IETF Logo Mail Archive

Re: [Cfrg] (offline) Re: Call for adoption: draft-yonezawa-pairing-friendly-curves

SAITO Tsunekazu <tsunekazu.saito.hg@hco.ntt.co.jp> Fri, 20 September 2019 07:30 UTC

Return-Path: <tsunekazu.saito.hg@hco.ntt.co.jp>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6385E1200DF for <cfrg@ietfa.amsl.com>; Fri, 20 Sep 2019 00:30:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gfCdCwnPJ5wU for <cfrg@ietfa.amsl.com>; Fri, 20 Sep 2019 00:30:32 -0700 (PDT)
Received: from dish-sg.nttdocomo.co.jp (dish-sg.nttdocomo.co.jp [202.19.227.74]) by ietfa.amsl.com (Postfix) with ESMTP id 3D0E61200CE for <cfrg@ietf.org>; Fri, 20 Sep 2019 00:30:32 -0700 (PDT)
X-dD-Source: Outbound
Received: from zssg-mailmd105.ddreams.local (zssg-mailmd900.ddreams.local [10.160.172.63]) by zssg-mailou104.ddreams.local (Postfix) with ESMTP id B28901200FE; Fri, 20 Sep 2019 16:30:31 +0900 (JST)
Received: from zssg-mailcc302.ddreams.local (zssg-mailcc302.ddreams.local [10.160.162.153]) by zssg-mailmd105.ddreams.local (dDREAMS) with ESMTP id <0PY4016R8CUV2P70@dDREAMS>; Fri, 20 Sep 2019 16:30:31 +0900 (JST)
Received: from zssg-mailcc302 (localhost [127.0.0.1]) by zssg-mailcc302.ddreams.local (unknown) with SMTP id x8K7UV9k065245; Fri, 20 Sep 2019 16:30:31 +0900
Received: from zssg-mailmf106.ddreams.local (unknown [127.0.0.1]) by zssg-mailmf106.ddreams.local (Postfix) with ESMTP id 289607E6034; Fri, 20 Sep 2019 16:30:23 +0900 (JST)
Received: from zssg-mailmf106.ddreams.local (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 271AC8E6063; Fri, 20 Sep 2019 16:30:23 +0900 (JST)
Received: from localhost (unknown [127.0.0.1]) by IMSVA (Postfix) with SMTP id 253C98E6055; Fri, 20 Sep 2019 16:30:23 +0900 (JST)
X-IMSS-HAND-OFF-DIRECTIVE: localhost:10026
Received: from zssg-mailmf106.ddreams.local (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 94CF78E6063; Fri, 20 Sep 2019 16:30:22 +0900 (JST)
Received: from zssg-mailua104.ddreams.local (unknown [10.160.172.62]) by zssg-mailmf106.ddreams.local (Postfix) with ESMTP; Fri, 20 Sep 2019 16:30:22 +0900 (JST)
Received: from rcR9101293 (unknown [10.171.96.154]) by zssg-mailua104.ddreams.local (dDREAMS) with ESMTPA id <0PY40164ICUHNC50@dDREAMS>; Fri, 20 Sep 2019 16:30:17 +0900 (JST)
From: SAITO Tsunekazu <tsunekazu.saito.hg@hco.ntt.co.jp>
References: <2E880A9A-78D2-4CE0-9C73-57AA73582D2D@inf.ethz.ch> <627acfce-29a9-753e-6cbb-24dd142df560@gmail.com> <000701d56ed8$fdd2a750$f977f5f0$@hco.ntt.co.jp_1> <027b114f-68f5-6cd5-cc85-0ddae3f3a72e@gmail.com>
In-reply-to: <027b114f-68f5-6cd5-cc85-0ddae3f3a72e@gmail.com>
Date: Fri, 20 Sep 2019 16:30:16 +0900
Message-id: <000001d56f85$3ff482a0$bfdd87e0$@hco.ntt.co.jp_1>
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-index: AQGAnI2JCM2pBVcutDJL+ChfC5VzZAIw6xpMAqASu+sB8u0Eo6ensD0Q
Content-language: ja
X-TM-AS-GCONF: 00
To: 'Rene Struik' <rstruik.ext@gmail.com>, cfrg@ietf.org
X-CC-Mail-RelayStamp: CC/Mail Relayed
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/bhID5H9CXe-kSg-gczHCbo0W71o>
Subject: Re: [Cfrg] (offline) Re: Call for adoption: draft-yonezawa-pairing-friendly-curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2019 07:30:35 -0000

Dear Rene 

Thank you for the information about your draft.
We also know that the BLS signature implementation uses concatenation.

Like these implementations of conversion by concatenation, 
this draft should be adapted to the method of concatenation. 
We will change to Method B.

Moreover, now there are two conversion methods of extension field element.
Thus we will add a remark  so that implementer will not make a mistake.

Best Regards,
Tsunekazu

From: Rene Struik <rstruik.ext@gmail.com> 
Sent: Thursday, September 19, 2019 11:09 PM
To: SAITO Tsunekazu <tsunekazu.saito.hg@hco.ntt.co.jp>; cfrg@ietf.org
Subject: (offline) Re: [Cfrg] Call for adoption: draft-yonezawa-pairing-friendly-curves

Hi Saito:

Indeed, there are trade-offs with the various data conversion methods. In my curve draft (Annex J.4 [1]) I used method B, as does the SIKE PQC submission to NIST's post-quantum contest. My choice mostly motivated by desire for consistency (so that others could simply cross-reference this) and extreme ease in processing (and can be easily implemented securely). 

Best regards, Rene

Ref: 
[1]https://tools.ietf.org/html/draft-ietf-lwig-curve-representations-08#page-53
[2] Supersingular Isogeny-Based DH - SIDH-spec (David Jao et al, NIST PQC Project, November 30, 2017)


On 9/19/2019 6:57 AM, SAITO Tsunekazu wrote:
Dear Rene

This is SAITO Tsunekazu. I am the co-author of draft-yonezawa.

Thank you for your comments about data conversion in Section 2.5.
We will be careful to correct the typo etc. in the next draft. 

(1) Description of Data Conversion
Riad also asked us if we need to describe data conversion.
At that time, Shoko responded that we were considering just a mathematical parameter range as the draft range.
Certainly, if it is necessary to describe the data conversion for implementation, we can describe it separately in the appendix as follows.
https://info.isl.ntt.co.jp/crypt/psec/dl/iso/psec-kem_v2.2_20080414e.pdf

(2) Data Conversion Between Extension Field Element and Octet String.
There are two main methods for this conversion as you said.

(A) a method to assign the characteristic to an indeterminate.
For extension field element as polynomial x = s_0 + s_1 * u + ... + s_{n-1} *u^{n-1}, one assign the prime and compute an integer
int(x) = s_0 + s_1 * p + ... + s_{n-1} *p^{n-1}.
Then we convert to octet string. 

Advantages of this method are
* Adopted by other standards like IEEE and ANSI to ensure consistency.
* You only need to check if the element of the finite field is correct when converted to an integer.

(B) a method of concatenation of each coefficient.
For extension field element as polynomial x = s_0 + s_1 * u + ... + s_{n-1} *u^{n-1}, one concatenate each coefficient s_i oct (x) = s_0 ||s_1|| ... ||s_{n-1}. 

Advantages of this method are
* Fast implementation.
* Easy to implement. 

We understand that there are good points to either method, so we briefly described the conversion method of (A) according to different standards and historical backgrounds. 

Best Regards,
SAITO Tsunekazu

-----Original Message-----
From: Rene Struik mailto:rstruik.ext@gmail.com 
Sent: Friday, September 6, 2019 10:52 PM
To: Paterson Kenneth mailto:kenny.paterson@inf.ethz.ch; mailto:cfrg@ietf.org
Cc: mailto:draft-yonezawa-pairing-friendly-curves.authors@ietf.org; mailto:cfrg-chairs@ietf.org
Subject: Re: [Cfrg] Call for adoption: draft-yonezawa-pairing-friendly-curves

Dear colleagues:

I am neutral with respect to adoption of this draft.

I do have an organizational remark regarding CFRG work items, though: if this draft is adopted by the CFRG as a working group document, I would suggest moving the description of the curves isogenous to BLS-12-381 as described in Appendix C of draft-irtf-cfrg-hash-to-curve-04 to the pairing curve document, so as to keep the curve mapping document clean and keep all core pairing-related stuff in one document.

Section 2.5:
a) s = s_0 + s_1 * p + ... + s_{d - 1} * i^{d - 1} should read s = s_0 +
s_1 * i + ... + s_{d - 1} * i^{d - 1}, since it is a polynomial in indeterminate i.
b) Is there a a reason to represent this as s = s_0 + s_1 * p + ... + s_{d - 1} * p^{d - 1}, in lowest-coefficient-first order, rather than in highest-coefficient-first order? Why not represent this as right-concatenation of the representation of the polynomial coefficients s_0, ..., s_{d-1} in GF(p) instead, so each of these can be easily extracted individually?
c) The IEEE 1363a-2004 specification referenced is not publicly available (well, without paying ~ $100).

Best regards, Rene

On 9/6/2019 7:36 AM, Paterson Kenneth wrote:
Dear CFRG,

This email commences a 2-week call for adoption for draft-yonezawa-pairing-friendly-curves:

https://datatracker.ietf.org/doc/draft-yonezawa-pairing-friendly-curve
s/

Please give your views on whether this document should be adopted as a CFRG draft, and if so, whether you'd be willing to help work on it/review it.

Thanks,

Kenny (for the chairs)

_______________________________________________
Cfrg mailing list
mailto:Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg


--
email: mailto:rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363


_______________________________________________
Cfrg mailing list
mailto:Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg

-- 
email: mailto:rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

v2.23.0 | Report a Bug | By Email