Re: [Cfrg] I-D Action: draft-yonezawa-pairing-friendly-curves-00.txt

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Fri, 15 February 2019 09:16 UTC

Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C940130F5F for <cfrg@ietfa.amsl.com>; Fri, 15 Feb 2019 01:16:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhul.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RyiZZYAG53TX for <cfrg@ietfa.amsl.com>; Fri, 15 Feb 2019 01:16:34 -0800 (PST)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130051.outbound.protection.outlook.com [40.107.13.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FDED130F28 for <cfrg@irtf.org>; Fri, 15 Feb 2019 01:16:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhul.onmicrosoft.com; s=selector1-rhul-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7T4uDinkDkxriHIsOkFDOu3RmPbQBwVksCzkr951NtM=; b=xcSYRfp2Y0sNRvUTgkdmEes1mywK9abGVlMI/Zc4Ee8aWI7trVbD/6btzsR2VlV1NNzPYvg6ETqEzivZnaEaKrs2kS4hiDQaW/za7ujKD5fP6K5TcboO/chHOhmYeYAOYvCW66Qz6ABOB3PTVvDy6CAhP0GCrj6V0Tz2W2Ttoo0=
Received: from DB7PR03MB3561.eurprd03.prod.outlook.com (52.134.98.30) by DB7PR03MB4603.eurprd03.prod.outlook.com (20.176.234.207) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1601.17; Fri, 15 Feb 2019 09:16:30 +0000
Received: from DB7PR03MB3561.eurprd03.prod.outlook.com ([fe80::7c67:ed34:18f6:6894]) by DB7PR03MB3561.eurprd03.prod.outlook.com ([fe80::7c67:ed34:18f6:6894%5]) with mapi id 15.20.1601.023; Fri, 15 Feb 2019 09:16:30 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Shoko YONEZAWA <yonezawa@lepidum.co.jp>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] I-D Action: draft-yonezawa-pairing-friendly-curves-00.txt
Thread-Index: AQHUtxmHWFuPvACV/U+ONBnWwtdTJ6XV3duAgAp2BYCAAFwyBQ==
Date: Fri, 15 Feb 2019 09:16:30 +0000
Message-ID: <E4977A89-214B-4797-B040-5170B7CD1525@rhul.ac.uk>
References: <030efaab-7a2d-8743-89a7-28fe61211cea@lepidum.co.jp> <5DC878C8-148E-4746-9C5C-0F960882194D@rhul.ac.uk>, <d9c81d0e-3332-c0a8-5c50-68ad1fb1df04@lepidum.co.jp>
In-Reply-To: <d9c81d0e-3332-c0a8-5c50-68ad1fb1df04@lepidum.co.jp>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Kenny.Paterson@rhul.ac.uk;
x-originating-ip: [85.255.235.131]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ff423c03-ce38-4c98-27ae-08d693264588
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(7168020)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(2017052603328)(7167020)(7153060)(7193020); SRVR:DB7PR03MB4603;
x-ms-traffictypediagnostic: DB7PR03MB4603:
x-ms-exchange-purlcount: 5
x-microsoft-exchange-diagnostics: =?utf-8?B?MTtEQjdQUjAzTUI0NjAzOzIzOjB1T0UyaExnRDlQQ2g0NzJmT1BobzVOQU4x?= =?utf-8?B?RHZnS3Z5T2tRRWVvWk5PUUFVSlcwUVFjYUdhazF1N0lzQnR6OW5Bb2IwTith?= =?utf-8?B?NUV3cDhqbWlrUExJMm0vT3o0SVE5OGlPUzQzaE83Y0NKeU8xYmJzNUR6blhE?= =?utf-8?B?Zkx4NWk5SDFEWEJBMUZaN3lrUVZvMVFvamxQcURodEM3T250QmtsdUUra1l6?= =?utf-8?B?NmNHWkZRcjc4YjJvNHBISWs4RWJpS1RqN2U0SmhmdUJtRU16WlBrQk8wVjd4?= =?utf-8?B?aXo3ZUlZUE85cmtNU21wNXdIZ1l4TU9ubDFSd3ZlMjZ0QzUzQ3lyaFFtSDVT?= =?utf-8?B?Y0Y2VHZvLzhCYVRIRWJiamdXdVNhSmNOcW9NbzhaRmU2RVRqSklUV1dtcXBH?= =?utf-8?B?Q1VkenNSMHUvbGtNRGpXTGxTeTd3c0owZmluaWNQdE5HVE5kbXlCdjNrejBG?= =?utf-8?B?NHBPaFBxMFo2czhWaE5zZnBOZ0JJL0t6MGdwNzh0SVBUM0FtR0ZBNU0rejlR?= =?utf-8?B?dEtOU3k4RHhwQWFsalBHSW1OMU5zT1dJTUpzbU9YSFFiL1NyNmN5MEUvZXhu?= =?utf-8?B?OVk0bHV5aEJoTkw5VHNDNlBOR0ZLUkg0TjloOENoWjgxZTg4dmRTWVpCZGQ4?= =?utf-8?B?VXB6cXRlNGplbzdIYkxsU0pzbjJOdU01VXJjRUJMOVBXZWJFOGNIMWdWajgx?= =?utf-8?B?bXV6RGRCSWJGLzNXQnVUeE5EaWtyRVFFMEpPRSt5cE9NZ2pSZG5rdDhqRjlj?= =?utf-8?B?QUtMSHhkNHRIdWpmMzY1cHhJWHh2Z2RjdER1dzJIaW1lMm0vOVFSK1NyZ0Vq?= =?utf-8?B?N1h4TUhtUHUzWGNYbWROT0FxTEdPcGhSNEp6WVJobWJTb1BnalNOeWk4elhu?= =?utf-8?B?bFk1WGRiREQwamFUcXdGRkpxUUk3VDJqZVVXeVZFZW5iRjgyQTg2MjR5aHFw?= =?utf-8?B?ZGN2Vm14THdmRzFhYU9jeUc5emhuRmRHcEZhSlVpWDVCcHFPSWpUNlJ4OUlz?= =?utf-8?B?RFJhOWRCZXdiM1lwVGNieWNtT1gwV29oRUN0TGNtNWdoOHJhZ0Z3RCtDbDRI?= =?utf-8?B?SEZnYktGNDJZc1doZnlPZTNpbEdnVzlacmFLT1I2TUJsdldQd0pmWE1NdDBW?= =?utf-8?B?dFI5QkZtQ0ZpWXF3UzJKV0wrZ1E5cHZoNW4zNU5iZnRrcWNjdlk2NnEveFhu?= =?utf-8?B?ZWg2dkRMeGx5TVRRazZQWWsvMFUzVjVQV0tUYmpjclZhWlVJa3UwNFpsYTlq?= =?utf-8?B?NnoxK3gwOS9LVVE4M2pYb21YMWZpWjU3S0w5clVwcTd5aU1VUWdwVXRMWGRo?= =?utf-8?B?aE04MmFoWU95U1RNYlphcVpQRDkvdlF4V21WNUpxdkpFbFdmNE5DdUhOeEc2?= =?utf-8?B?RFV5QlU3UWZqZEk4cWVpUE51NkpGZTBHQlhwVHAwUVV5a3hhVnNqMk9sSGJa?= =?utf-8?B?NnVNV0E0TzZtUDJSOGNpbjJSVjNpZ212K2ZDa0pUZkxHQnhBSCt4R0V1QkY0?= =?utf-8?B?SjU5QUNjQVZxNmVqdUM3OCtHYzlUTTRJZDFFSXozR3RaL2kySVZlVUIvaW50?= =?utf-8?B?SUQ1UVRiSWlOM3Q0bExyL0lIdFJmbFBYd05PcXB6enp3WHhGWWRSeWkyTkRj?= =?utf-8?B?bFI5aHJPQ3A3TFBmWUNFalBRRXFTZkU2UXdNK1djam5ZVTJkdmovc3RvR3RC?= =?utf-8?B?dmhjK294WW1yZG1xVHVNNEhBdEhqQjhMM2srWkJYdjV4ZXpubC9BdFJoK2lJ?= =?utf-8?B?bUtqTnlsaFo1YmRlYTlqemZwSDljOW5JL3ZPWG12blAzQWNWVnd5RXVEU0xp?= =?utf-8?B?enZYcm1adW1US092RjBVdHYxc0xFVGtaYTJFZm56OGo0Q2M2eVoyZmxWN3BG?= =?utf-8?Q?qLd2KeIuN9mjEwCUHb7753uYsvNbuP9K?=
x-microsoft-antispam-prvs: <DB7PR03MB46032AC1BF6581CCEC5B7729BC600@DB7PR03MB4603.eurprd03.prod.outlook.com>
x-forefront-prvs: 09497C15EB
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(376002)(136003)(396003)(366004)(346002)(199004)(189003)(13464003)(102836004)(105586002)(6306002)(106356001)(68736007)(6512007)(3846002)(6116002)(99286004)(97736004)(6916009)(71200400001)(33656002)(786003)(25786009)(55236004)(83716004)(6506007)(53936002)(53546011)(76176011)(316002)(82746002)(86362001)(486006)(14444005)(6246003)(256004)(4326008)(72206003)(14454004)(74482002)(966005)(413944005)(6486002)(66066001)(476003)(446003)(81156014)(8936002)(71190400001)(6436002)(11346002)(229853002)(2906002)(36756003)(478600001)(66574012)(305945005)(8676002)(26005)(81166006)(2616005)(7736002)(186003); DIR:OUT; SFP:1101; SCL:1; SRVR:DB7PR03MB4603; H:DB7PR03MB3561.eurprd03.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: rhul.ac.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 8tJhJNwkSYpZRHMAgX88VRF5yIeaQ7MLSjEmKKvNRbeUlwnuEXgFZGqiFzOTy09rwiJnObrgI1UwQ4cPteNpPLo9MjgKTn1rKLgmJVdObd6rPd2BDZnCe679GkC7yWIWj2ttwMZ3vM18gJ9cpFMU7Xktpk9vn65Kzl0kjXgkJMptL48AHVpooYMH9P9MpUnM1C1pC+oGwGt0YcMFs9V/gDhdNEUwQ2axiggMQH9ZNsHnPF/fr0teWnppSFUfV4v7Q9yRazUZOxa3UQBnoIXWRNpo1+d/yCSGKW1zGQYM/Ag25kfYIH1rb2VYq06fa85PRR2YJkDuLuzqiE9YAq/uSOwJIbU5iGbfws96nRYbAPJqfEeBYOu++UpOUd+hba3i3ZlQ6OuNzrRf3upqeqCLyDTjQn7uXxdPovk2JU/FTDA=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: ff423c03-ce38-4c98-27ae-08d693264588
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Feb 2019 09:16:30.3334 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2efd699a-1922-4e69-b601-108008d28a2e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR03MB4603
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/b7YVWKV0q7ZwnKZQRjKZB_SG-NY>
Subject: Re: [Cfrg] I-D Action: draft-yonezawa-pairing-friendly-curves-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 09:16:38 -0000

Dear Shoko,

> On 15 Feb 2019, at 03:46, Shoko YONEZAWA <yonezawa@lepidum.co.jp> wrote:
> 
> Dear Kenny,
> 
> Thank you very much for your comments on our draft.

[...]

> We are going to describe pseudo-code of pairing computation (optimal Ate pairing, specifically) for both BN curves and BLS curves
> so that readers can imagine the implementation of pairing computation.
> This will appear in Appendix.
> I will post the description after we complete it.

Excellent. 

> Your comments are really appreciated.
> 
> > Relatedly, then, it would be useful to include test vectors for this "reference implementation".
> 
> We are going to include test vectors as well as curve parameters (size, order, generator, cofactor etc.) in the next version.
> One thing we are worrying is how to represent an element of an extension field (G2 and GT) in String.
> We will try to find the suitable representation by referring other examples and hearing the opinions from users of these curves.

There are people on this list who have lots of experience of this kind of thing and I'm sure they'll jump in to help out. 

Cheers,

Kenny

> Best regards,
> Shoko
> 
>> On 2019/02/08 21:01, Paterson, Kenny wrote:
>> Dear Shoko,
>> Thanks for preparing this draft. I think it could be very useful for CFRG to specify some pairing-friendly curves that reflect recent advances in cryptanalysis. We expect additional drafts making use of such curves to come before CFRG for consideration in the near future.
>> One question I had at this stage: would it be feasible to include a short, self-contained description in pseudo-code of how to compute a pairing on these curves? I know this may be asking for quite a lot, especially as there are different pairings available, and many implementation optimisations can be made. However, perhaps a simple and not necessarily super-optimised description could be given? This would enable people starting from scratch with a suitable curve library to at least obtain a working implementation for themselves (which would of course be rather slow). Relatedly, then, it would be useful to include test vectors for this "reference implementation".
>> Best wishes,
>> Kenny
>> -----Original Message-----
>> From: Cfrg <cfrg-bounces@irtf.org> on behalf of Shoko YONEZAWA <yonezawa@lepidum.co.jp>
>> Date: Monday, 28 January 2019 at 14:55
>> To: "cfrg@irtf.org" <cfrg@irtf.org>
>> Subject: [Cfrg] I-D Action: draft-yonezawa-pairing-friendly-curves-00.txt
>>     Hi there,
>>          we have submitted an Internet-Draft about pairing-friendly curves.
>>     This is a revision of draft-kato-threat-pairing
>>     (https://datatracker.ietf.org/doc/draft-kato-threat-pairing/).
>>          Our I-D introduces pairing-friendly curves used for constructing
>>     highly-functional crypto-based protocols.
>>     We describe secure parameters for pairing-frinedly curves
>>     reflecting the recent result on the remarkable attack
>>     by Kim and Barbulescu.
>>          I would be grateful if you are interested in our draft
>>     and kindly read it. Your comments are welcome.
>>          Thank you,
>>     Shoko YONEZAWA
>>          ---
>>     A New Internet-Draft is available from the on-line Internet-Drafts
>>     directories.
>>                        Title           : Pairing-Friendly Curves
>>              Authors         : Shoko Yonezawa
>>                                Sakae Chikara
>>                                Tetsutaro Kobayashi
>>                                Tsunekazu Saito
>>         Filename        : draft-yonezawa-pairing-friendly-curves-00.txt
>>         Pages           : 17
>>         Date            : 2019-01-27
>>          Abstract:
>>         This memo introduces pairing-friendly curves used for constructing
>>         pairing-based cryptography.  It describes recommended parameters for
>>         each security level and recent implementations of pairing-friendly
>>         curves.
>>               The IETF datatracker status page for this draft is:
>>     https://datatracker.ietf.org/doc/draft-yonezawa-pairing-friendly-curves/
>>          There are also htmlized versions available at:
>>     https://tools.ietf.org/html/draft-yonezawa-pairing-friendly-curves-00
>>     https://datatracker.ietf.org/doc/html/draft-yonezawa-pairing-friendly-curves-00
>>               Please note that it may take a couple of minutes from the time of submission
>>     until the htmlized version and diff are available at tools.ietf.org.
>>          Internet-Drafts are also available by anonymous FTP at:
>>     ftp://ftp.ietf.org/internet-drafts/
>>          _______________________________________________
>>     Cfrg mailing list
>>     Cfrg@irtf.org
>>     https://www.irtf.org/mailman/listinfo/cfrg
>>     
> 
> -- 
> Shoko YONEZAWA
> Lepidum Co. Ltd.
> yonezawa@lepidum.co.jp
> TEL: +81-3-6276-5103