IETF Logo Mail Archive

Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt

Michael Scott <mike.scott@miracl.com> Sun, 31 March 2019 19:28 UTC

Return-Path: <mike.scott@miracl.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 649A6120048 for <cfrg@ietfa.amsl.com>; Sun, 31 Mar 2019 12:28:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=miracl-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id croZbUaSTE_G for <cfrg@ietfa.amsl.com>; Sun, 31 Mar 2019 12:28:48 -0700 (PDT)
Received: from mail-it1-x12c.google.com (mail-it1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1072E120003 for <cfrg@irtf.org>; Sun, 31 Mar 2019 12:28:48 -0700 (PDT)
Received: by mail-it1-x12c.google.com with SMTP id m137so11443307ita.0 for <cfrg@irtf.org>; Sun, 31 Mar 2019 12:28:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=miracl-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=1GV6V16pf+WntKQbNw4iFDZViqwbEQOUvEX6Og3k0Mw=; b=SZYlQZy7x92vbGQiEwuHE2+2do93tv4SydWm2SyBTpJTQB/yNy02QdXnvsmlUOW4tb S0C+BAY2HeJqG+Dc5DAHEooDI4z6ncuee3hVK/oQeKelbkhbPKnwZb3uJUQjckOwJV7a QY135v7mIttqfPmocLCJYZe+XS1r25+ZUoVv8l9/cNVBR8stwDBMwqLawHeygLYo22Qz NBpWIRTn323f2Aczz/4+tk6fZjs3SRfRYJQiwMTrBNN3ImJgUS6UX8f/I7n349ah6rND DFxI7QuA3tOq3rhgZxPxlFLp4a+exQv3WEZPKJlB0hsH/PJWilLbpUwjKHRUm8gzwEAR C+qw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=1GV6V16pf+WntKQbNw4iFDZViqwbEQOUvEX6Og3k0Mw=; b=dKpWjZdQE2Dtz+chJU/komQsWA9ipX52tSF7huqRRtnR/pDix+JHsRcev7VyMGhBk1 h5Odc/bwJoPYtFZxyXGAxoqJdnfdk6vcb4HROTleVfMl7x3YYo1zJN/H293+P1bJzEa4 CoRD6+kEI2E+JI8gbjL3cgLqFPPunvA0i+hz1/ziPplduaPhTlaMPqiAYuDT0Bu94HQo 8LOSjIgfcHjKlVQTn9IBEsY8YsiWsz2ti5GXr77WuG9p5lGzDGmBuW5TdMYtF03IoAvV BrLb0lCshGBGk/HjOkDpKetL2/M+R0u9Op+MAVHHddHiwRTnOURgmEwzR3KYkfhCIvNF WEWw==
X-Gm-Message-State: APjAAAVHqvOuHEc8nNtk2ODnmUSxOHXvMDKz05bkuRCW+abzpLDxqg18 0zmDqn5IH9STLLZrQmbko/Yg3TSreMWRt4in4kazBF97PfA=
X-Google-Smtp-Source: APXvYqysiJw0mRO66kwfx32oY8ZKsFeUg3pHN2+2TWmKNDvjiblTMnyCBjccRCXY3JNoaxreHfGEjOrJ+Vba5RoNMes=
X-Received: by 2002:a24:8d03:: with SMTP id w3mr12238362itd.103.1554060526867; Sun, 31 Mar 2019 12:28:46 -0700 (PDT)
MIME-Version: 1.0
References: <155231848866.23086.9976784460361189399@ietfa.amsl.com> <737ea2b3-74e3-d02e-a44d-c44cca5db036@lepidum.co.jp> <CAEseHRrSiJ72tQepyTiL=pSBcRRLGXhnJyy_QzOubWax+v=Ntw@mail.gmail.com> <CAEseHRqh4d0VaeSaj4CWr_ZxJbbpm33ZaLF-aYGBjVowFNLFeQ@mail.gmail.com> <c57bbf7b-3177-eb64-a3c0-26842fccbb89@lepidum.co.jp> <CAEseHRrVomCo6KD7gidCRBzKJDzFZRQ+q0+PjfBr8tQT4dVpMQ@mail.gmail.com> <b016d1f6-68e4-9728-c738-ab72c593dfd1@lepidum.co.jp> <CAEseHRoLGFbf74HT9n2beryc9Liqf2Hz+_rh-yo6Q8hNqwCvNQ@mail.gmail.com> <17e2c039-3c20-21a6-0201-4278c988c060@lepidum.co.jp>
In-Reply-To: <17e2c039-3c20-21a6-0201-4278c988c060@lepidum.co.jp>
From: Michael Scott <mike.scott@miracl.com>
Date: Sun, 31 Mar 2019 20:28:44 +0100
Message-ID: <CAEseHRp0ALe9Wc9VCNNNwgF=jhgC7TTy=eZx60Mz8fJ-H6wCXA@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000a9f689058568e937"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zqSryImEw7-jzPxJHKSNU_AfIPo>
Subject: Re: [Cfrg] Fwd: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2019 19:28:53 -0000

Hello Shoko,

Thanks for previous clarifications.

I am a bit puzzled by the proposed BN462 curve

You chose the curve E:y^2=x^3+5
On the twisted curve you choose E':y^2=x^3-u+2 (and I am unclear where -u+2
came from)

In the paper that first suggested the curve -
https://eprint.iacr.org/2017/334.pdf

the authors suggest
E: y^2=x^3-4, and
E': y^2=x^3-4(1+u)

which seems simpler, and closer to the BLS381 approach

I am attempting to implement these curves (and already have BLS381 done).
Any help is much appreciated.

Mike

On Fri, Mar 29, 2019 at 10:03 AM Shoko YONEZAWA <yonezawa@lepidum.co.jp>
wrote:

> Hi Mike,
>
> This difference is probably caused by representation of an extension field.
> We encoded the generator G' = (x', y') where x' = a'*u + b' and y' =
> c'*u + d' by
>
> x' : a'*p + b' (in Z) and
> y' : c'*p + d' (in Z),
>
> whereas zkcrypto encoded it like
>
> x' : a' || b' and
> y' : c' || d'.
>
> We followed the convention shown in IEEE 1363a-2004.
>
> As you suggested, it is helpful to describe a',b',c',d' as well as x', y'.
> We add these value in the next version.
>
> Thank you again,
> Shoko
>
> On 2019/03/28 20:11, Michael Scott wrote:
> > OK. However for the BL381 curve for example the G2 generator point does
> not
> > appear to be the same as the one given here...
> >
> > https://github.com/zkcrypto/pairing/tree/master/src/bls12_381
> >
> > Also it would help if the individual components of x' and  y' were
> > highlighted. For example if x'=a'u+b' it would be useful to know were a'
> > ends and b' begins.
> >
> >   Also as in the above link it would I think be good practice to state
> > exactly how the values for G1 and G2 were arrived at.
> >
> > Mike
> >
> > On Thu, Mar 28, 2019 at 7:27 AM Shoko YONEZAWA <yonezawa@lepidum.co.jp>
> > wrote:
> >
> >> Hi Mike,
> >>
> >> Thank you again for the feedback.
> >>
> >>   > It would be helpful for implementors to know if the curves support
> an
> >>   > M-Type or D-Type twist.
> >>   >
> >>   > BLS381 and BN462 are both M-Type. BLS48_581 is D-Type.
> >>
> >> As the information for implementers,
> >> we add the description of M-type or D-type for each curve.
> >>
> >>   > Also I think a standard should also include a generator point for
> G2 for
> >>   > interoperability, as well as for G1. For example an implementation
> of
> >> BLS
> >>   > short signature probably requires a generator in G2.
> >>
> >> The generator point for G2 is described as a base point G' = (x', y')
> >> in our draft.
> >> We revise the description for clarification.
> >>
> >> Best,
> >> Shoko
> >>
> >> On 2019/03/21 0:48, Michael Scott wrote:
> >>> A couple of further observations..
> >>>
> >>> It would be helpful for implementors to know if the curves support an
> >>> M-Type or D-Type twist.
> >>>
> >>> BLS381 and BN462 are both M-Type. BLS48_581 is D-Type.
> >>>
> >>> Also I think a standard should also include a generator point for G2
> for
> >>> interoperability, as well as for G1. For example an implementation of
> BLS
> >>> short signature probably requires a generator in G2.
> >>>
> >>> Mike
> >>>
> >>> On Tue, Mar 19, 2019 at 3:39 AM Shoko YONEZAWA <yonezawa@lepidum.co.jp
> >
> >>> wrote:
> >>>
> >>>> Dear Mike,
> >>>>
> >>>> Thank you very much for your comments.
> >>>>
> >>>>> The suggested curves do not appear to meet the requirement for
> subgroup
> >>>>> security which is indicated as being a desirable property in section
> >>>> 3.1 -
> >>>>> “One has to choose parameters so that the cofactors of G_1, G_2 and
> G_T
> >>>>> contain no prime factors smaller than |G_1|, |G_2| and |G_T|”..
> >>>>>
> >>>>> The case could be made that subgroup security is not so important,
> but
> >> if
> >>>>> so the text in 3.1 should be modified to reflect this point of view.
> >>>>
> >>>> As you pointed out, we found that our suggested curves are not
> >>>> subgroup-secure.
> >>>> For standardization, we focus on the existing implementations as well
> as
> >>>> sufficient security.
> >>>> We think it impractical to choose a completely new parameter and
> >>>> implement it from now.
> >>>> Therefore, we would like to recommend the current parameters we
> >>>> described in the draft with modifying our description of subgroup
> >> security.
> >>>>
> >>>> We are keeping watching the research activity and ready to change
> >>>> parameters if a critical attack for pairing-friendly curves which
> don't
> >>>> meet subgroup security is found.
> >>>>
> >>>>> Another point – the BLS381 curve was chosen for a very particular
> >> (albeit
> >>>>> important) application where it is a requirement that r-1 has a
> factor
> >> of
> >>>>> 2^m for a large value of m. Curves chosen with application-specific
> >>>>> benefits should I suggest be considered carefully if proposed as more
> >>>>> general purpose standards. Note that this particular application
> >>>>> disadvantages BN curves, as due to the form of its formula for r,
> this
> >>>>> particular condition is much harder to achieve.
> >>>>
> >>>> We guess that BLS12-381 is chosen for the efficient computation of
> their
> >>>> zero-knowledge proof. Nonetheless, we think BLS12-381 has sufficient
> >>>> performance for general purpose.
> >>>>
> >>>> Best regards,
> >>>> Shoko
> >>>>
> >>>> On 2019/03/15 3:52, Michael Scott wrote:
> >>>>> Another point..
> >>>>>
> >>>>> For the BLS curves, the cofactor h in G_1 is calculated here as
> >>>>> ((t-1)^2)/3, and this will work fine as a co-factor, where a random
> >> point
> >>>>> on the curve over the base field can be multiplied by this co-factor
> to
> >>>>> create a point of order r in G_1. But this co-factor is unnecessarily
> >>>> large.
> >>>>>
> >>>>> The same can be achieved by using (t-1) as a co-factor, due to the
> >>>>> structure of pairing friendly fields. This will be twice as fast.
> >>>>>
> >>>>>
> >>>>> Mike
> >>>>>
> >>>>>
> >>>>> However to
> >>>>>
> >>>>> On Thu, Mar 14, 2019 at 3:21 PM Michael Scott <mike.scott@miracl.com
> >
> >>>> wrote:
> >>>>>
> >>>>>> Hello,
> >>>>>>
> >>>>>> I greatly welcome this proposal, and would not want to slow its
> >> progress
> >>>>>> in any way. It is long overdue that pairing-friendly curves be
> >>>>>> standardized, before unsuitable de-facto standards emerge, which may
> >>>> not be
> >>>>>> ideal, but which may nevertheless become widely deployed.
> >>>>>>
> >>>>>> However I make the following observations about the particular
> curves
> >>>>>> suggested.
> >>>>>>
> >>>>>> The suggested curves do not appear to meet the requirement for
> >> subgroup
> >>>>>> security which is indicated as being a desirable property in section
> >>>> 3.1 -
> >>>>>> “One has to choose parameters so that the cofactors of G_1, G_2 and
> >> G_T
> >>>>>> contain no prime factors smaller than |G_1|, |G_2| and |G_T|”.
> >>>>>>
> >>>>>> The case could be made that subgroup security is not so important,
> but
> >>>> if
> >>>>>> so the text in 3.1 should be modified to reflect this point of view.
> >>>>>>
> >>>>>> The curve BN462 is not sub-group secure, as in G_T (p^4-p^2+1) /r
> has
> >>>>>> small factors of 2953, 5749 and 151639045476553 (amongst others). I
> >>>> didn’t
> >>>>>> check G_2.
> >>>>>>
> >>>>>> The curve BLS381 has the same problem, as (p^4-p^2+1) /r has small
> >>>> factor
> >>>>>> of 4513, 584529700689659162521 and more. Again I didn’t check G_2
> >>>>>>
> >>>>>> The curve BLS48-581 has the same problem, as (p^4-p^2+1) /r has a
> >> small
> >>>>>> factor of 76369, and probably others. Again I didn’t check for G_2
> >>>>>>
> >>>>>> The draft does point out that for BLS curves, when hashing to a
> point
> >> in
> >>>>>> G_1, multiplication by a small co-factor h>1 will always be
> necessary.
> >>>>>>
> >>>>>> In my opinion sub-group security in G_T is particularly important if
> >> it
> >>>> is
> >>>>>> desirable to offload the pairing calculation to an untrusted server,
> >>>> and so
> >>>>>> it is a feature I would consider useful in a standard curve. In our
> >>>>>> experience finding such curves is relatively easy (although finding
> >>>> curves
> >>>>>> that are sub-group secure in both G_2 and G_T is more
> problematical)..
> >>>>>>
> >>>>>> Another point – the BLS381 curve was chosen for a very particular
> >>>> (albeit
> >>>>>> important) application where it is a requirement that r-1 has a
> factor
> >>>> of
> >>>>>> 2^m for a large value of m. Curves chosen with application-specific
> >>>>>> benefits should I suggest be considered carefully if proposed as
> more
> >>>>>> general purpose standards. Note that this particular application
> >>>>>> disadvantages BN curves, as due to the form of its formula for r,
> this
> >>>>>> particular condition is much harder to achieve.
> >>>>>>
> >>>>>>
> >>>>>> Mike
> >>>>>>
> >>>>>> On Wed, Mar 13, 2019 at 10:33 AM Shoko YONEZAWA <
> >> yonezawa@lepidum.co.jp
> >>>>>
> >>>>>> wrote:
> >>>>>>
> >>>>>>> Hi there,
> >>>>>>>
> >>>>>>> Thank you for your comments to our pairing-friendly curve draft.
> >>>>>>> We submitted a new version.
> >>>>>>>
> >>>>>>> According to Kenny's comments,
> >>>>>>> we added the following description to the new version.
> >>>>>>>
> >>>>>>> - Pseudo-codes for pairing computation
> >>>>>>> - Example parameters and test vectors of each curve
> >>>>>>>
> >>>>>>> We now published our working draft on GitHub,
> >>>>>>> together with the BLS signature group.
> >>>>>>> Please feel free to submit issues. Your comments are really
> >>>> appreciated.
> >>>>>>>
> >>>>>>> https://github.com/pairingwg/pfc_standard/
> >>>>>>>
> >>>>>>> Best,
> >>>>>>> Shoko
> >>>>>>>
> >>>>>>> -------- Forwarded Message --------
> >>>>>>> Subject: I-D Action: draft-yonezawa-pairing-friendly-curves-01.txt
> >>>>>>> Date: Mon, 11 Mar 2019 08:34:48 -0700
> >>>>>>> From: internet-drafts@ietf.org
> >>>>>>> Reply-To: internet-drafts@ietf.org
> >>>>>>> To: i-d-announce@ietf.org
> >>>>>>>
> >>>>>>>
> >>>>>>> A New Internet-Draft is available from the on-line Internet-Drafts
> >>>>>>> directories.
> >>>>>>>
> >>>>>>>
> >>>>>>>             Title           : Pairing-Friendly Curves
> >>>>>>>             Authors         : Shoko Yonezawa
> >>>>>>>                               Sakae Chikara
> >>>>>>>                               Tetsutaro Kobayashi
> >>>>>>>                               Tsunekazu Saito
> >>>>>>>            Filename        :
> >>>> draft-yonezawa-pairing-friendly-curves-01.txt
> >>>>>>>            Pages           : 28
> >>>>>>>            Date            : 2019-03-11
> >>>>>>>
> >>>>>>> Abstract:
> >>>>>>>        This memo introduces pairing-friendly curves used for
> >> constructing
> >>>>>>>        pairing-based cryptography.  It describes recommended
> >> parameters
> >>>> for
> >>>>>>>        each security level and recent implementations of
> >> pairing-friendly
> >>>>>>>        curves.
> >>>>>>>
> >>>>>>>
> >>>>>>> The IETF datatracker status page for this draft is:
> >>>>>>>
> >>>>
> >>
> https://datatracker.ietf.org/doc/draft-yonezawa-pairing-friendly-curves/
> >>>>>>>
> >>>>>>> There are also htmlized versions available at:
> >>>>>>>
> >> https://tools.ietf.org/html/draft-yonezawa-pairing-friendly-curves-01
> >>>>>>>
> >>>>>>>
> >>>>
> >>
> https://datatracker.ietf.org/doc/html/draft-yonezawa-pairing-friendly-curves-01
> >>>>>>>
> >>>>>>> A diff from the previous version is available at:
> >>>>>>>
> >>>>>>>
> >>>>
> >>
> https://www.ietf.org/rfcdiff?url2=draft-yonezawa-pairing-friendly-curves-01
> >>>>>>>
> >>>>>>>
> >>>>>>> Please note that it may take a couple of minutes from the time of
> >>>>>>> submission
> >>>>>>> until the htmlized version and diff are available at
> tools.ietf.org..
> >>>>>>>
> >>>>>>> Internet-Drafts are also available by anonymous FTP at:
> >>>>>>> ftp://ftp.ietf.org/internet-drafts/
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> I-D-Announce mailing list
> >>>>>>> I-D-Announce@ietf.org
> >>>>>>> https://www.ietf.org/mailman/listinfo/i-d-announce
> >>>>>>> Internet-Draft directories: http://www.ietf.org/shadow.html
> >>>>>>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> Cfrg mailing list
> >>>>>>> Cfrg@irtf.org
> >>>>>>> https://www.irtf.org/mailman/listinfo/cfrg
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>> --
> >>>> Shoko YONEZAWA
> >>>> Lepidum Co. Ltd.
> >>>> yonezawa@lepidum.co.jp
> >>>> TEL: +81-3-6276-5103
> >>>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Cfrg mailing list
> >>> Cfrg@irtf.org
> >>> https://www.irtf.org/mailman/listinfo/cfrg
> >>>
> >>
> >> --
> >> Shoko YONEZAWA
> >> Lepidum Co. Ltd.
> >> yonezawa@lepidum.co.jp
> >> TEL: +81-3-6276-5103
> >>
> >> _______________________________________________
> >> Cfrg mailing list
> >> Cfrg@irtf.org
> >> https://www.irtf.org/mailman/listinfo/cfrg
> >>
> >
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
> >
>
> --
> Shoko YONEZAWA
> Lepidum Co. Ltd.
> yonezawa@lepidum.co.jp
> TEL: +81-3-6276-5103
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email