IETF Logo Mail Archive

Re: [Cfrg] BLS standard draft

Antonio Sanso <asanso@adobe.com> Mon, 18 March 2019 09:54 UTC

Return-Path: <asanso@adobe.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5383A128D7A for <cfrg@ietfa.amsl.com>; Mon, 18 Mar 2019 02:54:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adobe.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uwFWrRA_6paM for <cfrg@ietfa.amsl.com>; Mon, 18 Mar 2019 02:54:42 -0700 (PDT)
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (mail-eopbgr690071.outbound.protection.outlook.com [40.107.69.71]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94AFB128D0B for <cfrg@irtf.org>; Mon, 18 Mar 2019 02:54:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adobe.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Q+yvocSdrHw+ZHSn1WAHwgCsVp+ypM/fN5VPKZyup+E=; b=mLwuAwUgCZbjkZIbkDPbW7atbsmD93p1DzGr0OiBorrHXK5vB7/BMHQC1bxpvOVf574DeTO/gXKu+xhiMYLH+TeGOU6LRRb5W9TXeuoKkAiFgvXIV8N/8UDCn1fzFyb/Gx/NFLq31z12p8m1rfkmNC92hQL+qF5+wNTXosQ3TOs=
Received: from SN6PR02MB5311.namprd02.prod.outlook.com (52.135.104.21) by SN6PR02MB4320.namprd02.prod.outlook.com (52.135.119.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.13; Mon, 18 Mar 2019 09:54:30 +0000
Received: from SN6PR02MB5311.namprd02.prod.outlook.com ([fe80::2874:55d2:9bd4:825e]) by SN6PR02MB5311.namprd02.prod.outlook.com ([fe80::2874:55d2:9bd4:825e%2]) with mapi id 15.20.1709.015; Mon, 18 Mar 2019 09:54:30 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Sergey Gorbunov <sgorbunov@uwaterloo.ca>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] BLS standard draft
Thread-Index: AQHU2mz82ZpTqALWa0KbPD2RfBHl3qYRPRGA
Date: Mon, 18 Mar 2019 09:54:30 +0000
Message-ID: <1EF21C17-4CE1-4BD1-87ED-782C433F4ED3@adobe.com>
References: <mailman.27.1551816005.6121.cfrg@irtf.org> <CACnav0pt0_+=r4-OH3_0nZe+3FxmApcGfF7CGkjR-NSvJ9t-mA@mail.gmail.com>
In-Reply-To: <CACnav0pt0_+=r4-OH3_0nZe+3FxmApcGfF7CGkjR-NSvJ9t-mA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.16.0.190211
authentication-results: spf=none (sender IP is ) smtp.mailfrom=asanso@adobe.com;
x-originating-ip: [2a02:1205:5031:1990:982e:be90:a593:1eaa]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 295dfecd-5d40-4d37-73f7-08d6ab87b755
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7153060)(7193020); SRVR:SN6PR02MB4320;
x-ms-traffictypediagnostic: SN6PR02MB4320:
x-ms-exchange-purlcount: 6
x-microsoft-antispam-prvs: <SN6PR02MB4320B2E97AEABCF9B6065837D9470@SN6PR02MB4320.namprd02.prod.outlook.com>
x-forefront-prvs: 098076C36C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(376002)(136003)(396003)(39860400002)(366004)(189003)(199004)(51914003)(55674003)(33656002)(25786009)(46003)(8676002)(81166006)(81156014)(446003)(7736002)(11346002)(9326002)(10090500001)(486006)(21615005)(6506007)(6486002)(14444005)(5024004)(2616005)(53546011)(6436002)(256004)(102836004)(186003)(6512007)(83716004)(6306002)(54896002)(476003)(71200400001)(76176011)(8936002)(6116002)(99286004)(71190400001)(86362001)(236005)(106356001)(53936002)(68736007)(66574012)(2906002)(229853002)(82746002)(5660300002)(14454004)(30864003)(478600001)(966005)(36756003)(97736004)(606006)(316002)(6246003)(58126008)(110136005)(2501003)(105586002)(786003); DIR:OUT; SFP:1101; SCL:1; SRVR:SN6PR02MB4320; H:SN6PR02MB5311.namprd02.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: adobe.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: VDEtv+g7PsdRG9Y7asH/8sIYCca10CiYJ6BX3hpHk47X72WvfRJ36Fl1Kg1Hc4pqrEiyWMfCcUu941tAhUtFzy17nKXCF42Zf3YB3lEtYmAOIBY/A9nfit2utyJN3+zf5NOE1Q1D0ot2zJW+6Io6R38jH9Tj4obp8MABYvtzN8k8RW2MDVz7bmZhy5frFxM6qPftc0WohZgmae7pStq/Hk0JoRR09HsWHx2R3VOAr3fUSGzYD0fAnO2FpetrdIBaqHlNdQ3S0YCX1pv4K7Vv9vOFL9mcI/AqJ1CulfhHBg9zcuGkoo9Lst9Nm6yrcNVKoY1YROpm3sZfgotK7kj2XHokIobrD/BiYMuGihjcl3jLAvSrGabSKyWWXryFU4TBF7/rD7DnzwfOM2TdyIsEDgaQcdSnurKOUDw+0LbkWM0=
Content-Type: multipart/alternative; boundary="_000_1EF21C174CE14BD187ED782C433F4ED3adobecom_"
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 295dfecd-5d40-4d37-73f7-08d6ab87b755
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2019 09:54:30.2758 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: fa7b1b5a-7b34-4387-94ae-d2c178decee1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR02MB4320
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rhKkolykojt4ZJdGn9Vbhb9RDXI>
X-Mailman-Approved-At: Fri, 22 Mar 2019 02:50:18 -0700
Subject: Re: [Cfrg] BLS standard draft
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 09:54:47 -0000

Hi Sergey,
Great work so far.

Not quite the same. Just wanted to point out that recently Luca De Feo, Simon Masson, Christophe Petit and myself published a paper that generalizes the BLS construction (employing isogenies).
You can find the paper in https://eprint.iacr.org/2019/166.pdf

Regards

antonio

From: Cfrg <cfrg-bounces@irtf.org> on behalf of Sergey Gorbunov <sgorbunov@uwaterloo.ca>
Date: Thursday, March 14, 2019 at 2:51 PM
To: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] BLS standard draft

Dear All:

Thanks for the continuing feedback!
Our draft is now on GitHub:
https://github.com/pairingwg/bls_standard
Please submit and comment on the issues to continue improving the draft.

Note that the parent working group also contains a related draft on pairing-friendly curves:
https://github.com/pairingwg

Regards,
Sergey


Message: 1
Date: Tue, 5 Mar 2019 17:42:00 +0000
From: Michael Scott <mike.scott@miracl.com<mailto:mike.scott@miracl.com>>
To: "cfrg@irtf.org<mailto:cfrg@irtf.org>" <cfrg@irtf.org<mailto:cfrg@irtf.org>>
Subject: Re: [Cfrg] BLS standard draft
Message-ID:
        <CAEseHRpH2s0i7=u4ZoSCMX9ghiSN_0Y=bLj3_2E1gED+f3WJoQ@mail.gmail.com<mailto:bLj3_2E1gED%2Bf3WJoQ@mail.gmail.com>>
Content-Type: text/plain; charset="utf-8"

My understanding is that while shortness is a nice feature of BLS
signature, its not the main selling point any more. That would be its
aggregation and compression property.

As it happens I just finished getting some timings for the BLS381 curve on
an Arduino IoT MKR1000 board (48MHz clock, 32-bit ARM Cortex M0 chip - but
no 32x32->64 multiplication instruction, 256K ROM, 32K RAM, no room for any
precomputation :), no assembly language, pure C++, side channel resistant
coding). Signature in G1, public key in G2, SHA3 message hashing.

The test program occupies less than 56K of ROM, and (obviously) something
less than 32K of RAM

Key generation -  2.7 seconds
Signature - 2.8 seconds
Verification - 13.1 seconds

Of course it would be a little crazy to do BLS signature verification on
such a chip....

Mike


On Tue, Mar 5, 2019 at 1:48 PM John Mattsson <john.mattsson@ericsson.com<mailto:john..mattsson@ericsson.com>>
wrote:

> Hi Sergey,
>
>
>
> I think this is interesting and likely something worth spending time on. I
> agree with the opinion that quantum computers is not a reason to stop
> looking at this, at least not yet.
>
>
>
> Some very quick high level comments:
>
>
>
> - It is stated the BLS12-381 yield signature sizes of 48 bytes when
> signatures are in G1. I think the draft should also state what the public
> keys sizes are in this case. I assume the "minimizing public key size"
> option just swap the sizes.
>
>
>
> - It would be good if the draft gave some hint to potential implementors
> regarding the amount of processing required. While short signatures would
> be good in many IoT applications, I assume that the pairing operations are
> relatively expensive.
>
>
>
> - The curve is called both BLS12-381 and BLS-381, I assume they are the
> same curve.
>
>
>
> My memory of BLS (backed up by a book section by K.G.Paterson that I had
> in my book shelf) is that BLS signatures where close to half the size of
> ECDSA (170 vs. 320 bits for 80 bit security), I assume some new attacks
> have changed this?
>
>
>
> /John
>
>
>
> *From: *Cfrg <cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org>> on behalf of Sergey Gorbunov <
> sgorbunov@uwaterloo.ca<mailto:sgorbunov@uwaterloo.ca>>
> *Date: *Saturday, 23 February 2019 at 20:26
> *To: *"cfrg@irtf.org<mailto:cfrg@irtf.org>" <cfrg@irtf.org<mailto:cfrg@irtf.org>>, David Wong <
> davidwong.crypto@gmail.com<mailto:davidwong.crypto@gmail.com>>, "ylzhao@fudan.edu.cn<mailto:ylzhao@fudan.edu.cn>" <ylzhao@fudan.edu.cn<mailto:ylzhao@fudan.edu.cn>>,
> Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>>
> *Subject: *Re: [Cfrg] BLS standard draft
>
>
>
> Thanks, David and everyone else for the feedback!
>
> We will create a github repository where anyone will be able to view and
> comment on the latest draft and share the link.
>
>
>
> In the meantime, please continue sending us feedback by email.
>
>
> Regards,
>
> Sergey
>
> web <https://cs.uwaterloo.ca/~sgorbuno/>
>
>
>
>
>
> On Sun, Feb 17, 2019 at 3:00 PM <cfrg-request@irtf.org<mailto:cfrg-request@irtf.org>> wrote:
>
> Message: 1
> Date: Sun, 17 Feb 2019 08:54:36 -0800
> From: David Wong <davidwong.crypto@gmail..com<mailto:davidwong.crypto@gmail.com>>
> To: ??? <ylzhao@fudan.edu.cn<mailto:ylzhao@fudan.edu.cn>>
> Cc: Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>>, CFRG <cfrg@irtf.org<mailto:cfrg@irtf.org>>,  Sergey
>         Gorbunov <sgorbunov@uwaterloo.ca<mailto:sgorbunov@uwaterloo.ca>>
> Subject: Re: [Cfrg] BLS standard draft
> Message-ID:
>         <CAK3aN2r9J9ToH6OZPNqUv4vNPx_DqJM+KQC=X=
> rfHFEkM5hkdg@mail.gmail.com<mailto:rfHFEkM5hkdg@mail.gmail.com>>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi again,
>
> I am not sure what the process is. If you have a github repo where we
> can participate or if you want us to give you feedback here. So here
> is some feedback from a first read. Feel free to ignore the bits you
> don't agree with of course. Some common themes were:
>
> * Keep in mind that this is for implementations, so remove information
> that belongs in a whitepaper
> * Make the RFC timeless (we should be able to read it in 5 years and
> understand it)
> * Set things in stone so that the RFC is actionable, don't make it
> vague. If people want to add to it, extensions and updates are
> possible later.
>
> And here is the more detailed feedback:
>
> - abstract: re-write with "what is it?" in mind first, history bits
> can wait until the introduction. I suggest using developer-friendly
> terms like "compression" and define aggregation later if the term is
> needed. Example:
>
>     BLS is a digital signature scheme with compression properties.
> With a given set of signatures (sig_1, ..., sig_n) anyone can produce
> a compressed signature sig_compressed. The same is true for a set of
> private keys or public keys, while keeping the connection between sets
> (a compressed public key is associated to its compressed public key).
> Furthermore, the BLS signature scheme is deterministic, non-malleable,
> and efficient. Its simplicity and cryptographic properties allows it
> to be useful in a variety of use-cases, specifically when minimal
> storage space or bandwidth are required.
>
> - intro:
>     - "A signature scheme is a fundamental cryptographic primitive
> used on the Internet that is used to protect integrity of
> communication" -> not necessarily used on the internet, and not
> necessarily for integrity of communications.
>     - "2.  Verification requires 2 pairing operations." -> at this
> point pairing is not defined, and what does that mean for the
> developer? how does it compare to other signature schemes that do not
> use pairing?
>     - "we believe the scheme will find very interesting applications"
> -> too temporal. At some point, it is possible that the scheme will be
> popular and this sentence will seem out of place.
>     - "the BLS signature scheme is already integrated" -> maybe out of
> place (as too temporal as well). If not, sort the list by alphabetical
> order, I think no one will mind that.
>     - "BLS signatures are used for authenticating transactions as well
> as votes during the consensus protocol" -> I suggest we itemize the
> different use-cases of BLS (from PKI to blockchain).
> - section "1.1.  Terminology"
>     - "msg" -> I suggest we change that to "message"
>     - "sigma" -> "signature"
>     - "signer/verifier/aggregator" do we need roles for these? Can't
> we do with just an API ("sign/verify/compress")
>     - "P1" is defined but never seem to be used. Am I missing something?
>     - I suggest we spell "e()" as "pairing()" in the algorithms, and
> define it here
> - section "1.2.  Signature Scheme Algorithms and Properties"
>     - "A signature scheme comes with" -> "Like most signature schemes,
> BLS comes with the following API", this way we can leverage the
> reader's knowledge of other signature scheme.
>     - "The signing algorithm may be deterministic or randomized,
> depending on the scheme" -> as this is a spec, we need to make a
> decision here. I think it makes more sense to make it deterministic.
> - section "1..2.2.  Security" -> do we need these security properties
> in the RFC? It sounds to me like they would belong in a whitepaper
> instead..
> - section "2."
>     - "BLS signatures require pairing-friendly curves" -> I suggest
> standardizing BLS with a set of curves. Extensions or updates can
> later add more curves if needed.
>     - "There are two variants of the scheme" -> It'd be nice if the
> two variants were specified in this document, as they both have
> use-cases.
>     - "Put ... in G1" -> not clear, rephrase
> - section "2.1.  Preliminaries". I recommend renaming "suite_string"
> to "domain_separator" and having specific values for it instead of
> potential values.. (We're standardizing something after all, ideally it
> should be self-contained)
> - section "2.4.  Verify: Signature Verification"
>     - "4.  If r*Gamma != 0, output "INVALID" and stop" -> I had heard
> a while ago that this membership check was patented for ECDH. Anyone
> remembers something like this?
> - section "2.5.  Aggregate"
>     - it should be "sigma = E1_to_string(string_to_E1(sigma_1) + ... +
> string_to_E1(sigma_n))"
>     - you specify verifying aggregates of SAME msg and of DIFFERENT
> msgs, but only have the aggregate algorithm for SAME msg specified.
> - section "2.5.3.  Implementation optimizations". Two things:
>     - this should be towards the end of the documentation as these are
> optional recommendations. Perhaps after "security recommendations" or
> as an appendix
>     - is it really wise to have the standard contain this? Available
> optimizations may change over time. I've also never seen an RFC
> talking about optimizations.
> - section "2.7.  Security analysis" -> I don't think this is necessary
> to have that in the RFC.
> - section "3.1. Verifying public keys"
>     - define "G2 membership test"
>     - "to prevent rogue key attacks" -> needs a reference
> - section "3.4. Randomness considerations" needs a citation, for
> example on ECDSA issues when the nonce is repeated
> - section "4.  Implementation Status". Standards usually don't refer
> to implementations AFAIK. I imagine this is because their state can
> change, and new good implementations can arise after the RFC is set in
> stone. I think this is good to have in the draft though, so perhaps
> add an indication somewhere that this will be deleted in the final
> document.
> - section "6.  IANA Considerations". Do we need this?
> - section "2.6.1.  Preliminaries", "In fact, we will pad each
> substring with 0s so that the length of each substring is a multiple
> of 8." specify that this is in bits.
>
> Cheers,
> David
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org<mailto:Cfrg@irtf.org>
> https://www.irtf.org/mailman/listinfo/cfrg
>
-------------- next part --------------
An HTML attachment was scrubbed....
URL: <https://mailarchive.ietf.org/arch/browse/cfrg/attachments/20190305/1ee7766b/attachment.html>

------------------------------

Subject: Digest Footer

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org<mailto:Cfrg@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg


------------------------------

End of Cfrg Digest, Vol 167, Issue 7
************************************

v2.23.0 | Report a Bug | By Email