Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

Michael Scott <> Thu, 14 March 2019 15:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B50E9130E79 for <>; Thu, 14 Mar 2019 08:22:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DD89HlA14bGw for <>; Thu, 14 Mar 2019 08:22:10 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::d2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B3439130E11 for <>; Thu, 14 Mar 2019 08:22:10 -0700 (PDT)
Received: by with SMTP id f6so5452069iop.3 for <>; Thu, 14 Mar 2019 08:22:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HalFtqrLLmSGXR1MaBpNy1mMzgC8ZwBmLoi3T+scaeE=; b=P2aYEGzp6Bpi7AAIWlPuknnIgPPAB5ldyQwvSz0pSNAzQyqJ3MfEHUPJSlKIJrgtow CjloBXfM96GHwgJ0Cwe+FiBe7Ob1fiPiDYsHAPi3h25/EsZAJAxBwfBEkxawg3Arwsqn eqI+DiXsVkGafLSnghHI+3G+se3oFEV8yeujdGKT/84Y8zNKNLqE3rO2GZM/awoSv1jz y0c1eMQoaYHnZZyhz+KoQsIGx/zKJoZ0H/C1JGoMGbkXTbbZJHQjm7xrLlE7Lc2DqCei PE1vGIZl6Y11s13tdYHRrehpBwTQsOR7OrfZFgeU4tpIYOlWNpO75pHMeSARpe+vTPlr ghjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HalFtqrLLmSGXR1MaBpNy1mMzgC8ZwBmLoi3T+scaeE=; b=j2R9YjQ2Mgz/zZS0gkrlAp0c2mvRFlFTavm+BYdsVCdcsMVS/OyakI+TU9dtQnWrnB 8Lw9wN47SKF8AqRF34YpMrDZDL1XNhSrfX+Cyd36mzE9EreppQGarOj+kN+CTfmgQkQU eLqrqBWi74kLG3Wy3wTIGJNor0Behprx3wg7o4sFWdEQpKG8iF6+ZOlW1gCk+4kolDuF XTXEtOBQc8uv2s8zcQyFYqRjVRzBwBFU+QqP9J3ASuVLYQ1/avdJ5qxIK0bs4YUc2dLW oQBN6ZjFWseYVPmv2qcNiYuOeF94y7khdASE/qd8wu9drt6AGtNQwS+dFcGvGwo7yhTG sS0Q==
X-Gm-Message-State: APjAAAVrEKic2DsvkZ0/YL7cluJYZcNYkQ1YCaqo6N/qFodcPrvL+sO3 XSZPCaL0GP/Stl1tLlCEnfl5lwf6WwCQPr7I3MPDO/8h9us=
X-Google-Smtp-Source: APXvYqydUe73Yp72FPxbbLEtEiaHdwqjQxG4cspdO/rv7/KgZhPkACf9+duv89ZQhAQGrvRYWd/zNJpX9uOgdjn9cKY=
X-Received: by 2002:a6b:3c19:: with SMTP id k25mr13982189iob.261.1552576929722; Thu, 14 Mar 2019 08:22:09 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Michael Scott <>
Date: Thu, 14 Mar 2019 15:21:58 +0000
Message-ID: <>
To: Shoko YONEZAWA <>
Cc: "" <>
Content-Type: multipart/alternative; boundary="000000000000620b0005840f7c4f"
Archived-At: <>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 14 Mar 2019 15:22:14 -0000


I greatly welcome this proposal, and would not want to slow its progress in
any way. It is long overdue that pairing-friendly curves be standardized,
before unsuitable de-facto standards emerge, which may not be ideal, but
which may nevertheless become widely deployed.

However I make the following observations about the particular curves

The suggested curves do not appear to meet the requirement for subgroup
security which is indicated as being a desirable property in section 3.1 -
“One has to choose parameters so that the cofactors of G_1, G_2 and G_T
contain no prime factors smaller than |G_1|, |G_2| and |G_T|”.

The case could be made that subgroup security is not so important, but if
so the text in 3.1 should be modified to reflect this point of view.

The curve BN462 is not sub-group secure, as in G_T (p^4-p^2+1) /r has small
factors of 2953, 5749 and 151639045476553 (amongst others). I didn’t check

The curve BLS381 has the same problem, as (p^4-p^2+1) /r has small factor
of 4513, 584529700689659162521 and more. Again I didn’t check G_2

The curve BLS48-581 has the same problem, as (p^4-p^2+1) /r has a small
factor of 76369, and probably others. Again I didn’t check for G_2

The draft does point out that for BLS curves, when hashing to a point in
G_1, multiplication by a small co-factor h>1 will always be necessary.

In my opinion sub-group security in G_T is particularly important if it is
desirable to offload the pairing calculation to an untrusted server, and so
it is a feature I would consider useful in a standard curve. In our
experience finding such curves is relatively easy (although finding curves
that are sub-group secure in both G_2 and G_T is more problematical).

Another point – the BLS381 curve was chosen for a very particular (albeit
important) application where it is a requirement that r-1 has a factor of
2^m for a large value of m. Curves chosen with application-specific
benefits should I suggest be considered carefully if proposed as more
general purpose standards. Note that this particular application
disadvantages BN curves, as due to the form of its formula for r, this
particular condition is much harder to achieve.


On Wed, Mar 13, 2019 at 10:33 AM Shoko YONEZAWA <>

> Hi there,
> Thank you for your comments to our pairing-friendly curve draft.
> We submitted a new version.
> According to Kenny's comments,
> we added the following description to the new version.
> - Pseudo-codes for pairing computation
> - Example parameters and test vectors of each curve
> We now published our working draft on GitHub,
> together with the BLS signature group.
> Please feel free to submit issues. Your comments are really appreciated.
> Best,
> Shoko
> -------- Forwarded Message --------
> Subject: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
> Date: Mon, 11 Mar 2019 08:34:48 -0700
> From:
> Reply-To:
> To:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>          Title           : Pairing-Friendly Curves
>          Authors         : Shoko Yonezawa
>                            Sakae Chikara
>                            Tetsutaro Kobayashi
>                            Tsunekazu Saito
>         Filename        : draft-yonezawa-pairing-friendly-curves-01.txt
>         Pages           : 28
>         Date            : 2019-03-11
> Abstract:
>     This memo introduces pairing-friendly curves used for constructing
>     pairing-based cryptography.  It describes recommended parameters for
>     each security level and recent implementations of pairing-friendly
>     curves.
> The IETF datatracker status page for this draft is:
> There are also htmlized versions available at:
> A diff from the previous version is available at:
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at
> Internet-Drafts are also available by anonymous FTP at:
> _______________________________________________
> I-D-Announce mailing list
> Internet-Draft directories:
> or
> _______________________________________________
> Cfrg mailing list