Pairing-Friendly Curves
draft-irtf-cfrg-pairing-friendly-curves-04

The information below is for an old version of the document
Document Type Active Internet-Draft (cfrg RG)
Last updated 2020-05-26 (latest revision 2020-04-28)
Replaces draft-yonezawa-pairing-friendly-curves
Stream IRTF
Intended RFC status (None)
Formats pdf htmlized (tools) htmlized bibtex
Stream IRTF state (None)
Consensus Boilerplate Unknown
Document shepherd Stanislav Smyshlyaev
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to Stanislav Smyshlyaev <smyshsv@gmail.com>
CFRG                                                      Y. Sakemi, Ed.
Internet-Draft                                                   Lepidum
Intended status: Experimental                               T. Kobayashi
Expires: 30 October 2020                                        T. Saito
                                                                     NTT
                                                           28 April 2020

                        Pairing-Friendly Curves
               draft-irtf-cfrg-pairing-friendly-curves-04

Abstract

   Pairing-based cryptography, a variant of elliptic curve cryptography,
   has received attention for its flexible and applicable functionality.
   Pairing is a special map defined over elliptic curves and it can be
   applied to construct several cryptographic protocols such as
   identity-based encryption, attribute-based encryption, and so on.  At
   CRYPTO 2016, Kim and Barbulescu proposed an efficient number field
   sieve algorithm named exTNFS for the discrete logarithm problem in a
   finite field.  Several types of pairing-friendly curves such as
   Barreto-Naehrig curves are affected by the attack.  In particular, a
   Barreto-Naehrig curve with a 254-bit characteristic was adopted by a
   lot of cryptographic libraries as a parameter of 128-bit security,
   however, it ensures no more than a 100-bit security level due to the
   effect of the attack.  In this memo, we summarize the adoption status
   of pairing-friendly curves in standards, libraries and applications,
   and classify them in 128-bit, 192-bit, and 256-bit security levels.
   Then, from the viewpoints of "security" and "widely use", we select
   the recommended pairing-friendly curves considering exTNFS.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 30 October 2020.

Sakemi, et al.           Expires 30 October 2020                [Page 1]
Internet-Draft           Pairing-Friendly Curves              April 2020

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Pairing-based Cryptography  . . . . . . . . . . . . . . .   3
     1.2.  Applications of Pairing-based Cryptography  . . . . . . .   3
     1.3.  Motivation and Contribution . . . . . . . . . . . . . . .   5
     1.4.  Requirements Terminology  . . . . . . . . . . . . . . . .   5
   2.  Preliminaries . . . . . . . . . . . . . . . . . . . . . . . .   5
     2.1.  Elliptic Curve  . . . . . . . . . . . . . . . . . . . . .   5
     2.2.  Pairing . . . . . . . . . . . . . . . . . . . . . . . . .   6
     2.3.  Barreto-Naehrig Curve . . . . . . . . . . . . . . . . . .   7
     2.4.  Barreto-Lynn-Scott Curve  . . . . . . . . . . . . . . . .   7
     2.5.  Representation Convention for an Extension Field  . . . .   8
   3.  Security of Pairing-Friendly Curves . . . . . . . . . . . . .   9
     3.1.  Evaluating the Security of Pairing-Friendly Curves  . . .   9
     3.2.  Impact of the Recent Attack . . . . . . . . . . . . . . .  10
   4.  Selection of Pairing-Friendly Curves  . . . . . . . . . . . .  10
     4.1.  Adoption Status of Pairing-friendly Curves  . . . . . . .  10
       4.1.1.  International Standards . . . . . . . . . . . . . . .  14
       4.1.2.  Cryptographic Libraries . . . . . . . . . . . . . . .  15
       4.1.3.  Applications  . . . . . . . . . . . . . . . . . . . .  16
     4.2.  For 128-bit Security  . . . . . . . . . . . . . . . . . .  16
       4.2.1.  BN Curves . . . . . . . . . . . . . . . . . . . . . .  16
     4.3.  For 192-bit Security  . . . . . . . . . . . . . . . . . .  19
     4.4.  For 256-bits Security . . . . . . . . . . . . . . . . . .  19
Show full document text