Pairing-Friendly Curves
draft-irtf-cfrg-pairing-friendly-curves-07
CFRG Y. Sakemi, Ed.
Internet-Draft Lepidum
Intended status: Experimental T. Kobayashi
Expires: 20 December 2020 T. Saito
NTT
R. Wahby
Stanford University
18 June 2020
Pairing-Friendly Curves
draft-irtf-cfrg-pairing-friendly-curves-07
Abstract
Pairing-based cryptography, a subfield of elliptic curve
cryptography, has received attention due to its flexible and
practical functionality. Pairings are special maps defined using
elliptic curves and it can be applied to construct several
cryptographic protocols such as identity-based encryption, attribute-
based encryption, and so on. At CRYPTO 2016, Kim and Barbulescu
proposed an efficient number field sieve algorithm named exTNFS for
the discrete logarithm problem in a finite field. Several types of
pairing-friendly curves such as Barreto-Naehrig curves are affected
by the attack. In particular, a Barreto-Naehrig curve with a 254-bit
characteristic was adopted by a lot of cryptographic libraries as a
parameter of 128-bit security, however, it ensures no more than the
100-bit security level due to the effect of the attack. In this
memo, we list the security levels of certain pairing-friendly curves,
and motivate our choices of curves. First, we summarize the adoption
status of pairing-friendly curves in standards, libraries and
applications, and classify them in the 128-bit, 192-bit, and 256-bit
security levels. Then, from the viewpoints of "security" and "widely
used", we select the recommended pairing-friendly curves considering
exTNFS.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Sakemi, et al. Expires 20 December 2020 [Page 1]
Internet-Draft Pairing-Friendly Curves June 2020
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 20 December 2020.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Pairing-based Cryptography . . . . . . . . . . . . . . . 3
1.2. Applications of Pairing-based Cryptography . . . . . . . 3
1.3. Motivation and Contribution . . . . . . . . . . . . . . . 5
1.4. Requirements Terminology . . . . . . . . . . . . . . . . 5
2. Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1. Elliptic Curves . . . . . . . . . . . . . . . . . . . . . 6
2.2. Pairings . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3. Barreto-Naehrig Curves . . . . . . . . . . . . . . . . . 7
2.4. Barreto-Lynn-Scott Curves . . . . . . . . . . . . . . . . 8
2.5. Representation Convention for an Extension Field . . . . 9
3. Security of Pairing-Friendly Curves . . . . . . . . . . . . . 9
3.1. Evaluating the Security of Pairing-Friendly Curves . . . 10
3.2. Impact of Recent Attacks . . . . . . . . . . . . . . . . 10
4. Selection of Pairing-Friendly Curves . . . . . . . . . . . . 11
4.1. Adoption Status of Pairing-friendly Curves . . . . . . . 11
4.1.1. International Standards . . . . . . . . . . . . . . . 15
4.1.2. Cryptographic Libraries . . . . . . . . . . . . . . . 16
4.1.3. Applications . . . . . . . . . . . . . . . . . . . . 17
Show full document text