IETF Logo Mail Archive

[Cfrg] (offline) Re: Call for adoption: draft-yonezawa-pairing-friendly-curves

Rene Struik <rstruik.ext@gmail.com> Thu, 19 September 2019 14:09 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D41E9120090 for <cfrg@ietfa.amsl.com>; Thu, 19 Sep 2019 07:09:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hNQSwZ9gyDae for <cfrg@ietfa.amsl.com>; Thu, 19 Sep 2019 07:09:19 -0700 (PDT)
Received: from mail-io1-xd41.google.com (mail-io1-xd41.google.com [IPv6:2607:f8b0:4864:20::d41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 386EB120108 for <cfrg@ietf.org>; Thu, 19 Sep 2019 07:09:19 -0700 (PDT)
Received: by mail-io1-xd41.google.com with SMTP id q1so8083476ion.1 for <cfrg@ietf.org>; Thu, 19 Sep 2019 07:09:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=LAGYzDtrrQGGrJiRK1TpZi4cEY+BCM+nzVBketv1vw0=; b=qgECTG2C62Lg4Ru2X0wSss9Yy5lW2jy8gjgdv5+Y0WfahJci2bZXS/0trHYjdFxMsy L9DZbFDjLsK7bTUXAc00OFCx73ulkRQ643JBfaAyXCgw62ig8rt41daCM52tpurndJ4U DSsNOl0ZOGdnxziaJjxJN9dJg1+jgKA+P+k6WJvH6OjgU0rHThjGI7kxFFs4X2terdF4 4LJ9ZEpykssyhoyXpp5Zv18lxmLkoYGoa671liFIAOEMr409RDraBWMit5fnaT6mEth/ PHRJBUUJvWveRk1pB2cCSniEYg6/AW5hWtgMquT0FHdTciuPBoVIVNzGC4w+RXL2W+z0 mnyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=LAGYzDtrrQGGrJiRK1TpZi4cEY+BCM+nzVBketv1vw0=; b=TWcQXaAyYdW65e00iceGVAPe4+I4fmEBZB5KqK4VfQyKw+iHrQIKNlC+wNWjR7Q9Kh NR9BQKOIDafLANnhDrcMRXzGN8FInmEtfjqYNT3VIj4I4ROx2icbXX2o38Ht7ZYNcMSG hRvbQuFfD5mE1/iI4BkXjoQK31uwELQR6VA8Cyu/hsntwq2lR108DQUiPDwFiDYyUmd4 z8VzoPVKi9f0I/IFv7yWdmcj3G9S8Hwnq+EvrEU1fzppRPckzvOXke7mp8aFxs9Wni2T VMg58jdKFUM0pdEdYL4322axeynCL3VtuApXv/ewrOzG8JrMDcYmWzBj5yA7okmblgS+ uV4A==
X-Gm-Message-State: APjAAAXKb9LS/GBjKcxO6l7y7PsaObDWGPk8Y4w/tmv5ebgc182CDaCG TPC74hk+GicH1hRKP7ozbroW5drT
X-Google-Smtp-Source: APXvYqxRTAh6D4mGlLu81fJX7oJNuJBmU6stLjaX5wawaH9PQW2bsyAXzr2sw/TiZ5QrHAl0l5vaTw==
X-Received: by 2002:a6b:5f11:: with SMTP id t17mr12359804iob.169.1568902158304; Thu, 19 Sep 2019 07:09:18 -0700 (PDT)
Received: from ?IPv6:2607:fea8:69f:f5eb:fc5f:12b:d173:619a? ([2607:fea8:69f:f5eb:fc5f:12b:d173:619a]) by smtp.gmail.com with ESMTPSA id h70sm14899636iof.48.2019.09.19.07.09.17 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 19 Sep 2019 07:09:17 -0700 (PDT)
To: SAITO Tsunekazu <tsunekazu.saito.hg@hco.ntt.co.jp>, cfrg@ietf.org
References: <2E880A9A-78D2-4CE0-9C73-57AA73582D2D@inf.ethz.ch> <627acfce-29a9-753e-6cbb-24dd142df560@gmail.com> <000701d56ed8$fdd2a750$f977f5f0$@hco.ntt.co.jp_1>
From: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <027b114f-68f5-6cd5-cc85-0ddae3f3a72e@gmail.com>
Date: Thu, 19 Sep 2019 10:09:15 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <000701d56ed8$fdd2a750$f977f5f0$@hco.ntt.co.jp_1>
Content-Type: multipart/alternative; boundary="------------A3B117B0A8D8EDE63C4E9099"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/VI1aDb14oCxI3hW2JLpvswI5eJQ>
Subject: [Cfrg] (offline) Re: Call for adoption: draft-yonezawa-pairing-friendly-curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Sep 2019 14:09:24 -0000

Hi Saito:

Indeed, there are trade-offs with the various data conversion methods. 
In my curve draft (Annex J.4 [1]) I used method B, as does the SIKE PQC 
submission to NIST's post-quantum contest. My choice mostly motivated by 
desire for consistency (so that others could simply cross-reference 
this) and extreme ease in processing (and can be easily implemented 
securely).

Best regards, Rene

Ref:
[1]https://tools.ietf.org/html/draft-ietf-lwig-curve-representations-08#page-53
[2] Supersingular Isogeny-Based DH - SIDH-spec (David Jao et al, NIST 
PQC Project, November 30, 2017)


On 9/19/2019 6:57 AM, SAITO Tsunekazu wrote:
> Dear Rene
>
> This is SAITO Tsunekazu. I am the co-author of draft-yonezawa.
>
> Thank you for your comments about data conversion in Section 2.5.
> We will be careful to correct the typo etc. in the next draft.
>
> (1) Description of Data Conversion
> Riad also asked us if we need to describe data conversion.
> At that time, Shoko responded that we were considering just a mathematical parameter range as the draft range.
> Certainly, if it is necessary to describe the data conversion for implementation, we can describe it separately in the appendix as follows.
> https://info.isl.ntt.co.jp/crypt/psec/dl/iso/psec-kem_v2.2_20080414e.pdf
>
> (2) Data Conversion Between Extension Field Element and Octet String.
> There are two main methods for this conversion as you said.
>
> (A) a method to assign the characteristic to an indeterminate.
> For extension field element as polynomial x = s_0 + s_1 * u + ... + s_{n-1} *u^{n-1}, one assign the prime and compute an integer
> int(x) = s_0 + s_1 * p + ... + s_{n-1} *p^{n-1}.
> Then we convert to octet string.
>
> Advantages of this method are
> * Adopted by other standards like IEEE and ANSI to ensure consistency.
> * You only need to check if the element of the finite field is correct when converted to an integer.
>
> (B) a method of concatenation of each coefficient.
> For extension field element as polynomial x = s_0 + s_1 * u + ... + s_{n-1} *u^{n-1}, one concatenate each coefficient s_i oct (x) = s_0 ||s_1|| ... ||s_{n-1}.
>
> Advantages of this method are
> * Fast implementation.
> * Easy to implement.
>
> We understand that there are good points to either method, so we briefly described the conversion method of (A) according to different standards and historical backgrounds.
>
> Best Regards,
> SAITO Tsunekazu
>
> -----Original Message-----
> From: Rene Struik <rstruik.ext@gmail.com>
> Sent: Friday, September 6, 2019 10:52 PM
> To: Paterson Kenneth <kenny.paterson@inf.ethz.ch>; cfrg@ietf.org
> Cc: draft-yonezawa-pairing-friendly-curves.authors@ietf.org; cfrg-chairs@ietf.org
> Subject: Re: [Cfrg] Call for adoption: draft-yonezawa-pairing-friendly-curves
>
> Dear colleagues:
>
> I am neutral with respect to adoption of this draft.
>
> I do have an organizational remark regarding CFRG work items, though: if this draft is adopted by the CFRG as a working group document, I would suggest moving the description of the curves isogenous to BLS-12-381 as described in Appendix C of draft-irtf-cfrg-hash-to-curve-04 to the pairing curve document, so as to keep the curve mapping document clean and keep all core pairing-related stuff in one document.
>
> Section 2.5:
> a) s = s_0 + s_1 * p + ... + s_{d - 1} * i^{d - 1} should read s = s_0 +
> s_1 * i + ... + s_{d - 1} * i^{d - 1}, since it is a polynomial in indeterminate i.
> b) Is there a a reason to represent this as s = s_0 + s_1 * p + ... + s_{d - 1} * p^{d - 1}, in lowest-coefficient-first order, rather than in highest-coefficient-first order? Why not represent this as right-concatenation of the representation of the polynomial coefficients s_0, ..., s_{d-1} in GF(p) instead, so each of these can be easily extracted individually?
> c) The IEEE 1363a-2004 specification referenced is not publicly available (well, without paying ~ $100).
>
> Best regards, Rene
>
> On 9/6/2019 7:36 AM, Paterson Kenneth wrote:
>> Dear CFRG,
>>
>> This email commences a 2-week call for adoption for draft-yonezawa-pairing-friendly-curves:
>>
>> https://datatracker.ietf.org/doc/draft-yonezawa-pairing-friendly-curve
>> s/
>>
>> Please give your views on whether this document should be adopted as a CFRG draft, and if so, whether you'd be willing to help work on it/review it.
>>
>> Thanks,
>>
>> Kenny (for the chairs)
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>
> --
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

v2.23.0 | Report a Bug | By Email