Re: [Cfrg] I-D Action: draft-irtf-cfrg-pairing-friendly-curves-04.txt
Armando Faz <armfazh@cloudflare.com> Tue, 05 May 2020 20:44 UTC
Return-Path: <armfazh@cloudflare.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8430B3A0A6C for <cfrg@ietfa.amsl.com>; Tue, 5 May 2020 13:44:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x-GdD1Rxqfkl for <cfrg@ietfa.amsl.com>; Tue, 5 May 2020 13:44:15 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1AE83A0A6A for <cfrg@irtf.org>; Tue, 5 May 2020 13:44:15 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id u6so21877ljl.6 for <cfrg@irtf.org>; Tue, 05 May 2020 13:44:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=yaXOhLMXwWjo1e6B0ZhgB5+BnSBu5whFGcHnScZ8YHE=; b=t3+zggrJuWPJw+yevHznAtfp3C8/HXDYghQVa76xjdwBEVj61Y2zqpiQAxZ7WG2USW dl8LYA7pVxpLZ1YaTDP+VODm931+LAgSC2Xzd5MwEAPil6bOwvVt0v3kaE5XHHy32Jih sGLTqE/R+6WErrybntRq1JSyls5aHEoMctx4k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=yaXOhLMXwWjo1e6B0ZhgB5+BnSBu5whFGcHnScZ8YHE=; b=gjr1rvY66pJ8lCJjdWUkUAEN21IhNufGhK4KGcnUrNoktyGj+VG5Qr3uAKGlmUH8kN /rQjxa67KdHRl3ag5v5AUBERerQLYMdWKddL2d0MA7X1ok/mhiPBZtHzhO8Yty+XKjYy XNfGvA3jaKBjqH4NouYHmOECpV37CFbRS7ZE3DAEMwnayRyZJNEbTm7o6o3jWOwdErqN KCM2fQh3eyztTgcfjVSg7JL89V419AswfBBwDsEXNwdaQ4WFDjntaZiku0Q74a7bFxB7 MFXfibkMxteTd7UJkQ+3LcDSYm8ToLUwj9pOJtt/iJ7LMNUOUMsZazOBFNXkQIboirzM P5yw==
X-Gm-Message-State: AGi0PuZ+Z6kTypZ3ehi6bckLHMULfOpHZJ2BuMLpKjSeSK8DHOpReJLW xyDn4AhS8rm7HbDzeD4r9Y7rGuBNI4xXzPJBHbfgTHFrTKc=
X-Google-Smtp-Source: APiQypKN0DVY1JuDxbbL2HsVGmEOYNir4oSUHP+22GoopLu+EjrbI1OGxnNnjTLR6K4L93g2ajTAOiluxWgAHeDVu3k=
X-Received: by 2002:a05:651c:549:: with SMTP id q9mr2973034ljp.236.1588711453159; Tue, 05 May 2020 13:44:13 -0700 (PDT)
MIME-Version: 1.0
From: Armando Faz <armfazh@cloudflare.com>
Date: Tue, 05 May 2020 13:44:02 -0700
Message-ID: <CABZxKYm5PcZg4sV7hcgRvp5ecpPXROMw1JcgkAXeNRur=PzKOA@mail.gmail.com>
To: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000d1105a05a4ecb50a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fYL-hT80pgatxfpnB82c0sXV1ls>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-pairing-friendly-curves-04.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2020 20:44:18 -0000
Hi, I would like to give some feedback to the pairing-friendly-curves draft-v04. Hope this helps to improve the document. I am concerned about the security levels currently claimed. Before 2016, everybody agreed that BN256 provided 128-bit security, after the improvements on NFS the security level was reduced. So, what would happen in the future when another improvement is discovered? Is there some escalation plan for anticipating this event? As there isn't a recommendation of curves at 192-bit level, so at the point when moving from 128- to the 256-bit level, the change would be dramatic. I think some curves should be recommended, even though they are not widely used currently. Does the curves proposed satisfy the notion of subgroup security ( https://eprint.iacr.org/2015/247)? I think some comments should be added regarding this notion. Have you considered the use of other models such as Hessian curves ( https://eprint.iacr.org/2018/1026). ? They are interesting since they provide fast pairings for odd embedding degrees. What is the isomorphism used in each instance? ## When implementing the line function, implementers should consider the isomorphism of E and its twisted curve E' so that one can reduce the computational cost of operations in G_2. We note that Line_function does not consider such isomorphism The description of pairing computation doesn't describe the outcome of the special cases, e.g. when points do not belong to G1 or G2, or when the input points are the identity. (I consider this is important for implementers not familiar with pairings.) Editorial: Soluti\ons -> Solutions Better to use k for denoting a scalar, in ## Similarly, we can define 2P = P + P and a scalar multiplication S = [k]P for a positive integer k can be defined as an (k-1)-time addition of P. T belongs to E' ## Similarly, for any S in G_1, e(S, T) = 1 if and only if T = O_E' reducedto -> reduced to In the description of ate pairing computation, there is an inconsistency between the number of inputs of the Line_function. -- Armando Faz Cloudflare Inc.
- [Cfrg] I-D Action: draft-irtf-cfrg-pairing-friend… internet-drafts
- [Cfrg] Fwd: I-D Action: draft-irtf-cfrg-pairing-f… Yumi Sakemi
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-pairing-fr… Armando Faz
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-pairing-fr… Yumi Sakemi