Re: [CFRG] Asking the advice on the draft of pairing-friendly curves

Michael Scott <mike.scott@miracl.com> Wed, 23 December 2020 14:04 UTC

References: <CAA4D8KZei_Cd+FhdgTH8MKOk2g126vFJihpEYJ23ZL3QfG3uGA@mail.gmail.com>
In-Reply-To: <CAA4D8KZei_Cd+FhdgTH8MKOk2g126vFJihpEYJ23ZL3QfG3uGA@mail.gmail.com>
From: Michael Scott <mike.scott@miracl.com>
Date: Wed, 23 Dec 2020 14:04:14 +0000
Message-ID: <CAEseHRpUUCV_aAAYdAxrw4wKDDDr-JbTQYnWihnp+18P2-VRBw@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Cc: Tetsutaro Kobayashi <tetsutaro.kobayashi.dr@hco.ntt.co.jp>, "Riad S. Wahby" <rsw@cs.stanford.edu>, Yumi Sakemi <yumi.sakemi@lepidum.co.jp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vUaHltXFAK9Lw1nHdwxHI__ilZI>
Subject: Re: [CFRG] Asking the advice on the draft of pairing-friendly curves

I would like to voice my strong support for this effort.

Since pairings arrived as a new cryptographic tool in the year 2000, they
have transformed cryptography and flung open many new doors to new avenues
of research. If RSA was a cryptographic lump hammer, pairings are a Swiss
army knife.

Alternative technologies have followed behind, some of them post-quantum
secure, but they have not as yet filled many of the niches currently
occupied by pairings.

A good example of an application area would be Functional encryption, which
I mention because an email popped into my Inbox just yesterday concerning
an interesting event associated with the Real World crypto conference in
January – see https://cryptohackathon.eu/

It needs to be recognised that for reasons not entirely clear to me, many
regard pairings with suspicion. They have a largely undeserved reputation
of being slow. Many papers seem to like to boast that their scheme works
“without pairings”, as some kind of badge of honour. In fact pairing-based
schemes are completely practical.

More seriously their security has been called into question, due to some
impressive cryptanalysis. I must admit I was surprised and deeply impressed
when pairings based on small characteristic super-singular curves were
spectacularly blown out of the water. I was also impressed, although much
less surprised, when methods were found to exploit the particular form of
discrete log problem that arises in the context of large characteristic
non-supersingular pairing-friendly curves. This has led to the adoption of
modest increases in parameter sizes.

However I would regard this as a natural progression for any new
cryptographic primitive. Parameter sizes generally creep up over time as
cryptanalytic efforts intensify, before eventually stabilising. Remember
512-bit RSA keys. Observe the current post-quantum crypto scene.

I would suggest that the security of pairings is comparable with that of
other discrete log based systems, and some 20 years after their arrival on
the cryptographic scene it is certainly time that their power was
recognised, and that standard curves should emerge for implementers to work
with in confidence. The world urgently needs better cryptography.

Hopefully CFRG will not be found wanting in offering its support for these
efforts. Personally I have always found the proposers of this standard to
be unfailingly polite and responsive to my feedback.

If de facto standards that have not undergone proper community scrutiny
start to emerge (as industry implementers lose patience waiting for
“proper” standards), then, well, that would be a pity.


Mike Scott