Re: [Cfrg] I-D Action: draft-kasamatsu-bncurves-00.txt

Michael Hamburg <mike@shiftleft.org> Thu, 23 January 2014 00:46 UTC

Date: Wed, 22 Jan 2014 16:46:38 -0800
To: Kohei Kasamatsu <kasamatsu.kohei@po.ntts.co.jp>
Cc: kobayashi.tetsutaro@lab.ntt.co.jp, kawahara.yuto@lab.ntt.co.jp, cfrg@irtf.org

Hello Kohei and company,

It’s cool to see pairing-friendly curves specced.  I’ve always found the applications of these curves fascinating, so progress toward deploying them is very nice to see.

But isn’t 512 bits rather large for a BN curve?  If you’re going to have a curve that large, it seems to me that you’d want an embedding degree of at least 18 even though it costs you a giant cofactor.  A curve with a 512-bit prime and a 384-bit subgroup might get you to the 192-bit security level.  This would take a 640-bit BN curve at minimum, with 720 a more conservative guess.

Source: Freeman 2006, http://eprint.iacr.org/2006/372.pdf.  My knowledge on this subject is dated, so I’m sure you know better...

Cheers,
— Mike Hamburg

On Jan 22, 2014, at 4:04 PM, Kohei Kasamatsu <kasamatsu.kohei@po.ntts.co.jp> wrote:

> Hi cfrg folks,
> 
> 
> Elliptic curves with a special map called a pairing allow cryptographic
> primitives to achieve functions or efficiency which cannot be realized
> by conventional mathematical tools. For example, ZSS signature is one of
> these primitives.
> 
> We have recently submitted an I-D on Barreto-Naehrig curves (BN-curves)
> which provide efficient operations of a pairing.
> The I-D specifies parameters of BN-curves which are particularly useful
> for realization of efficient cryptographic schemes based on pairing and parameters of BN-curves which are compliant with ISO/IEC 15946-5.
> 
> We will propose I-Ds on computation of pairing and pairing-based primitives in order to contribute to the IETF community in the near future.
> 
> We would appreciate your comments and suggestions on our I-D and works.
> 
> Best,
> Kohei KASAMATSU
> -------- Original Message --------
> Subject: I-D Action: draft-kasamatsu-bncurves-00.txt
> Date: Thu, 09 Jan 2014 21:13:03 -0800
> From: internet-drafts@ietf.org
> Reply-To: internet-drafts@ietf.org
> To: i-d-announce@ietf.org
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> 
> 
>        Title           : Barreto-Naehrig Curves
>        Authors         : Kohei Kasamatsu
>                          Satoru Kanno
>                          Tetsutaro Kobayashi
>                          Yuto Kawahara
>        Filename        : draft-kasamatsu-bncurves-00.txt
>        Pages           : 15
>        Date            : 2014-01-09
> 
> Abstract:
>   Elliptic curves with pairing are useful tools for constructing
>   cryptographic primitives.  In this memo, we specify domain parameters
>   of Barreto-Naehrig curve (BN-curve) [5].  The BN-curve is an elliptic
>   curve suitable for pairings and allows us to achieve high security
>   and efficiency of cryptographic schemes.  This memo specifies domain
>   parameters of two 254-bit BN-curves [1] [2] which allow us to obtain
>   efficient implementations and domain parameters of 224, 256, 384, and
>   512-bit BN-curves which are compliant with ISO/IEC 15946-5[3].
>   Furthermore, this memo organizes differences between types of
>   elliptic curves specified in ISO document and often used in open
>   source softwares, which are called M-type and D-type
>   respectively[21].
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-kasamatsu-bncurves/
> 
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-kasamatsu-bncurves-00
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
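
Added example, not part of the original message or of the draft: a short calculation of the size argument in the reply above, taking a pairing curve's security as the weaker of its prime-order subgroup (half the bits of r) and the finite field F_{p^k} that the pairing maps into. It assumes the generic finite-field equivalences of NIST SP 800-57 and, for BN curves, k = 12 with r about as large as p; those equivalences do not account for number-field-sieve variants specialised to extension fields, so the levels are upper bounds. All function names are hypothetical.

```python
import math

# Assumption: NIST SP 800-57 comparable strengths
# (security level in bits -> finite-field modulus size in bits).
FFDLP_BITS = {80: 1024, 112: 2048, 128: 3072, 192: 7680, 256: 15360}


def field_level(ext_bits):
    """Highest tabulated level whose field size is <= ext_bits (0 if none)."""
    return max((lvl for lvl, bits in FFDLP_BITS.items() if bits <= ext_bits),
               default=0)


def subgroup_level(r_bits):
    """Generic square-root (Pollard rho) bound on the order-r subgroup."""
    return r_bits // 2


def pairing_level(p_bits, r_bits, k):
    """Weaker of the curve subgroup and the extension field F_{p^k}."""
    return min(subgroup_level(r_bits), field_level(k * p_bits))


def min_bn_prime_bits(target):
    """Smallest BN prime size (k = 12, r ~ p) reaching a tabulated level."""
    return max(2 * target, math.ceil(FFDLP_BITS[target] / 12))


def report():
    # BN sizes are the ones listed in the draft abstract; the last row is
    # the k = 18 alternative from the reply (512-bit p, 384-bit subgroup).
    rows = [(f"BN-{b}", b, b, 12) for b in (224, 254, 256, 384, 512)]
    rows.append(("k=18, 512-bit p", 512, 384, 18))
    return {name: pairing_level(p, r, k) for name, p, r, k in rows}


if __name__ == "__main__":
    for name, lvl in report().items():
        print(f"{name:18s} reaches the {lvl}-bit level")
    print("minimum BN prime for 192-bit:", min_bn_prime_bits(192), "bits")
```

Under these assumptions the 512-bit BN curve is held at the 128-bit tabulated level by its 6144-bit extension field, while the 192-bit level needs a BN prime of at least 640 bits or a higher embedding degree.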