Re: [Cfrg] Call for adoption: draft-yonezawa-pairing-friendly-curves

Chloe Martindale <chloemartindale@gmail.com> Sat, 07 September 2019 17:17 UTC

From: Chloe Martindale <chloemartindale@gmail.com>
Date: Sat, 07 Sep 2019 19:17:13 +0200
Message-ID: <CAL+7JtRaPftLz+vgSxnfxhS2a=O01EXrs=ftLXFPARxBqBbeDA@mail.gmail.com>
To: cfrg@ietf.org
Cc: draft-yonezawa-pairing-friendly-curves.authors@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/eAn3_8XpcG4R2VFhDtE_pomPo2Q>

Dear CFRG,

I'm joining this list rather late, sorry for that. I would also like to
suggest a couple of changes and additions to the draft.

1. Currently the draft focusses on the security of currently-in-use
implementations and the smallest alterations possible to achieve 128-bit
(resp. 256-bit) security. On this I have one small comment: The security
levels of BN462 and BLS12-381 have been refined since [BD18], they are now
understood to be 134-bit and 126-bit secure respectively, see [GMT19].

2. I think it would be beneficial to name the safest known choice for
128-bit security. I would argue that BN462 is not really a 'conservative
choice' since further improvements on the NFS attacks are still quite
likely and could definitely weaken this to below 128 bits of security. I
would instead recommend the k=8 Cocks-Pinch curve of [GMT19] as a
conservative choice, since the NFS attacks do not apply to this curve. It
is also considerably more efficient than BN462 (but of course has the
disadvantage that it is not already implemented in industry). An
alternative (I guess slightly slower but still practical?!) recommendation
could be the Cocks-Pinch curve SW6 mentioned by Kobi as something already
in use in the wild?

3. I think it would be good to give some indication of performance
differences between the recommendations, for example by referring to the
tables of [GMT19]. If you want to give the most efficient choice to date
(theoretically), there are the Family 17 curves of [FM19]. Of course if you
allow slightly less than 128 bits of security you can also take BLS12-381,
or an equivalent choice in the family of [FM19], which one would expect to
be faster than BLS12-381 by a factor of about 15%. Having not yet had any
industry-level implementations, it might be too soon to really recommend
these curves, but it is probably good to mention that the recommendations
in this document (so BLS, BN, and Cocks-Pinch) are definitely not the most
efficient choices out there.

4. Regarding 192-bit secure curves. There are two recommendations in
[FM19], so perhaps these can go in the currently empty section of the draft.

I would in principle be happy to work on the draft myself in order to
incorporate these things.

[GMT19] https://eprint.iacr.org/2019/431.pdf
[FM19] https://eprint.iacr.org/2019/555.pdf


Chloe Martindale
Eindhoven University of Technology
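
Added example (not part of the message above, nor code from the draft or its authors): a small script that reconstructs BN462 and BLS12-381 from their seed parameters and checks the quantities that go into a security estimate for a pairing-friendly curve. It confirms field and group sizes and the embedding degree k, then reports the generic Pollard-rho bound (about log2(r)/2 bits) and the size k*log2(p) of the extension field F_{p^k} that the NFS variants attack. It does not estimate the NFS cost itself; the 134-bit and 126-bit figures quoted above come from that analysis in [GMT19], not from anything computed here. The seeds are assumed from the published specifications (BN462 as in the draft under discussion, BLS12-381 as standardised elsewhere); the email quotes neither.

```python
import random

# Seeds, assumed from the published specifications (not given in the email).
BN462_U = 2**114 + 2**101 - 2**14 - 1
BLS12_381_X = -0xD201000000010000
# Published BLS12-381 field characteristic, kept only as a cross-check.
BLS12_381_P = 0x1A0111EA397FE69A4B1BA7B6434BACD764774B84F38512BF6730D2A0F6B0F6241EABFFFEB153FFFFB9FEFFFFFFFFAAAB


def is_probable_prime(n, rounds=40, seed=1):
    """Miller-Rabin with a fixed-seed PRNG so runs are reproducible."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def bn_params(u):
    """BN family: returns (p, r, t) where r = p + 1 - t is the prime group order."""
    p = 36 * u**4 + 36 * u**3 + 24 * u**2 + 6 * u + 1
    r = 36 * u**4 + 36 * u**3 + 18 * u**2 + 6 * u + 1
    t = 6 * u**2 + 1
    return p, r, t


def bls12_params(x):
    """BLS12 family: returns (p, r, t); r divides p + 1 - t with cofactor (x-1)^2/3."""
    r = x**4 - x**2 + 1
    p = ((x - 1) ** 2 * r) // 3 + x   # exact: BLS12 seeds satisfy x = 1 mod 3
    t = x + 1
    return p, r, t


def embedding_degree(p, r, max_k=64):
    """Smallest k with r | p^k - 1, i.e. the extension field the pairing maps into."""
    for k in range(1, max_k + 1):
        if pow(p, k, r) == 1:
            return k
    raise ValueError("embedding degree exceeds max_k")


def summarize(name, p, r, t):
    """Collect the parameters that enter a security estimate for (p, r, k)."""
    k = embedding_degree(p, r)
    assert (p + 1 - t) % r == 0, "r must divide the curve order p + 1 - t"
    return {
        "curve": name,
        "p_bits": p.bit_length(),
        "r_bits": r.bit_length(),
        "k": k,
        "p_prime": is_probable_prime(p),
        "r_prime": is_probable_prime(r),
        # Pollard rho in the r-torsion group costs about sqrt(r) operations.
        "generic_bits": r.bit_length() // 2,
        # Size of F_{p^k}: the input to the NFS cost estimates in [GMT19].
        "ext_field_bits": k * p.bit_length(),
    }


def all_summaries():
    return [
        summarize("BN462", *bn_params(BN462_U)),
        summarize("BLS12-381", *bls12_params(BLS12_381_X)),
    ]


if __name__ == "__main__":
    for s in all_summaries():
        print(s)
```

Running it shows the asymmetry the message is pointing at: BN462 has a 462-bit r (a generic bound far above 128 bits) but a 5544-bit target field for NFS, so its security level is set entirely by the NFS estimate, while BLS12-381's 255-bit r already caps it at roughly 127 bits before any NFS considerations.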