Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
Michael Scott <mike.scott@miracl.com> Thu, 14 March 2019 18:52 UTC
From: Michael Scott <mike.scott@miracl.com>
Date: Thu, 14 Mar 2019 18:52:38 +0000
To: Shoko YONEZAWA <yonezawa@lepidum.co.jp>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rZN1MR5kLzJgmQdfkBib0G-TaNw>
Another point.. For the BLS curves, the cofactor h in G_1 is calculated here as ((t-1)^2)/3, and this will work fine as a co-factor, where a random point on the curve over the base field can be multiplied by this co-factor to create a point of order r in G_1. But this co-factor is unnecessarily large. The same can be achieved by using (t-1) as a co-factor, due to the structure of pairing friendly fields. This will be twice as fast.

Mike

However to

On Thu, Mar 14, 2019 at 3:21 PM Michael Scott <mike.scott@miracl.com> wrote:
> Hello,
>
> I greatly welcome this proposal, and would not want to slow its progress in any way. It is long overdue that pairing-friendly curves be standardized, before unsuitable de-facto standards emerge, which may not be ideal, but which may nevertheless become widely deployed.
>
> However I make the following observations about the particular curves suggested.
>
> The suggested curves do not appear to meet the requirement for subgroup security which is indicated as being a desirable property in section 3.1 - "One has to choose parameters so that the cofactors of G_1, G_2 and G_T contain no prime factors smaller than |G_1|, |G_2| and |G_T|".
>
> The case could be made that subgroup security is not so important, but if so the text in 3.1 should be modified to reflect this point of view.
>
> The curve BN462 is not sub-group secure, as in G_T (p^4-p^2+1)/r has small factors of 2953, 5749 and 151639045476553 (amongst others). I didn't check G_2.
>
> The curve BLS381 has the same problem, as (p^4-p^2+1)/r has small factors of 4513, 584529700689659162521 and more. Again I didn't check G_2.
>
> The curve BLS48-581 has the same problem, as (p^4-p^2+1)/r has a small factor of 76369, and probably others. Again I didn't check for G_2.
>
> The draft does point out that for BLS curves, when hashing to a point in G_1, multiplication by a small co-factor h>1 will always be necessary.
>
> In my opinion sub-group security in G_T is particularly important if it is desirable to offload the pairing calculation to an untrusted server, and so it is a feature I would consider useful in a standard curve. In our experience finding such curves is relatively easy (although finding curves that are sub-group secure in both G_2 and G_T is more problematical).
>
> Another point - the BLS381 curve was chosen for a very particular (albeit important) application where it is a requirement that r-1 has a factor of 2^m for a large value of m. Curves chosen with application-specific benefits should I suggest be considered carefully if proposed as more general purpose standards. Note that this particular application disadvantages BN curves, as due to the form of its formula for r, this particular condition is much harder to achieve.
>
>
> Mike
>
> On Wed, Mar 13, 2019 at 10:33 AM Shoko YONEZAWA <yonezawa@lepidum.co.jp> wrote:
>
>> Hi there,
>>
>> Thank you for your comments to our pairing-friendly curve draft. We submitted a new version.
>>
>> According to Kenny's comments, we added the following description to the new version.
>>
>> - Pseudo-codes for pairing computation
>> - Example parameters and test vectors of each curve
>>
>> We now published our working draft on GitHub, together with the BLS signature group. Please feel free to submit issues. Your comments are really appreciated.
>>
>> https://github.com/pairingwg/pfc_standard/
>>
>> Best,
>> Shoko
>>
>> -------- Forwarded Message --------
>> Subject: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
>> Date: Mon, 11 Mar 2019 08:34:48 -0700
>> From: internet-drafts@ietf.org
>> Reply-To: internet-drafts@ietf.org
>> To: i-d-announce@ietf.org
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>
>> Title : Pairing-Friendly Curves
>> Authors : Shoko Yonezawa, Sakae Chikara, Tetsutaro Kobayashi, Tsunekazu Saito
>> Filename : draft-yonezawa-pairing-friendly-curves-01.txt
>> Pages : 28
>> Date : 2019-03-11
>>
>> Abstract:
>> This memo introduces pairing-friendly curves used for constructing pairing-based cryptography. It describes recommended parameters for each security level and recent implementations of pairing-friendly curves.
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-yonezawa-pairing-friendly-curves/
>>
>> There are also htmlized versions available at:
>> https://tools.ietf.org/html/draft-yonezawa-pairing-friendly-curves-01
>> https://datatracker.ietf.org/doc/html/draft-yonezawa-pairing-friendly-curves-01
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-yonezawa-pairing-friendly-curves-01
>>
>> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
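The checks discussed in this message, as an added example that is not code from the draft or from anyone in the thread: it evaluates the draft's BLS12 and BN polynomials for the parameters t the draft gives for BLS12-381 and BN462, looks for small prime factors in the G_T cofactor (p^4-p^2+1)/r by trial division (the subgroup-security check of section 3.1), and compares the bit size of the draft's G_1 cofactor (t-1)^2/3 with that of t-1. The names `audit`, `bls12_params`, `bn_params`, `gt_cofactor` and `small_prime_factors` are this example's own; whether t-1 alone suffices as a multiplier is the claim made above and is not verified by this code.

```python
# Added example: reproduce the subgroup-security and cofactor-size checks for the
# draft's curves using only integer arithmetic. Parameters t are the draft's.

def bls12_params(t):
    """(p, r, h1) of a BLS12 curve from t; h1 = (t-1)^2/3 is the draft's G_1 cofactor."""
    r = t**4 - t**2 + 1
    p = (t - 1)**2 * r // 3 + t
    return p, r, (t - 1)**2 // 3

def bn_params(t):
    """(p, r, h1) of a BN curve from t; BN curves have prime order, so h1 = 1."""
    p = 36*t**4 + 36*t**3 + 24*t**2 + 6*t + 1
    r = 36*t**4 + 36*t**3 + 18*t**2 + 6*t + 1
    return p, r, 1

def gt_cofactor(p, r):
    """Cofactor of G_T inside the cyclotomic subgroup of order Phi_12(p) = p^4 - p^2 + 1."""
    phi12 = p**4 - p**2 + 1
    if phi12 % r:
        raise ValueError("r does not divide Phi_12(p): embedding degree is not 12")
    return phi12 // r

def small_prime_factors(n, bound):
    """Distinct primes below bound dividing n, by trial division (bound stays small)."""
    found, q = [], 2
    while q < bound:
        if n % q == 0:
            found.append(q)
            while n % q == 0:
                n //= q
        q += 1 if q == 2 else 2
    return found

BLS12_381_T = -0xd201000000010000           # t = -2^63 - 2^62 - 2^60 - 2^57 - 2^48 - 2^16
BN462_T = 2**114 + 2**101 - 2**14 - 1

def audit(name, p, r, h1, t, bound=1 << 16):
    """What a reviewer looks at: sizes, both G_1 multipliers, small factors in G_T."""
    return {"curve": name, "p_bits": p.bit_length(), "r_bits": r.bit_length(),
            "h1_bits": h1.bit_length(),                 # draft's G_1 cofactor
            "t_minus_1_bits": abs(t - 1).bit_length(),  # the shorter multiplier proposed
            "gt_small_factors": small_prime_factors(gt_cofactor(p, r), bound)}

def audit_bls12_381():
    p, r, h1 = bls12_params(BLS12_381_T)
    assert p - BLS12_381_T == h1 * r         # #E(F_p) = p + 1 - (t + 1) = h1 * r
    return audit("BLS12-381", p, r, h1, BLS12_381_T)

def audit_bn462():
    p, r, h1 = bn_params(BN462_T)
    assert p + 1 - (6 * BN462_T**2 + 1) == r  # #E(F_p) = p + 1 - trace = r
    return audit("BN462", p, r, h1, BN462_T)
```

Raising `bound` finds more of the factors the message lists, at the cost of proportionally more trial divisions; the 2^16 default already exposes the 4513 factor for BLS12-381.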