Re: [CFRG] Asking the advice on the draft of pairing-friendly curves

Michael Scott <> Wed, 23 December 2020 14:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5838A3A0FDC for <>; Wed, 23 Dec 2020 06:04:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.602
X-Spam-Status: No, score=0.602 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Q0irAKJnUsni for <>; Wed, 23 Dec 2020 06:04:24 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::b36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D74653A108F for <>; Wed, 23 Dec 2020 06:04:10 -0800 (PST)
Received: by with SMTP id b64so14245482ybg.7 for <>; Wed, 23 Dec 2020 06:04:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JqGPjiGsSbDowYaPc/QeM0q7sdiEEfys3w9lzfyz+pc=; b=hpZFRdcyQL2g2bLeE1WZKIkkSA0MkW8xTvlcLDqvgcP7uzm/UmHLVOXoBD4iryiplf KAIpwhdsdHcC8wm2+DxdkUhemYuiTRf1hRf+8Ld8ePtQPb09qQZLAihMw5TPBzA+MeX0 9iuos2JEJSR8J7Gci6gtXTvWbxwjoPmDWEhAZGzz55EuZnqIiJz/wcQ6O3l3dEPL9P8x CF23Ioel0AozZkdckEZ964VZBT0Bp01BrJxiPVwsqTmHK6zIELZ+iBLEzS9iMuNrb8Co jPDlR4Yd52jvsbeNz4bbKJPaAIjIk5PIgvyd7c0MeINgHVnkPu1PlYgLwDynXGL4E94D lbXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JqGPjiGsSbDowYaPc/QeM0q7sdiEEfys3w9lzfyz+pc=; b=UlmopX7I862OCjNxGidGO2+BFZ6dPbBe2C51a7+F+o6ur3ovps0PkHCm237ZOQbkUh x7AS/CfDsBrSMZTGAnXy2vnou75JMdo8aPzsK0Lwrt58eaK7NyPlkCT0LZs+zfXy86CH qO6Q1CP6cxQ7iPtrqlJkphzPv6vFFTcTWXJJ5xkSl2ZSkDdHWSB5FDIPcjIL4HwdhG1f eY0Trb9IpV3+TaY6hzzbF7LNkAo328VYLQpKTxnquNkRIcZj4MYIZnf57nz7S1Sfey2d cFI/nfEzdUi2ppSDWZ462rSPgGBTcZ2KCPRWk7ns0RhnEZqMc3Vx10phepWgS1SWoLLn jLZA==
X-Gm-Message-State: AOAM533/Tfw9yeKS2Yf7TwxwJMP4qGkNjsaf4RXvUilTImE/ahVKXzRI BcICaRk6Y0CeW86lFhCAibW7DokbBJf2609hFVn768WFMEdOMBX8
X-Google-Smtp-Source: ABdhPJyAA+ZXd+E3ipcfAdf2ulnrWUBsDZriB7r9aDRpzbWbG5AvMkVh0pKV9TYe+0F1rtETpyZ+06l+ngHYAcPbwLI=
X-Received: by 2002:a25:ab30:: with SMTP id u45mr35855889ybi.516.1608732249326; Wed, 23 Dec 2020 06:04:09 -0800 (PST)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Michael Scott <>
Date: Wed, 23 Dec 2020 14:04:14 +0000
Message-ID: <>
To: CFRG <>
Cc: Tetsutaro Kobayashi <>, "Riad S. Wahby" <>, Yumi Sakemi <>
Content-Type: multipart/alternative; boundary="00000000000042a0d405b7222a68"
Archived-At: <>
Subject: Re: [CFRG] Asking the advice on the draft of pairing-friendly curves
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 23 Dec 2020 14:04:26 -0000

 I would like to voice my strong support for this effort.

Since pairings arrived as a new cryptographic tool in the year 2000, they
have transformed cryptography and flung open may new doors to new avenues
of research. If RSA was a cryptographic lump hammer, pairings are a Swiss
army knife.

Alternative technologies have followed behind, some of them post-quantum
secure, but they have not as yet filled many of the niches currently
occupied by pairings.

A good example of an application area would be Functional encryption, which
I mention because an email popped into my Inbox just yesterday concerning
an interesting event associated with the Real World crypto conference in
January – see

It needs to be recognised that for reasons not entirely clear to me, many
regard pairings with suspicion. They have a largely undeserved reputation
of being slow. Many papers seem to like to boast that their scheme works
“without pairings”, as some kind of badge of honour. In fact pairing-based
schemes are completely practical.

More seriously their security has been called into question, due to some
impressive cryptanalysis. I must admit I was surprised and deeply impressed
when pairings based on small characteristic super-singular curves were
spectacularly blown out of the water. I was also impressed, although much
less surprised, when methods were found to exploit the particular form of
discrete log problem that arises in the context of large characteristic
non-supersingular pairing-friendly curves. This has lead to the adoption of
modest increases in parameter sizes.

However I would regard this as a natural progression for any new
cryptographic primitive. Parameter sizes generally creep up over time as
cryptanalytic efforts intensify, before eventually stabilising. Remember
512-bit RSA keys. Observe the current post-quantum crypto scene.

I would suggest that the security of pairings is comparable with that of
other discrete log based systems, and some 20 years after their arrival on
the cryptographic scene it is certainly time that their power was
recognised, and that standard curves should emerge for implementers to work
with in confidence. The world urgently needs better cryptography.

Hopefully CFRG will not be found wanting in offering its support for these
efforts. Personally I have always found the proposers of this standard to
be unfailingly polite and responsive to my feedback.

If de facto standards that have not undergone proper community scrutiny
start to emerge (as industry implementers lose patience waiting for
“proper” standards), then, well, that would be a pity.

Mike Scott