Re: [Crypto-panel] Request for review: draft-irtf-cfrg-pairing-friendly-curves-03
Chloe Martindale <chloemartindale@gmail.com> Mon, 01 June 2020 09:53 UTC
From: Chloe Martindale <chloemartindale@gmail.com>
Date: Mon, 01 Jun 2020 10:53:31 +0100
To: Yumi Sakemi <yumi.sakemi@lepidum.co.jp>
Cc: crypto-panel@irtf.org, "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, cfrg-chairs@ietf.org, Tetsutaro Kobayashi <tetsutaro.kobayashi.dr@hco.ntt.co.jp>, SAITO Tsunekazu <tsunekazu.saito.hg@hco.ntt.co.jp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/bEUXrbmmWhIeF0voo3njiC35vIc>

Dear Yumi, dear all,

thank you for the update and for involving me in your thought process regarding the curve choices.

I understand and agree with your reasoning (and approach) regarding including both BLS12-381 and BN462, however I think I would make a different 'safer choice'. My reason is this: if the attack is improved further (which you are completely right, it may), it is very likely to have a bigger impact on curves constructed via polynomial methods with embedding degree 8 (such as BN462) than on any other curves for this security level, so it's not unlikely that the security of BN462 would be pushed below 128 bits.

A safer choice in my view would be to take the Cocks-Pinch curve (not constructed using polynomial methods) defined using a 544-bit prime implemented in RELIC, from [GMT19]*. The TNFS attacks cannot be applied to Cocks-Pinch curves (at least not without a fundamental new attack idea, since they rely on the polynomial construction), so small improvements will not decrease the security level at all, and this curve is actually still more efficient than BN462 so there's nothing to lose there.

I appreciate that such a choice would mean also including some background on Cocks-Pinch and a reference/short explanation of the fact that TNFS attacks don't apply to these, which would be a major change to the original document, so I appreciate it if you'd rather not do this, but just thought I'd suggest it as I think it would increase the lifetime of your document.

*In your draft this is [GME19], but it should be [GMT19], and can now be updated to the peer-reviewed version of course (this is the paper I pointed out in my review).

All the best,
Chloe

On Fri, 29 May 2020 at 16:21, Yumi Sakemi <yumi.sakemi@lepidum.co.jp> wrote:

> Dear Chloe
>
> We appreciate a lot of constructive comments received at Expert Review.
>
> We are currently working on updating our draft.
> Last week, Nick created a repository for pairing-friendly curves on
> CFRG's official GitHub, so we plan to update our draft using the issue
> tracker.
> The updating for your comments will be made available to you on the
> following issue page.
>
> https://github.com/cfrg/draft-irtf-cfrg-pairing-friendly-curves/issues
>
> We will contact you again when all the comments have been updated.
> In that case, we would be glad if you could check them.
>
> In addition, before updating, there is a comment that we would like to
> inform you about the policy of update.
> The comment is about the recommended curve for 128-bit security level.
>
> First of all, thank you for teaching us a peer-reviewed paper for
> BLS12-381.
> The comment is about the recommended curve for 128-bit security level.
> Due to our lack of investigation, we made the wrong decision that
> BLS12-381 was not matched in our selection policy.
>
> Your comment pointed out that BLS12-381 is moved to the recommended
> curve and BN462 is moved to the Appendix.
> We understood the disadvantages of BN462 that you were concerned
> about, but we would like to recommend both BLS12-381 and BN462.
> The reason is as follows.
>
> CFRG aims to standardize cryptographic technology for future Internet use.
> We agree that BLS12-381 with a 126-bit security level is the best
> match as a curve of 128-bit security level "at this time" from the
> viewpoint of security and efficiency.
> On the other hand, the security of BLS12-381 is already less than
> 128bit, so from the viewpoint of future use, if the attack is improved
> even a little, it will not be suitable for a curve of 128-bit security
> level.
> Considering that the curve of 128-bit security level is often used at
> current.
> So, we would like to recommend both BLS12-381 and BN462 considering
> the future use and the safety side.
>
> However, as you pointed out, BN462 has the disadvantage of being too
> slow compared to BLS12-381.
> Then, the reader will be confused if there are two parameters of
> 128-bit security level, so we will add the basis for selection by
> adding the explanation of merits and demerits for each parameter.
> And, we will also add a description about the disadvantages of BN462
> regarding efficiency.
>
> If you have any problems with the updating policy, we would like you to
> comment.
>
> Best regards,
> Yumi
>
> On Mon, 27 Apr 2020 at 21:58, Yumi Sakemi <yumi.sakemi@lepidum.co.jp> wrote:
> >
> > Dear Chloe
> >
> > I appreciate your review.
> > I'm very glad to receive many constructive comments!
> > I will discuss about your comments with co-authors and revise our
> > draft to reflect your comments in our draft.
> > I think it will be a better draft by reflecting your comments.
> >
> > As co-author Tsunekazu e-mailed, we're planning to submit version 04,
> > because we were independently working on updating of abstract,
> > introduction (sec. 1.3) and proofreading of English in parallel with
> > the expert review.
> > (Version 04 will not be reflected your comments.)
> >
> > Comments from Chloe will be reflected in the version 05.
> > We will submit version 05 in mid-May and we will report you when we
> > submit version 05.
> >
> > Dear Stanislav
> >
> > Thank you very much for proceeding to the Expert review.
> > We received a lot of constructive comments from Chloe, so I think it
> > is difficult to manage comments by email.
> > (Because there are over 100 comments from Chloe.)
> >
> > Therefore, I would like to use the issue management function of GitHub
> > so that it is easy to check the reflecting status of Chloe's comments.
> > So, I'd like to use the repository of pairing-friendly curves draft on
> > CFRG's GitHub
> > because BLS signature which is similar in terms of IRTF stream is also
> > registered on the GitHub.
> > Could you register the repository for the draft of pairing-friendly
> > curves on the following CFRG's GitHub?
> >
> > https://github.com/cfrg
> >
> > Best regards,
> > Yumi
> >
> > On Mon, 27 Apr 2020 at 10:09, SAITO Tsunekazu <tsunekazu.saito.hg@hco.ntt.co.jp> wrote:
> > >
> > > Dear Chloe, Stanislav,
> > >
> > > This is Tsunekazu.
> > >
> > > We plan to update the draft to version 04 soon.
> > >
> > > As the contents of the update, we changed the wording of Section 1.3 and security consideration.
> > >
> > > Yumi will submit the 4th edition, so please wait a moment.
> > >
> > > Best regards,
> > >
> > > Tsunekazu
> > >
> > > From: Stanislav V. Smyshlyaev <smyshsv@gmail.com>
> > > Sent: Sunday, April 26, 2020 2:30 PM
> > > To: Chloe Martindale <chloemartindale@gmail.com>; SAITO Tsunekazu <tsunekazu.saito.hg@hco.ntt.co.jp>; Tetsutaro Kobayashi <tetsutaro.kobayashi.dr@hco.ntt.co.jp>; Yumi Sakemi <yumi.sakemi@lepidum.co.jp>
> > > Cc: cfrg-chairs@ietf.org; crypto-panel@irtf.org
> > > Subject: Re: [Crypto-panel] Request for review: draft-irtf-cfrg-pairing-friendly-curves-03
> > >
> > > Dear Chloe,
> > >
> > > Many thanks for your review (such a great and a prompt one!).
> > >
> > > Dear Yumi, Saito, Tetsutaro, do you plan to update your draft taking into account Chloe’s review?
> > >
> > > Best regards,
> > >
> > > Stanislav
> > >
> > > On Fri, 24 Apr 2020 at 19:49, Chloe Martindale <chloemartindale@gmail.com> wrote:
> > >
> > > Hi all,
> > >
> > > review is attached.
> > >
> > > All the best,
> > >
> > > Chloe
> > >
> > > On Tue, 21 Apr 2020 at 18:05, Stanislav V. Smyshlyaev <smyshsv@gmail.com> wrote:
> > >
> > > Sure - it is
> > >
> > > https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-03
> > >
> > > Thank you again!
> > >
> > > Regards,
> > >
> > > Stanislav
> > >
> > > On Tue, 21 Apr 2020 at 19:10, Chloe Martindale <chloemartindale@gmail.com> wrote:
> > >
> > > Just to be sure, can you point me towards the most recent version of the draft please?
> > >
> > > Thanks,
> > >
> > > Chloe
> > >
> > > On Tue, 21 Apr 2020 at 13:17, Stanislav V. Smyshlyaev <smyshsv@gmail.com> wrote:
> > >
> > > Great, many thanks, Chloe!
> > >
> > > Kind regards,
> > >
> > > Nick, Alexey, Stanislav
> > >
> > > On Tue, 21 Apr 2020 at 15:16, Chloe Martindale <chloemartindale@gmail.com> wrote:
> > >
> > > I'll take a look this week.
> > >
> > > All the best,
> > >
> > > Chloe
> > >
> > > On Tue, 21 Apr 2020, 13:10 Stanislav V. Smyshlyaev, <smyshsv@gmail.com> wrote:
> > >
> > > Dear Crypto Panel members,
> > >
> > > The authors of the Pairing-Friendly Curves draft have addressed the concerns raised during the discussion and are ready to move to the next stage with the draft.
> > >
> > > Alexey, Nick and I would like to ask Crypto Review Panel members about the review(s) of draft-irtf-cfrg-pairing-friendly-curves-03.
> > >
> > > This memo introduces pairing-friendly curves used for constructing pairing-based cryptography. It describes recommended parameters for each security level and recent implementations of pairing-friendly curves.
> > >
> > > Can we have any volunteers, please?..
> > >
> > > Best regards,
> > >
> > > Stanislav (on behalf of chairs)
> > >
> > > _______________________________________________
> > > Crypto-panel mailing list
> > > Crypto-panel@irtf.org
> > > https://www.irtf.org/mailman/listinfo/crypto-panel
> >
> > --
> > Yumi Sakemi, Ph. D.
> > Lepidum Co. Ltd.
> > E-Mail: yumi.sakemi@lepidum.co.jp
>
> --
> Yumi Sakemi, Ph. D.
> Lepidum Co. Ltd.
>
> Tel: +81-3 6276 5103
> E-Mail: yumi.sakemi@lepidum.co.jp
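
Added example, not part of the original message or of the draft: "constructed via polynomial methods" in the message above means the field prime p is the value of a fixed family polynomial at a small seed, which is the structure the message says TNFS relies on. The Python sketch below recovers that seed from p for the standard BN and BLS12 family polynomials, using the published BN462 seed and BLS12-381 prime; the helper names `seed_for` and `classify` are assumptions made here.

```python
# Added illustration: the polynomials are the standard BN / BLS12 family ones;
# helper names (seed_for, classify) are assumptions made for this example.

def bn_p(t):
    """BN family: field prime p as a polynomial in the seed t."""
    return 36*t**4 + 36*t**3 + 24*t**2 + 6*t + 1

def bls12_3p(u):
    """BLS12 family: 3*p(u), kept as an integer polynomial."""
    return (u - 1)**2 * (u**4 - u**2 + 1) + 3*u

def seed_for(poly, target):
    """Return the integer s with poly(s) == target, or None.
    Relies on poly(s) growing with |s| on each sign for |s| >= 1."""
    for sign in (1, -1):
        lo, hi = 1, 2
        while poly(sign * hi) < target:      # bracket the root by doubling
            lo, hi = hi, 2 * hi
        while lo <= hi:                      # then bisect on |s|
            mid = (lo + hi) // 2
            value = poly(sign * mid)
            if value == target:
                return sign * mid
            if value < target:
                lo = mid + 1
            else:
                hi = mid - 1
    return None

def classify(p):
    """Name the polynomial family p belongs to, together with its seed."""
    t = seed_for(bn_p, p)
    if t is not None:
        return ("BN", t)
    u = seed_for(bls12_3p, 3 * p)
    if u is not None:
        return ("BLS12", u)
    return None

BN462_SEED = 2**114 + 2**101 - 2**14 - 1     # published BN462 seed
BN462_P = bn_p(BN462_SEED)
BLS12_381_P = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
OTHER_P = 2**255 - 19    # a prime outside both families, for contrast

if __name__ == "__main__":
    for name, p in [("BN462", BN462_P), ("BLS12-381", BLS12_381_P), ("other", OTHER_P)]:
        print(name, p.bit_length(), classify(p))
```

A prime that is not the value of either family polynomial, such as the contrast prime here, yields no seed.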