Re: [CFRG] Asking the advice on the draft of pairing-friendly curves

Yumi Sakemi <yumi.sakemi@lepidum.co.jp> Mon, 28 December 2020 07:41 UTC

References: <CAA4D8KZei_Cd+FhdgTH8MKOk2g126vFJihpEYJ23ZL3QfG3uGA@mail.gmail.com> <CAEseHRpUUCV_aAAYdAxrw4wKDDDr-JbTQYnWihnp+18P2-VRBw@mail.gmail.com>
In-Reply-To: <CAEseHRpUUCV_aAAYdAxrw4wKDDDr-JbTQYnWihnp+18P2-VRBw@mail.gmail.com>
From: Yumi Sakemi <yumi.sakemi@lepidum.co.jp>
Date: Mon, 28 Dec 2020 16:41:46 +0900
Message-ID: <CAA4D8KZekFEikWaFpfwu3ZNYkObs_B4Z4Vw-sjEX-MRcYr8GdA@mail.gmail.com>
To: Michael Scott <mike.scott@miracl.com>
Cc: CFRG <cfrg@irtf.org>, Tetsutaro Kobayashi <tetsutaro.kobayashi.dr@hco.ntt.co.jp>, "Riad S. Wahby" <rsw@cs.stanford.edu>, SAITO Tsunekazu <tsunekazu.saito.hg@hco.ntt.co.jp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/NAPEGgohozuQ6W-stQGPw392B3s>

Dear Prof. Scott,

Thank you for your encouraging message!
We are very grateful for your support of our activities.

In addition, we are glad to know of your strong motivation regarding pairing
technologies.
We will proceed to meet your expectations.

Best regards,
Yumi

On Wed, 23 Dec 2020 at 23:04, Michael Scott <mike.scott@miracl.com> wrote:
>
> I would like to voice my strong support for this effort.
>
> Since pairings arrived as a new cryptographic tool in the year 2000, they have transformed cryptography and flung open many new doors to new avenues of research. If RSA was a cryptographic lump hammer, pairings are a Swiss army knife.
>
> Alternative technologies have followed behind, some of them post-quantum secure, but they have not as yet filled many of the niches currently occupied by pairings.
>
> A good example of an application area would be functional encryption, which I mention because an email popped into my Inbox just yesterday concerning an interesting event associated with the Real World Crypto conference in January – see https://cryptohackathon.eu/
>
> It needs to be recognised that for reasons not entirely clear to me, many regard pairings with suspicion. They have a largely undeserved reputation of being slow. Many papers seem to like to boast that their scheme works “without pairings”, as some kind of badge of honour. In fact pairing-based schemes are completely practical.
>
> More seriously, their security has been called into question, due to some impressive cryptanalysis. I must admit I was surprised and deeply impressed when pairings based on small characteristic supersingular curves were spectacularly blown out of the water. I was also impressed, although much less surprised, when methods were found to exploit the particular form of discrete log problem that arises in the context of large characteristic non-supersingular pairing-friendly curves. This has led to the adoption of modest increases in parameter sizes.
>
> However, I would regard this as a natural progression for any new cryptographic primitive. Parameter sizes generally creep up over time as cryptanalytic efforts intensify, before eventually stabilising. Remember 512-bit RSA keys. Observe the current post-quantum crypto scene.
>
> I would suggest that the security of pairings is comparable with that of other discrete log based systems, and some 20 years after their arrival on the cryptographic scene it is certainly time that their power was recognised, and that standard curves should emerge for implementers to work with in confidence. The world urgently needs better cryptography.
>
> Hopefully CFRG will not be found wanting in offering its support for these efforts. Personally I have always found the proposers of this standard to be unfailingly polite and responsive to my feedback.
>
> If de facto standards that have not undergone proper community scrutiny start to emerge (as industry implementers lose patience waiting for “proper” standards), then, well, that would be a pity.
>
>
> Mike Scott


-- 
Yumi Sakemi, Ph. D.
Lepidum Co. Ltd.

E-Mail: yumi.sakemi@lepidum.co.jp