Curves
>               Authors         : Shoko Yonezawa
>                                 Sakae Chikara
>                                 Tetsutaro Kobayashi
>                                 Tsunekazu Saito
>      	Filename        : draft-yonezawa-pairing-friendly-curves-00.txt
>      	Pages           : 17
>      	Date            : 2019-01-27
>      
>      Abstract:
>          This memo introduces pairing-friendly curves used for constructing
>          pairing-based cryptography.  It describes recommended parameters for
>          each security level and recent implementations of pairing-friendly
>          curves.
>      
>      
>      The IETF datatracker status page for this draft is:
>      https://datatracker.ietf.org/doc/draft-yonezawa-pairing-friendly-curves/
>      
>      There are also htmlized versions available at:
>      https://tools.ietf.org/html/draft-yonezawa-pairing-friendly-curves-00
>      https://datatracker.ietf.org/doc/html/draft-yonezawa-pairing-friendly-curves-00
>      
>      
>      Please note that it may take a couple of minutes from the time of submission
>      until the htmlized version and diff are available at tools.ietf.org.
>      
>      Internet-Drafts are also available by anonymous FTP at:
>      ftp://ftp.ietf.org/internet-drafts/
>      
>      _______________________________________________
>      Cfrg mailing list
>      Cfrg@irtf.org
>      https://www.irtf.org/mailman/listinfo/cfrg
>      
> 

-- 
Shoko YONEZAWA
Lepidum Co. Ltd.
yonezawa@lepidum.co.jp
TEL: +81-3-6276-5103