IETF Logo Mail Archive

[CFRG] Re: Pairing-Friendly Curves: Open Questions Before Draft Update

Watson Ladd <watsonbladd@gmail.com> Mon, 15 December 2025 16:33 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@mail2.ietf.org
Delivered-To: cfrg@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 6EA269AC69CF for <cfrg@mail2.ietf.org>; Mon, 15 Dec 2025 08:33:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MzbpLz1Tlhzq for <cfrg@mail2.ietf.org>; Mon, 15 Dec 2025 08:33:17 -0800 (PST)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id DBF059AC69CA for <cfrg@irtf.org>; Mon, 15 Dec 2025 08:33:17 -0800 (PST)
Received: by mail-wr1-x42d.google.com with SMTP id ffacd0b85a97d-42f9ece6387so1479707f8f.0 for <cfrg@irtf.org>; Mon, 15 Dec 2025 08:33:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1765816391; x=1766421191; darn=irtf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=skQkhtHq6PWlnk2YtoptDprYzzqLA0d8M91RcqKbssY=; b=T613Sk810Uu2izYW4dLy8mAxthAm84CtKtIqLXvk4ZIdW1grk1EFeDS8at+hQ4Sn6+ eLm/bLNClS4JR3JkNGmLyGjHPnrEEMXjAQTu0CQkFgoVo8hyXzEznJ1g2uaIMeYx2RsO CGs5PwSiQ1k7wy+EUhAwj+J6SDc/kW7y+fN73G6l2F4+wq9zZ98Q06pwa0hEcB29Bh8y ENnhb30MeFJ2TWSxt227/QH6yZoGFi75bwKk1nSSnXeE29TlnNl06/zqncXRCOSxG6SN LKv9s/iaHFuTCzs19j0GE1JUnRcDn3jobX/Y4u9xS9OaB5zx38ruZv6/ULc/RGmQ7ax6 oTqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1765816391; x=1766421191; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=skQkhtHq6PWlnk2YtoptDprYzzqLA0d8M91RcqKbssY=; b=dvtnGgDh82Vat/ARWF943BAQtTbJYqQjPuf9i64XH9DzJgjF6nT/uuahpst0SvDrZr 04oxEZ301xTEo2xhNm2WCrWdElOPA15gDUh+0JfCGo2e2CgNYxpnvXTS45xYSo/LzDFv clI2yecM2WwitdEiY7vFca+CGE4vqmOAE7n1Po64BISmaxDGvw6Tm6TRxBP+XuKDfJO0 slTnZnuT9eZf5C3hjXpRHuPC4153eexDcZIzQcPh+m3YWbckTdm9LvzQRhAG/RLeotjf B0yeDmt4WW+rgX1e6wcG0ow4KtBGlDpjUVZiJQQlXtLCJIwKwFiNrQdPiI5C/6i+lzmp QUVw==
X-Gm-Message-State: AOJu0YwbdC/HtdFtDE4+Q08wfsCQkWw2eusQ9K5acQsnRkUNFOq5Eid3 xIaUY93NQx2cNGYp9xu9GVZoZmVdmjXiN1NlefEP5+WFhkGVIVklgjDBdRpIBdfM+SfTWFU8OZi qhdxgKx/lEIu6n98cs89crCOKs5liCzE=
X-Gm-Gg: AY/fxX5SBVL7Uo/qTN4BdPvBXqEXDviQafXpZjlOlTbpQ3eatx7eOxcBnjiJQxdMSCG uwBoYMAw8Iyfm9281H1OcINMrsykBh855luc0+9zgh4TI8sSMkmSspGSNIDMABE2obQk1Ub3UCU oEzSCVQFvGn4vrrOHDXG1ZxuTnIwJUV2wNjMaqFGYV+iQqtqfWgXc5L5x8xvbNdMSl0edWq9AKK LWjHjN1VRjvfBj5uH2IBX92rH4mnHTGLUHmqvwc6kTW4vDTGZrmgvvtVrYcf96Ee5sPvM8n6+jA XHMZC8bQnwF3k38iUD2/IFkL2O3CQL1osHAX+Lvnfvtvzu5vg5GiSXbERmZP
X-Google-Smtp-Source: AGHT+IGyEMgPz94GIVW64fTEkNbBZLIOr02u/FkbJdH7R8teVpQ/EO1svypKNPKIhLkeVVOrrgdA4VPbISpsbEYm8Lg=
X-Received: by 2002:a05:6000:26cc:b0:429:c774:dbfc with SMTP id ffacd0b85a97d-42fb4477504mr13731640f8f.12.1765816391203; Mon, 15 Dec 2025 08:33:11 -0800 (PST)
MIME-Version: 1.0
References: <CAOjisRy=_=+rGpjX-3=1uDNfhBrzKggrw+Ts8QVdebeGAtU3xg@mail.gmail.com>
In-Reply-To: <CAOjisRy=_=+rGpjX-3=1uDNfhBrzKggrw+Ts8QVdebeGAtU3xg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 15 Dec 2025 08:33:00 -0800
X-Gm-Features: AQt7F2pw7yFgMpukINyzOi73-zx1MWasPxy2a-i4rT_B9sAeTBtnj1Zf1CR7KAc
Message-ID: <CACsn0c=3OTLHwszMK6Bjunjq-rbobTt8JxZgy6rRaETz7O9TDQ@mail.gmail.com>
To: Nick Sullivan <nicholas.sullivan@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: PYRVYALDN3CQ2DUJW2ZT3GFKDXLAE2AP
X-Message-ID-Hash: PYRVYALDN3CQ2DUJW2ZT3GFKDXLAE2AP
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; header-match-cfrg.irtf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: CFRG <cfrg@irtf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [CFRG] Re: Pairing-Friendly Curves: Open Questions Before Draft Update
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/TD9I44-qF7ucKwRetABWqC4TgHw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

On Fri, Dec 12, 2025 at 8:25 AM Nick Sullivan
<nicholas.sullivan@gmail.com> wrote:
>
> Dear CFRG Participants,
>
> Following the IETF 124 presentation on the pairing-friendly curves draft (https://datatracker.ietf.org/doc/draft-irtf-cfrg-pairing-friendly-curves/) we’re working with the authors and new contributors to bring this work to closure.` Before preparing an updated version or scheduling an interim, we want to confirm group consensus around several open questions raised during reviews since the last RGLC and again recently:
>
> Document scope and structure
>
> Should the draft stay focused on curve parameters and test vectors, or also include interface guidance, serialization formats, or tutorial content? Should nonessential background material (e.g. pairing formulae, curve surveys) be moved to an appendix or companion document? Should the draft’s title or positioning be updated to reflect this narrower focus?

I think the draft should include serialization formats. Interface
guidance I am less sure about, but could be welcome. I'm not sure how
formulas are nonessential to help implementors.
>
> Curve selection
>
> Is the current set of curves appropriate? Some suggest narrowing to BLS12-381 plus one BLS24 and one BLS48 to target 128-, 192-, and 256-bit security levels. Others recommend removing BN curves that may no longer meet security or deployment criteria. A shared rationale is needed for inclusion or removal. Should this document support only BLS-style use cases, or also applications like ZKPs or IBE?

I think the document should support the full scope of applications.

>
> Interfaces and related primitives
>
> Should the draft describe expected abstractions or interfaces (e.g. mapping to G1/G2, referencing hash-to-curve), or should it remain neutral and defer to other specs like RFC 9380? Should the draft specify a minimal pairing API (e.g. function signature or domain separation guidance), or leave that entirely to downstream specs?

I don't think we should cover things an already existing spec covers,
but there shouldn't be gaps.

>
> Serialization
>
> The current draft allows both compressed and uncompressed encodings, including identity elements. Concerns were raised about interoperability and risks from optional encodings. Should the draft specify a simpler, consistent serialization format for implementers? Should identity points be disallowed or tightly constrained?

Compressed encodings can be a challenge when decompression is more
expensive than ensuing processing. Choosing only uncompressed could be
fine. Not sure about identity points.
>
> Framing and utility
>
> To support adoption, should the draft explicitly document security assumptions (e.g. resistance to DLP via exTNFS), implementation risks (e.g. subgroup checks), and what classes of protocols these curves are appropriate for? Should test vectors include intermediate values or results for multiple encodings?

I think documenting security assumptions would be really useful.
>
> Please respond on the list with input on any of the above. Once we’ve collected feedback, we’ll open issues in the GitHub repo and evaluate whether a short interim is needed.
>
> Thanks,
> Nick (for the chairs)
>
> Relevant threads:
> https://mailarchive.ietf.org/arch/msg/cfrg/KmqSMLWzuj7MSGNuv3PiReZ-jVE/
> https://mailarchive.ietf.org/arch/msg/cfrg/-1nTbbVRlkP5wV2odEYFac-jK08/
> https://mailarchive.ietf.org/arch/msg/cfrg/OOwChBvt4vjJrfUYEF0g_ENbSlc/
> https://mailarchive.ietf.org/arch/msg/cfrg/JnyN9-G6vIGSMuWyyqoWNNdQ6Xk/
> https://mailarchive.ietf.org/arch/msg/cfrg/wypZbN6YlgqL7KmrvGojFBarMqY/
> https://mailarchive.ietf.org/arch/msg/cfrg/Mr3oRJpwbRd-czt50ksAOkrNuTo/
> _______________________________________________
> CFRG mailing list -- cfrg@irtf.org
> To unsubscribe send an email to cfrg-leave@irtf.org



-- 
Astra mortemque praestare gradatim

v2.46.0 | Report a Bug | By Email | System Status