Network Working Group                                       S. Yonezawa
Internet-Draft                                                  Lepidum
Intended status: Experimental                                S. Chikara
Expires: August 1, 2019                                 NTT TechnoCross
                                                            T. Kobayashi
                                                                T. Saito
                                                                     NTT
                                                        January 28, 2019

Pairing-Friendly Curves
draft-yonezawa-pairing-friendly-curves-00

Abstract

This memo introduces pairing-friendly curves used for constructing pairing-based cryptography. It describes recommended parameters for each security level and recent implementations of pairing-friendly curves.
Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on August 1, 2019.

Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
1.1. Pairing-Based Cryptography
1.2. Applications of Pairing-Based Cryptography
1.3. Goal
1.4. Requirements Terminology
2. Preliminaries
2.1. Elliptic Curve
2.2. Pairing
2.3.
Barreto-Naehrig Curve
2.4. Barreto-Lynn-Scott Curve
3. Security of Pairing-Friendly Curves
3.1. Evaluating the Security of Pairing-Friendly Curves
3.2. Impact of the Recent Attack
4. Security Evaluation of Pairing-Friendly Curves
4.1. For 100 Bits of Security
4.2. For 128 Bits of Security
4.3. For 256 Bits of Security
5. Implementations of Pairing-Friendly Curves
6. Security Considerations
7. IANA Considerations
8. Acknowledgements
9. Change log
10. References
10.1. Normative References
10.2. Informative References
Appendix A. Test Vectors of Optimal Ate Pairing
Authors' Addresses

1. Introduction

1.1. Pairing-Based Cryptography

Elliptic curve cryptography is one of the important areas of modern cryptography. Cryptographic algorithms based on elliptic curves, such as ECDSA, are widely used in many applications.

Pairing-based cryptography, a variant of elliptic curve cryptography, has attracted attention for its flexible and widely applicable functionality. A pairing is a special bilinear map defined over elliptic curves. Ordinarily, elliptic curves used for cryptography are chosen so that no pairing is efficiently computable: an efficiently computable pairing maps the discrete logarithm problem on the curve into a finite field, where it may be easier to solve, so such a curve is weakened if a pairing is efficiently computable.
As the importance of pairings has grown, elliptic curves on which a pairing is efficiently computable have been studied, and the special curves called pairing-friendly curves have been proposed.

Thanks to the bilinearity of the pairing, it can be used to construct cryptographic algorithms and protocols such as identity-based encryption (IBE), attribute-based encryption (ABE), authenticated key exchange (AKE), short signatures and so on. Several applications of pairing-based cryptography are now in practical use.

1.2. Applications of Pairing-Based Cryptography

Several applications using pairing-based cryptography have been standardized and implemented. We show example applications available in the real world.

The IETF has published RFCs on pairing-based cryptography such as identity-based cryptography [9], certificateless signatures [10], Sakai-Kasahara Key Encryption (SAKKE) [11], and Identity-Based Authenticated Key Exchange (IBAKE) [12]. SAKKE is applied to Multimedia Internet KEYing (MIKEY) [13] and used in 3GPP [14].

Pairing-based key agreement protocols are standardized in ISO/IEC [15]. In [15], a key agreement scheme by Joux [16] and identity-based key agreement schemes by Smart-Chen-Cheng [17] and by Fujioka-Suzuki-Ustaoglu [18] are specified.

MIRACL implements M-Pin, a multi-factor authentication protocol [19]. The M-Pin protocol includes a kind of zero-knowledge proof whose construction uses a pairing.

The Trusted Computing Group (TCG) specifies ECDAA (Elliptic Curve Direct Anonymous Attestation) in the Trusted Platform Module (TPM) specification [20]. ECDAA is a protocol by which a TPM proves to a verifier that it holds a valid attestation credential without revealing the identity of that TPM. Pairings are used to construct ECDAA. The FIDO Alliance [21] and W3C [22] have also published ECDAA algorithms similar to TCG's.
Zcash implements zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) [23]. zk-SNARKs are used to protect the privacy of Zcash transactions, and pairings are used in their construction.

Cloudflare introduced Geo Key Manager [24] to restrict distribution of customers' private keys to a subset of their data centers. To achieve this functionality, attribute-based encryption is used, with a pairing as its building block.

DFINITY uses a threshold signature scheme to generate decentralized random beacons [25]. They constructed a BLS signature-based scheme, which relies on pairings.

In Ethereum 2.0, project Prysm applies signature aggregation for scalability benefits by leveraging DFINITY's random-beacon chain playground [26]. Their code is published on GitHub.

1.3. Goal

The goal of this memo is to consider the security of pairing-friendly curves used in pairing-based cryptography and to introduce secure parameters for pairing-friendly curves. Specifically, we explain the recent attack against pairing-friendly curves and by how much it reduces the security of the curves. We show how to evaluate the security of pairing-friendly curves and give parameters for 100 bits of security (which is no longer considered secure), 128 bits of security and 256 bits of security.

1.4. Requirements Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [1].

2. Preliminaries

2.1. Elliptic Curve

Let p > 3 be a prime and F_p be the finite field with p elements. The curve E defined by the following equation is called an elliptic curve:

E : y^2 = x^3 + A * x + B,

where A, B are in F_p and satisfy 4 * A^3 + 27 * B^2 != 0 mod p.
Solutions (x, y) of the equation of E, together with the point at infinity O_E, are called F_p-rational points. If P and Q are two points on the curve E, we define R = P + Q as the reflection (in the x-axis) of the third intersection point of E with the line through P and Q. We define P + O_E = P = O_E + P as well. With this well-defined operation, the set of F_p-rational points forms an additive group. Similarly, scalar multiplication S = [a]P for a positive integer a is defined as the a-fold addition of P.

Typically, a cyclic additive subgroup of prime order r and a base point G in that subgroup are used for elliptic curve cryptography. Furthermore, we define the terminology used in this memo as follows.

O_E: the point at infinity on an elliptic curve E.

#E(F_p): the number of points on an elliptic curve E over F_p.

h: the cofactor, h = #E(F_p)/r.

k: the embedding degree, the smallest positive integer such that r divides p^k - 1.

2.2. Pairing

A pairing is a bilinear map defined over an elliptic curve. Examples include the Weil pairing, the Tate pairing, the optimal Ate pairing [2] and so on. In particular, the optimal Ate pairing is efficient to compute and is the one mainly used in practical implementations.

Let E be an elliptic curve defined over the prime field F_p. Let G_1 be a cyclic subgroup of order r generated by a rational point on E, and let G_2 be a cyclic subgroup of order r generated by a rational point on a twisted curve E' of E. Let G_T be the subgroup of order r of the multiplicative group of the extension field F_p^k, where k is the embedding degree. A pairing is a bilinear map e: G_1 x G_2 -> G_T satisfying the following properties:

(1) Bilinearity: for any S in G_1, T in G_2, and a, b in Z_r, we have e([a]S, [b]T) = e(S, T)^{a * b}.

(2) Non-degeneracy: for any S in G_1, e(S, T) = 1 for all T in G_2 if and only if S = O_E.
Similarly, for any T in G_2, e(S, T) = 1 for all S in G_1 if and only if T = O_E'.

(3) Computability: for any S in G_1 and T in G_2, e(S, T) is efficiently computable.

2.3. Barreto-Naehrig Curve

A BN curve [3] is one of the instantiations of pairing-friendly curves, proposed in 2005. Pairings over BN curves can be instantiated as optimal Ate pairings.

A BN curve is an elliptic curve E defined over a finite field F_p, where p >= 5, such that p and the order r of E(F_p) are both primes, parameterized by

p = 36u^4 + 36u^3 + 24u^2 + 6u + 1
r = 36u^4 + 36u^3 + 18u^2 + 6u + 1

for some well-chosen integer u. The elliptic curve has an equation of the form E: y^2 = x^3 + b, where b is a nonzero element of F_p.

BN curves always have twists of order 6. If w is an element of F_p^2 which is neither a square nor a cube, the twisted curve E' of E is defined over F_p^2 by the equation E': y^2 = x^3 + b' with b' = b/w or b' = bw.

A pairing e is defined by taking G_1 as the cyclic group of order r of rational points on E, G_2 as a cyclic group of order r of rational points on E', and G_T as the subgroup of order r of the multiplicative group of F_p^12.

2.4. Barreto-Lynn-Scott Curve

A BLS curve [4] is another family of pairing-friendly curves, proposed in 2002. As with BN curves, pairings over BLS curves can be instantiated as optimal Ate pairings.

A BLS curve is an elliptic curve E defined over a finite field F_p by an equation of the form E: y^2 = x^3 + b, and has a twist of order 6 defined in the same way as for BN curves. In contrast to BN curves, a BLS curve does not have prime order; its order is divisible by a large parameterized prime r, and the pairing is defined on the r-torsion points.

BLS curves vary according to their embedding degree.
In this memo, we deal with the BLS12 and BLS48 families, with embedding degrees 12 and 48 with respect to r, respectively.

For BLS curves, the parameterized p and r are given by the following equations:

BLS12:

p = (u - 1)^2 (u^4 - u^2 + 1)/3 + u
r = u^4 - u^2 + 1

BLS48:

p = (u - 1)^2 (u^16 - u^8 + 1)/3 + u
r = u^16 - u^8 + 1

for some well-chosen integer u (necessarily u = 1 mod 3, otherwise the division by 3 does not yield an integer).

3. Security of Pairing-Friendly Curves

3.1. Evaluating the Security of Pairing-Friendly Curves

The security of pairing-friendly curves is evaluated by the hardness of the following discrete logarithm problems:

o The elliptic curve discrete logarithm problem (ECDLP) in G_1 and G_2

o The finite field discrete logarithm problem (FFDLP) in G_T

The security level of a curve is determined by the easier of the two.

There are other hard problems over pairing-friendly curves which are used for proving the security of pairing-based cryptography. Such problems include the bilinear computational Diffie-Hellman (BCDH) problem, the bilinear decisional Diffie-Hellman (BDDH) problem, the gap BDDH problem, etc. [27]. Almost all of these variants reduce to the hardness of the discrete logarithm problems described above and are believed to be no harder than those problems.

It is conceivable that an attacker solves one of these derived problems directly to break a pairing-based scheme. Since no such attack has been discovered so far, we discuss the hardness of the discrete logarithm problems in this memo.

The security level of pairing-friendly curves is estimated by the computational cost of the most efficient algorithm for solving the above discrete logarithm problems. The well-known algorithms for solving discrete logarithm problems include Pollard's rho algorithm [28], index calculus [29] and so on. For the finite field case, number field sieve (NFS) algorithms are the most efficient form of index calculus.
In addition, the special case where the cofactors of G_1, G_2 and G_T have small prime factors must be taken care of [30]. In such a case, points of small order exist outside the intended subgroups, and an implementation that omits subgroup membership checks on received points is exposed to small-subgroup attacks. One has to choose parameters so that the cofactors of G_1, G_2 and G_T contain no prime factors smaller than |G_1|, |G_2| and |G_T| (subgroup security), or else the implementation has to check membership of received points in G_1, G_2 and G_T.

3.2. Impact of the Recent Attack

In 2016, Kim and Barbulescu proposed a new variant of the NFS algorithms, the extended tower number field sieve (exTNFS), which drastically reduces the complexity of solving the FFDLP [5]. Due to exTNFS, the security levels of existing pairing-friendly curves dropped. For instance, Barbulescu and Duquesne estimate that the security of BN curves which were believed to provide 128 bits of security (BN256, for example) dropped to approximately 100 bits [6].

Some papers show the minimum bit length of the parameters of pairing-friendly curves for each security level when exTNFS is applied as the attack on the FFDLP. For 128 bits of security, Menezes, Sarkar and Singh estimated the minimum bit length of p for BN curves after exTNFS as 383 bits, and that for BLS12 curves as 384 bits [7]. For 256 bits of security, Kiyomura et al. estimated the minimum bit length of p^k for BLS48 curves as 27,410 bits, which implies 572 bits of p [8].

4. Security Evaluation of Pairing-Friendly Curves

We give a security evaluation of pairing-friendly curves based on the evaluation method presented in Section 3. We also introduce secure parameters of pairing-friendly curves for each security level. The parameters introduced here are chosen with consideration of security, efficiency and global acceptance.

For security, we consider 100 bits, 128 bits and 256 bits of security. We note that 100 bits of security is no longer adequate, and recommend 128 bits or 256 bits of security for secure applications.
For the choice of security levels we follow TLS 1.3, which specifies cipher suites with 128 bits and 256 bits of security as mandatory-to-implement.

Implementors have to choose parameters of the appropriate security level according to the security requirements of their applications. For efficiency, we refer to the benchmarks by mcl [31] for 128 bits of security and by Kiyomura et al. [8] for 256 bits of security, and choose sufficiently efficient parameters. For global acceptance, we list the implementations of pairing-friendly curves in Section 5.

4.1. For 100 Bits of Security

Before exTNFS, BN curves with a 256-bit underlying finite field (so-called BN256) were considered to have 128 bits of security. After exTNFS, however, the security level of BN curves with a 256-bit underlying finite field fell to approximately 100 bits.

Implementors who newly develop applications of pairing-based cryptography SHOULD NOT use BN256 as a pairing-friendly curve when their applications require 128 bits of security. In case an application does not require a higher security level and 100 bits of security is sufficient (e.g., some constrained IoT devices), implementors MAY use BN256.

4.2. For 128 Bits of Security

A BN curve with 128 bits of security is shown in [6], which we call BN462. BN462 is defined by the parameter u = 2^114 + 2^101 - 2^14 - 1 in the parameterization of Section 2.3. For this u, the elliptic curve E and its twist E' are E: y^2 = x^3 - 4 and E': y^2 = x^3 - 4 * (1 + i), where i is an element of the extension field F_p^2. The size of p is 462 bits.

A BLS12 curve with 128 bits of security shown in [6] is parameterized by u = -2^77 - 2^71 - 2^64 + 2^37 + 2^35 + 2^22 - 2^5, which we call BLS12-461.
For this u, the elliptic curve E and its twist E' are E: y^2 = x^3 - 2 and E': y^2 = x^3 - 2 / (1 + i), respectively. The size of p is 461 bits. The curve BLS12-461 is subgroup-secure in the sense of [30].

There is another BLS12 curve claiming 128 bits of security, BLS12-381 [32]. It is defined by the parameter u = -0xd201000000010000. For this u, the elliptic curve E and its twist E' are E: y^2 = x^3 + 4 and E': y^2 = x^3 + 4(i + 1), respectively.

We have to note that, according to [7], p for a BLS12 curve must be at least 384 bits to achieve 128 bits of security, which BLS12-381 does not satisfy. Although [7] conservatively estimates the cost of the exTNFS-based index calculus attack on the FFDLP in G_T at about 2^110, no published algorithm actually attains that cost. BLS12-381 is stated to achieve a 127-bit security level when evaluated by the cost of Pollard's rho in G_1 and G_2 (r is a 255-bit prime).

4.3. For 256 Bits of Security

As shown in Section 3.2, it is unrealistic to achieve 256 bits of security with BN curves since the minimum size of p becomes too large to implement. Hence, we consider BLS48 curves for 256 bits of security.

A BLS48 curve with 256 bits of security is shown in [8], which we call BLS48-581. It is defined by the parameter u = -1 + 2^7 - 2^10 - 2^30 - 2^32, and the elliptic curve E and its twist E' are E: y^2 = x^3 + 1 and E': y^2 = x^3 - 1/w, where w is an element of the extension field F_p^8. The size of p is 581 bits.

5. Implementations of Pairing-Friendly Curves

We show the pairing-friendly curves selected by existing standards, applications and cryptographic libraries.

ISO/IEC 15946-5 [33] shows examples of BN curves with p of 160, 192, 224, 256, 384 and 512 bits. No revision has been made so far in response to exTNFS.
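The parameterizations of Sections 2.3 and 2.4, the generic-attack bound of Section 3.1 and the concrete u values of Sections 4.2 and 4.3 can be checked mechanically. The following Python script is an added example, not part of this memo or of any of the libraries listed in Section 5. It takes the u values quoted above, derives p and r, checks their primality with Miller-Rabin, finds the embedding degree from the definition in Section 2.1, computes the G_1 cofactor h = #E(F_p)/r and lists its small prime factors (the subgroup-security concern of [30]), and reports the generic Pollard-rho bound of about log2(sqrt(r)) bits. The trace-of-Frobenius formulas used to obtain #E(F_p) (t = 6u^2 + 1 for BN curves, t = u + 1 for BLS12 and BLS48 curves) come from [3] and [4] and are not stated in the memo itself.

```python
# Added example, not part of the memo: derive and sanity-check the
# pairing-friendly curve parameters quoted in Sections 2.3, 2.4 and 4.
# Pure Python 3, no third-party packages.
import random

# (family, u, embedding degree k) exactly as quoted in Sections 4.2 and 4.3
CURVES = {
    "BN462":     ("BN",  2**114 + 2**101 - 2**14 - 1, 12),
    "BLS12-381": ("BLS", -0xd201000000010000, 12),
    "BLS12-461": ("BLS", -2**77 - 2**71 - 2**64 + 2**37 + 2**35 + 2**22 - 2**5, 12),
    "BLS48-581": ("BLS", -1 + 2**7 - 2**10 - 2**30 - 2**32, 48),
}


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with fixed-seed witnesses: a prime is never rejected,
    a composite slips through with probability at most 4^-rounds."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def bn_params(u):
    """BN family (Section 2.3).  Trace t = 6u^2 + 1 (from [3]), so
    #E(F_p) = p + 1 - t = r and the G_1 cofactor h is 1."""
    p = 36*u**4 + 36*u**3 + 24*u**2 + 6*u + 1
    r = 36*u**4 + 36*u**3 + 18*u**2 + 6*u + 1
    t = 6*u**2 + 1
    return p, r, (p + 1 - t) // r


def bls_params(u, k):
    """BLS12 (k=12) and BLS48 (k=48) families (Section 2.4).
    Trace t = u + 1 (from [4]), so #E(F_p) = (u-1)^2 * r / 3 = h * r."""
    m = k // 12                      # r = Phi_k(u): u^4-u^2+1 or u^16-u^8+1
    r = u**(4*m) - u**(2*m) + 1
    num = (u - 1)**2 * r
    if num % 3:
        raise ValueError("u must be 1 mod 3 for p to be an integer")
    p = num // 3 + u
    t = u + 1
    return p, r, (p + 1 - t) // r


def embedding_degree(p, r, limit=64):
    """Smallest k <= limit with r | p^k - 1 (definition in Section 2.1)."""
    for k in range(1, limit + 1):
        if pow(p, k, r) == 1:
            return k
    return None


def small_prime_factors(n, bound=10**4):
    """Primes below `bound` dividing n.  Any hit means E(F_p) has points of
    small order outside G_1, so received points need a subgroup check [30]."""
    found, q = [], 2
    while q < bound and n > 1:
        if n % q == 0:
            found.append(q)
            while n % q == 0:
                n //= q
        q += 1
    return found


def check_curve(name):
    """Derive and check one curve; returns a dict of the results."""
    family, u, k = CURVES[name]
    p, r, h = bn_params(u) if family == "BN" else bls_params(u, k)
    return {
        "p_bits": p.bit_length(),
        "r_bits": r.bit_length(),
        "p_prime": is_probable_prime(p),
        "r_prime": is_probable_prime(r),
        "k": embedding_degree(p, r),
        "h": h,
        "h_small_factors": small_prime_factors(h),
        # generic ECDLP cost in G_1/G_2 (Pollard rho, Section 3.1) ~ sqrt(r);
        # the FFDLP cost in G_T after exTNFS comes from [6][7][8], not a formula
        "rho_bits": r.bit_length() // 2,
    }


if __name__ == "__main__":
    for name in CURVES:
        res = check_curve(name)
        print(name, {key: val for key, val in res.items() if key != "h"})
```

Running the script reproduces the field sizes quoted above (462, 381, 461 and 581 bits of p) and, for BLS12-381, the 255-bit r behind the 127-bit Pollard-rho figure. It also shows that the G_1 cofactor of BLS12-381 is divisible by 3 and 11, so an implementation must check that received points lie in G_1 (and likewise in G_2 and G_T), whereas BN462 has h = 1 and needs no such check in G_1. What the script cannot do is estimate the exTNFS cost of the FFDLP in G_T; for that the estimates of [6], [7] and [8] remain the reference.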
TCG adopts a 256-bit BN curve specified in ISO/IEC 15946-5 (TPM_ECC_BN_P256) and a 638-bit BN curve of its own specification (TPM_ECC_BN_P638). The FIDO Alliance [21] and W3C [22] adopt the BN curves specified by TCG, a 512-bit BN curve shown in ISO/IEC 15946-5 and another 256-bit BN curve.

MIRACL [34] implements BN curves and BLS12 curves.

Zcash used a BN curve (named BN128) from the libsnark library [35]. After exTNFS, they proposed a new BLS12 parameter, BLS12-381 [32], and published its experimental implementation [36].

Cloudflare implements a 256-bit BN curve (bn256) [37]. No action has been taken so far after exTNFS.

Ethereum 2.0 adopts BLS12-381 (BLS12_381), and BN curves with p of 254 bits (CurveFp254BNb) and 382 bits (CurveFp382_1 and CurveFp382_2) [38]. Their implementation calls mcl [31] for pairing computation.

Cryptographic libraries which implement pairings include PBC [39], mcl [31], RELIC [40], TEPLA [41], AMCL [42], Intel IPP [43] and a library by Kyushu University [44].

Table 1 shows the adoption of pairing-friendly curves in existing standards, applications and libraries.
+--------------+------------+--------------+----------------+-------+
| Category     | Name       | 100 bit      | 128 bit        | 256   |
|              |            |              |                | bit   |
+--------------+------------+--------------+----------------+-------+
| standards    | ISO/IEC    | BN256        | BN384          |       |
|              | [33]       |              |                |       |
|              |            |              |                |       |
|              | TCG        | BN256        |                |       |
|              |            |              |                |       |
|              | FIDO/W3C   | BN256        |                |       |
|              |            |              |                |       |
| applications | MIRACL     | BN254        | BLS12          |       |
|              |            |              |                |       |
|              | Zcash      | BN128        | BLS12-381      |       |
|              |            | (CurveSNARK) |                |       |
|              |            |              |                |       |
|              | Cloudflare | BN256        |                |       |
|              |            |              |                |       |
|              | Ethereum   | BN254        | BN382 (*) /    |       |
|              |            |              | BLS12-381 (*)  |       |
|              |            |              |                |       |
| libraries    | PBC        | BN254 /      | BN381_1 (*) /  |       |
|              |            | BN_SNARK1    | BN462 /        |       |
|              |            |              | BLS12-381      |       |
|              |            |              |                |       |
|              | mcl        | BN254 /      | BN381_1 (*) /  |       |
|              |            | BN_SNARK1    | BN462 /        |       |
|              |            |              | BLS12-381      |       |
|              |            |              |                |       |
|              | RELIC [40] | BN254 /      | BLS12-381 /    |       |
|              |            | BN256        | BLS12-455      |       |
|              |            |              |                |       |
|              | TEPLA      | BN254        |                |       |
|              |            |              |                |       |
|              | AMCL       | BN254 /      | BLS12-381 (*)  | BLS48 |
|              |            | BN256        | / BLS12-383    |       |
|              |            |              | (*) /          |       |
|              |            |              | BLS12-461      |       |
|              |            |              |                |       |
|              | Intel IPP  | BN256        |                |       |
|              |            |              |                |       |
|              | Kyushu     |              |                | BLS48 |
|              | Univ.      |              |                |       |
+--------------+------------+--------------+----------------+-------+

(*) There is no published security evaluation of these parameters, but the implementers state that they satisfy 128 bits of security.

Table 1: Adoption of Pairing-Friendly Curves

6. Security Considerations

This memo is entirely about the security of pairing-friendly curves, and introduces secure parameters for pairing-friendly curves. We give these parameters in terms of security, efficiency and global acceptance. Parameters for 100, 128 and 256 bits of security are introduced since the required security level differs among pairing-based applications.
7. IANA Considerations

This document has no actions for IANA.

8. Acknowledgements

The authors would like to thank Akihiro Kato for his significant contribution to the early version of this memo.

9. Change log

NOTE TO RFC EDITOR: Please remove this section before final RFC publication.

10. References

10.1. Normative References

[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997.

[2] Vercauteren, F., "Optimal pairings", IEEE Transactions on Information Theory 56(1): 455-461, 2010.

[3] Barreto, P. and M. Naehrig, "Pairing-Friendly Elliptic Curves of Prime Order", Selected Areas in Cryptography - SAC 2005, LNCS 3897, pp. 319-331, 2006.

[4] Barreto, P., Lynn, B., and M. Scott, "Constructing Elliptic Curves with Prescribed Embedding Degrees", Security in Communication Networks - SCN 2002, LNCS 2576, pp. 257-267, Springer, 2002.

[5] Kim, T. and R. Barbulescu, "Extended tower number field sieve: a new complexity for the medium prime case", CRYPTO 2016, LNCS 9814, pp. 543-571, 2016.

[6] Barbulescu, R. and S. Duquesne, "Updating Key Size Estimations for Pairings", Journal of Cryptology, January 2018.

[7] Menezes, A., Sarkar, P., and S. Singh, "Challenges with Assessing the Impact of NFS Advances on the Security of Pairing-Based Cryptography", Paradigms in Cryptology - Mycrypt 2016, LNCS 10311, pp. 83-108, Springer, 2017.

[8] Kiyomura, Y., Inoue, A., Kawahara, Y., Yasuda, M., Takagi, T., and T. Kobayashi, "Secure and Efficient Pairing at 256-Bit Security Level", ACNS 2017, LNCS 10355, pp. 59-79, 2017.

10.2. Informative References

[9] Boyen, X. and L.
Martin, "Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems", RFC 5091, DOI 10.17487/RFC5091, December 2007.

[10] Groves, M., "Elliptic Curve-Based Certificateless Signatures for Identity-Based Encryption (ECCSI)", RFC 6507, DOI 10.17487/RFC6507, February 2012.

[11] Groves, M., "Sakai-Kasahara Key Encryption (SAKKE)", RFC 6508, DOI 10.17487/RFC6508, February 2012.

[12] Cakulev, V., Sundaram, G., and I. Broustis, "IBAKE: Identity-Based Authenticated Key Exchange", RFC 6267, DOI 10.17487/RFC6267, March 2012.

[13] Groves, M., "MIKEY-SAKKE: Sakai-Kasahara Key Encryption in Multimedia Internet KEYing (MIKEY)", RFC 6509, DOI 10.17487/RFC6509, February 2012.

[14] 3GPP, "Security of the mission critical service (Release 15)", 3GPP TS 33.180 15.3.0, September 2018.

[15] ISO/IEC, "ISO/IEC 11770-3:2015", Information technology -- Security techniques -- Key management -- Part 3: Mechanisms using asymmetric techniques, 2015.

[16] Joux, A., "A One Round Protocol for Tripartite Diffie-Hellman", ANTS-IV, LNCS 1838, pp. 385-393, Springer-Verlag, 2000.

[17] Chen, L., Cheng, Z., and N. Smart, "Identity-based Key Agreement Protocols From Pairings", International Journal of Information Security, Volume 6, Issue 4, pp. 213-241, Springer-Verlag, June 2007.

[18] Fujioka, A., Suzuki, K., and B. Ustaoglu, "Ephemeral Key Leakage Resilient and Efficient ID-AKEs That Can Share Identities, Private and Master Keys", Pairing-Based Cryptography - Pairing 2010, LNCS 6487, pp. 187-205, Springer, 2010.

[19] Scott, M., "M-Pin: A Multi-Factor Zero Knowledge Authentication Protocol".

[20] Trusted Computing Group (TCG), "TPM 2.0 Library Specification", September 2016.
[21] Lindemann, R., "FIDO ECDAA Algorithm - FIDO Alliance Review Draft 02", July 2018.

[22] Balfanz, D., Czeskis, A., Hodges, J., Jones, J., Jones, M., Kumar, A., Liao, A., Lindemann, R., and E. Lundberg, "Web Authentication: An API for accessing Public Key Credentials Level 1 - W3C Candidate Recommendation", July 2018.

[23] Lindemann, R., "What are zk-SNARKs?", July 2018.

[24] Sullivan, N., "Geo Key Manager: How It Works", September 2017.

[25] Hanke, T., Movahedi, M., and D. Williams, "DFINITY Technology Overview Series Consensus System Rev. 1".

[26] Jordan, R., "Ethereum 2.0 Development Update #17 - Prysmatic Labs", November 2018.

[27] ECRYPT, "Final Report on Main Computational Assumptions in Cryptography", January 2013.

[28] Pollard, J., "Monte Carlo Methods for Index Computation (mod p)", Mathematics of Computation, Vol. 32, 1978.

[29] Hellman, M. and J. Reyneri, "Fast computation of discrete logarithms in GF(q)", Advances in Cryptology: Proceedings of CRYPTO '82, pp. 3-13, 1983.

[30] Barreto, P., Costello, C., Misoczki, R., Naehrig, M., Pereira, G., and G. Zanon, "Subgroup security in pairing-based cryptography", Cryptology ePrint Archive, http://eprint.iacr.org/2015/247.pdf, 2015.

[31] Mitsunari, S., "mcl - A portable and fast pairing-based cryptography library", 2016.

[32] Bowe, S., "BLS12-381: New zk-SNARK Elliptic Curve Construction", March 2017.

[33] ISO/IEC, "ISO/IEC 15946-5:2017", Information technology -- Security techniques -- Cryptographic techniques based on elliptic curves -- Part 5: Elliptic curve generation, 2017.

[34] MIRACL Ltd., "MIRACL Cryptographic SDK", 2018.

[35] SCIPR Lab, "libsnark: a C++ library for zkSNARK proofs", 2012.

[36] zkcrypto, "zkcrypto - Pairing-friendly elliptic curve library", 2017.
[37] Cloudflare, "package bn256".

[38] Prysmatic Labs, "go-bls - Go wrapper for a BLS12-381 Signature Aggregation implementation in C++", 2018.

[39] Lynn, B., "PBC Library - The Pairing-Based Cryptography Library", 2006.

[40] Aranha, D. and C. Gouvêa, "RELIC is an Efficient LIbrary for Cryptography", 2013.

[41] University of Tsukuba, "TEPLA: University of Tsukuba Elliptic Curve and Pairing Library", 2013.

[42] The Apache Software Foundation, "The Apache Milagro Cryptographic Library (AMCL)", 2016.

[43] Intel Corporation, "Developer Reference for Intel Integrated Performance Primitives Cryptography 2019", 2018.

[44] Kyushu University, "bls48 - C++ library for Optimal Ate Pairing on BLS48", 2017.

Appendix A. Test Vectors of Optimal Ate Pairing

(TBD)

Authors' Addresses

Shoko Yonezawa
Lepidum

EMail: yonezawa@lepidum.co.jp

Sakae Chikara
NTT TechnoCross

EMail: chikara.sakae@po.ntt-tx.co.jp

Tetsutaro Kobayashi
NTT

EMail: kobayashi.tetsutaro@lab.ntt.co.jp

Tsunekazu Saito
NTT

EMail: saito.tsunekazu@lab.ntt.co.jp