Re: [CFRG] Second RGLC on draft-irtf-cfrg-pairing-friendly-curves

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 13 September 2021 18:52 UTC

Return-Path: <prvs=58906f3e78=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E5D93A14AB for <cfrg@ietfa.amsl.com>; Mon, 13 Sep 2021 11:52:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MqDTrbTDGkBU for <cfrg@ietfa.amsl.com>; Mon, 13 Sep 2021 11:52:49 -0700 (PDT)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA8AD3A14A4 for <cfrg@irtf.org>; Mon, 13 Sep 2021 11:52:48 -0700 (PDT)
Received: from LLE2K16-HYBRD02.mitll.ad.local (lle2k16-hybrd02.llan.ll.mit.edu [172.25.5.146]) by MX3.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 18DIqiwQ355524 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 13 Sep 2021 14:52:44 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=EIN34Zlv2XnJP3jQbLX2E+M7lJ5hFM1jpK4eucc6NS+OYRSGUVc8Cx75Y3Hpw4fKwTL0CigCC77Ygv41kOl/kG998wloD6w9fRUOkOQemZE/BDxKs0Q8ZgZnPfwde5zewZrHU8ZvDI0JJy7abZArJHRtsZUn+EbQBDtRX+eAHud0eIu/1/oJpJi/5sXzwQjlLXeQQkI3VmU/xeLxa7exQCryn+RCOkhZft8vciTgCrjhlaINhhIN5pl2y8PT3pgZMklj3d9nGsSceOZxmEgoK437RW82Gp83q+14UjY+xwg5kRhRLGxq91mtsbkZMmsBzZkiMzvWuhlVrwgYofe9Bw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=+FJI+Ki7zZzYt9gkcgfxdeM8rGCHbhLbs6lRpG+GUv4=; b=Ib6++y012tkOhvVpwNOmZIT3MUAMZaVxme1hRbouDYqtIKzNU9mPjyvEWF5AcozEXlPg5BwSndjyyp9kE9oHIkzn06Nv0jL3/qjCMgp6KQQfEs4Dq7mBMXSSwU02seZYmQ8ioV6ToL0b95byq9lBuW3196oqcYh5vmUQRAPjRCDZFKXZTYpBPiSIXCeFnKP9UALHE0Web8Wj/h+odCvwEkJso+gYNiSAMWc+S7D4xBCJkzxD9gcGm/qXr+gNuUJP3pRN+VBT97iB3FCF3sg++wy5ED+kDVL84903Ee744bPWRpR1moPpG3sNYo1rK+/Mb4P/ARqHOYrUxQhP6JP5sQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Yumi Sakemi <yumi.sakemi@infours.co.jp>
CC: CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] Second RGLC on draft-irtf-cfrg-pairing-friendly-curves
Thread-Index: AQHXkFmlX6xp1EMoYEiu3VAB3XIK6qucdzyAgAYGiID//7+FAA==
Date: Mon, 13 Sep 2021 18:52:42 +0000
Message-ID: <9F55A285-A4AC-4935-8A1D-D2B31FC031AA@ll.mit.edu>
References: <CAMr0u6kV-YsAuAMRh6OVArhZ6DftZSCumqYNOQQ5BWq0cgxW3Q@mail.gmail.com> <CACsn0ckkXdVk2maphAoOGm9K6pYkBUOQ+H8sNtpQ5X5Y1k4Yxw@mail.gmail.com> <CAA4D8KZ4=_1qv64MadxeBK85X-oqdwgraGVg2oe0byF2nHeYJQ@mail.gmail.com>
In-Reply-To: <CAA4D8KZ4=_1qv64MadxeBK85X-oqdwgraGVg2oe0byF2nHeYJQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.52.21080801
authentication-results: infours.co.jp; dkim=none (message not signed) header.d=none;infours.co.jp; dmarc=none action=none header.from=ll.mit.edu;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 28ca4f83-da1d-41c0-66d3-08d976e7aab6
x-ms-traffictypediagnostic: CY1P110MB0646:
x-microsoft-antispam-prvs: <CY1P110MB06463CAB6EBFB26181BC606090D99@CY1P110MB0646.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: r0JrftjMPwbLJm5h+x4HhTINM6f9eZEUpmGhnNty4VhrQlMsPFeNrhPscDZExaZtHDSpC+iB44GAazcpzRRruA3QG62QT+rO10j67PZSGwpnhhFqucU4lc0O6gZx56+uzUOOpZ3Uj3qSF34W95TWO1PdTUzsyTOU1wjDGGntuGvELWscokPJ8yUBAH8VgWsTFtiJbcFprfSzZ2GMEfX42lagbENvAi4VeuRGulOrdcnbp7RyQM1q/g/mdWuyk9PQ1zOWFQQ0oVVsKhvVF2KMdPpbC2/IwsVXDIYG+ya1t+WW314IcTpw+yrQRuzUHMvIqM6Vo9LpmzhovNf2qEQamiHOIWm4Ph09LFoLn3iLXiYt2YppANj0kGW0RKeNv2Vjb15Pd96RaaqxBVeHO51D7EMYV9xwp2EcG0P5MHk6VZk1CkQaEDTqh2mofyzOX7IEFOrAz52Q7IUoEkNSmpLd8zk2lp1+FKAIClq6bMvmJ/81NMy96asP6mh4blC+7ToMUe4XoxSrN4Andw5V84ZPOabsVDG2slj3oFNK2W9IUpPRUc8Hs/KKD609xnsWLsRR/g8fO47AYw13oCHMSq8dlNhngBuFU9FuMEeYorJXMBhcWJD2eYLXNfxlbT/Gsyb6M/WFso9e6MvZumhKQ4DCAv2c2ROAOVCZyjk88g0XDpL3zl8/yTbV3KxxkX3RebvhXX0w8zx+dooFHoy3V9ijISmYIZ6zEAQiS0xBFFcqQ6oHHxrUShfABFbYXvqNpW17
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY1P110MB0712.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(366004)(64756008)(8936002)(38100700002)(4326008)(66556008)(66446008)(71200400001)(38070700005)(75432002)(33656002)(76116006)(2616005)(6512007)(66616009)(498600001)(6486002)(186003)(66476007)(122000001)(5660300002)(966005)(66574015)(2906002)(83380400001)(6506007)(86362001)(53546011)(99936003)(8676002)(6916009)(66946007)(26005)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: pfix8hj9dyZoAXgtiKP+BSg7BHyKTyGH+V4McRdpUrGAzWw77AOQ5f49w8EQEOgZVVZdEzTa+ju2u3VwKdisbaU8G2t4Xy7zcCv4JT8bgJiqt2L+jTxPaOjCQNfqCLKP0kWe0p6uBwVjnyFmC/Jywxx2t4gljRRUCas2+x7dGOcOLCey7K+HkdlwVOfimA2KCGIiHaMh2GquR7A8Hit2EPLl5PCr+oDirfv54s+aSeYLj28eaCVmo+27yOg/P/9g5SgyFnfraZJ8L/nRPFRdLeK/qiZD7wt5hf1e5sWc8FQULbfuJBAtzowu4mdSAEUSdDGWwHy2+SJQ6avZRWPF7jQWAGr68ddFBFK1yoVz6Hof4QU6F6ZoiLUmAeUv1dWrjJroXsi8RWXQC+gX3UNq5Sm6Oq2fTWGJPQBx9wttvlw690bfjhZL8vSWkyVCx0slZnbsn3YOjEslMpJ5CCMn2TbH8Jt9//5s0EJpreBX1o1Z1M8UoxTHDjPxZzG9fO1HW3fjUJVlfJeujPTEp53WfQHV8Tx8OvZQPFS5mUq90e4+RqFWqMUUIAOmZhzIAyQJOnxkMOCkWn2mqGEsPTN4XowWIp9Pr0xlQdAZsPMdr2FaJWi67ifhjRz/08sYTdv1sp88VzRb/Xl7joWsfUyMK1vfhmX2sZS6ED7VJOSJxJjkIlBRyzE/8CN/8AJWTkDtLQjml9EvHZGl5WUj62sATw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha256; boundary="B_3714389558_465931765"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CY1P110MB0712.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 28ca4f83-da1d-41c0-66d3-08d976e7aab6
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Sep 2021 18:52:42.2509 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1P110MB0646
X-Proofpoint-GUID: tT2n9rxGED56UvHK_lMgSW0OL38zh3HL
X-Proofpoint-ORIG-GUID: tT2n9rxGED56UvHK_lMgSW0OL38zh3HL
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-09-13_09:2021-09-09, 2021-09-13 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 malwarescore=0 mlxlogscore=999 phishscore=0 spamscore=0 suspectscore=0 mlxscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109030001 definitions=main-2109130114
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Tts72HE0AyJf_eImh2evmcNThzM>
Subject: Re: [CFRG] Second RGLC on draft-irtf-cfrg-pairing-friendly-curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Sep 2021 18:52:55 -0000

Based on the current progress in the Quantum Computing research, I conjecture that crypto-threatening quantum computers will come to existence, possibly within a decade or two.

Following that conjecture, the useful lifetime of any product that utilizes pairings is likely to be short: after all the time spent on standardizing and refining the standard, implementing it, deploying, getting consumer market to embrace the technology - I conjecture that the actual time of "safe usage" would be at most a few years. Is it worth it? My answer is "no".

-- 
Regards,
Uri
 

On 9/13/21, 14:44, "CFRG on behalf of Yumi Sakemi" <cfrg-bounces@irtf.org on behalf of yumi.sakemi@infours.co.jp> wrote:

    Dear Rene and Watson

    I'm so sorry for my late reply.
    Thank you for your comments.
    I checked and discussed with my co-authors about comments from Rene and Watson.
    As a result, we came up with the idea that the position of our I-D
    might be different from what Rene and Watson commented on our I-D.
    Below are the stances we understand when making comments from Rene and
    Watson and the positions/stances of our I-D.

    - Rene's stance
    It is the point of view that the I-D should be for educational
    purposes regarding pairing.
    For example, the quality of the I-D is inadequate for a textbook and
    inappropriate for an IRTF draft.

    - Watson's stance
     Standardization of pairing implementation.
     For example, there is a lack of detailed explanation of the
    implementation method in the I-D.

    To be clarified by Prof. Colin and Stanislav in the 2nd RGLC, the
    stance of our activities is to make an informational RFC
    about “secure parameters of pairing-friendly curves” promoting Secure
    Pairing Cryptography on the Internet.

    Kim's attack in 2016 led to a review of the security of pairing-friendly curves
    no matter how there are still many implementations that contain
    insecure parameters.
    To solve this problem, we focus on providing an informative document
    that implementers of
    pairing-based cryptographies can refer to when selecting secure parameters.
    Therefore, it is out of our scope in our I-D that a specific document
    aimed at standardization and education of pairing algorithms.

    We would appreciate it if you could reconfirm the stance and purpose of our I-D.

    Best regards,
    Yumi


    <<FOR YOUR INFORMATION>>
    In the following, I would like to explain the background and purpose
    of our activities again for your reference.
    As shown in our I-D, there are many kinds of types and parameters for
    pairing-friendly curves, and it is difficult for implementers of
    pairing-based cryptographies to select which parameter is secure.
    For example, the parameters of pairing-friendly curves given in
    standard specifications such as ISO and TCG have not been updated
    since before Kim's attack in 2016, so implementers may refer to
    insecure and inappropriate parameters when referring to these standard
    specifications.
    To address this issue, we propose to publish RFC for secure parameters
    of pairing-friendly curves so that pairing implementors can safely
    select secure parameters.

    The proposed parameters in our I-D were selected based on the
    selection policy of "security" and "widely used" after organizing the
    security of parameters of pairing-friendly curves shown in standard
    specifications, libraries, and applications.

    On the other hand, again, we do not aim to standardize the method of
    pairing implementation.
    A pairing implementation consists of many arithmetic operations,
    including operations on finite fields, twist techniques, operations on
    elliptic curves, pairing operations, and applications of pairing.
    Since many approaches to accelerate each type of operation have been
    proposed, we don't want to limit the implementation methods in our
    I-D.
    Nevertheless, the existence of methods to improve the efficiency of
    pairing computation is useful as references, so we have made
    references to textbooks, papers, and other publications to present
    carefully selected information.
    Another way to look at it is that acceleration methods may have
    patents against them, so we avoid such risks.

    2021年9月10日(金) 7:43 Watson Ladd <watsonbladd@gmail.com>om>:
    >
    > On Fri, Aug 13, 2021 at 11:40 AM Stanislav V. Smyshlyaev
    > <smyshsv@gmail.com> wrote:
    > >
    > > Dear CFRG participants,
    > >
    > > This message starts a second RGLC on "Pairing-Friendly Curves" (draft-irtf-cfrg-pairing-friendly-curves-10), that will end on September, 8th.
    > >
    > > See https://datatracker.ietf.org/doc/draft-irtf-cfrg-pairing-friendly-curves/ for the latest version of the draft.
    > >
    > > We are having the second RGLC since Yumi Sakemi has provided (see https://mailarchive.ietf.org/arch/msg/cfrg/-1nTbbVRlkP5wV2odEYFac-jK08/) updated replies for the questions raised after the first RGLC.
    > >
    > > Please send your comments, as well as expression of support to publish as an RFC (or possible reasons for not doing so) in reply to this message or directly to CFRG chairs.
    >
    > The timing of this WGLC was a bit unfortunate for me, and I apologize
    > for my late submission.
    >
    > I think this draft has many issues. It doesn't limit the number of
    > choices, it doesn't provide enough information to implementers, it's
    > filled with extraneous information about history and applications and
    > much useful information is in the appendices. I don't think this
    > draft's publication will help authors who would like to point to a
    > reference for BLS12 and how to implement it.
    >
    > Sincerely,
    > Watson Ladd
    >
    > --
    > Astra mortemque praestare gradatim
    >
    > _______________________________________________
    > CFRG mailing list
    > CFRG@irtf.org
    > https://www.irtf.org/mailman/listinfo/cfrg



    -- 
    Yumi Sakemi, Ph. D.
     Infours Inc.

    E-Mail: yumi.sakemi@infours.co.jp

    _______________________________________________
    CFRG mailing list
    CFRG@irtf.org
    https://www.irtf.org/mailman/listinfo/cfrg