Re: [Cfrg] CFRG feedback on signing with secp256k1 curve

denis bider <denisbider.ietf@gmail.com> Wed, 13 June 2018 05:33 UTC

From: denis bider <denisbider.ietf@gmail.com>
Date: Wed, 13 Jun 2018 00:33:32 -0500
Message-ID: <CADPMZDAQ1c04k5rEAU=yorWzQcFB8F9_X2ovbz+xAvSAyRag_A@mail.gmail.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6q4gY_zd9wNpXUnkBOc0LtSrbg0>
Subject: Re: [Cfrg] CFRG feedback on signing with secp256k1 curve

Tangential note:

In SSH, RFC 5656 defines a standard algorithm identifier format for ECDSA
and ECDH using any curve that has an OID. I'm not aware of many other
implementations, but exactly because of the reasoning you point out
(Bitcoin is a huge target), since 2014, Bitvise SSH Server and SSH Client
have supported secp256k1 in SSH under the following algorithm names:

Key exchange:

ecdh-sha2-1.3.132.0.10

Public key authentication (server or client):

ecdsa-sha2-1.3.132.0.10

On Mon, Jun 11, 2018 at 7:03 PM, Mike Jones <
Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:

> Dear CFRG,
>
> You’ll recall that the “secp256k1” elliptic curve is described by Dan
> Brown and Certicom in “SEC 2: Recommended Elliptic Curve Domain Parameters”
> http://www.secg.org/sec2-v2.pdf (the same document that described the
> secp256r1 curve – a.k.a., P-256).
>
> I recently wrote https://tools.ietf.org/html/draft-jones-webauthn-secp256k1-00 with a
> very specific and narrow purpose: to register JOSE and COSE curve
> identifiers for the SECG secp256k1 elliptic curve and associated algorithm
> identifiers for signing. This curve is already being used by FIDO UAF,
> the W3C Verifiable Claims interest group, and several blockchain projects.
> I want to get standard identifiers registered so these projects can use
> standards-based, rather than ad-hoc, cryptographic representations.  A path
> forward for this document is being discussed at secdispatch@ietf.org.
>
> As part of the SECDISPATCH evaluation, Ekr had suggested that I ask the
> CFRG for references to security analyses of secp256k1.  No matter what
> you or I may think of Blockchain, because Blockchain is using secp256k1 and
> is under tremendous scrutiny, it’s my assumption that if major security
> flaws were known, people would be widely talking about them.  But I’d like
> to replace my assumption with an actual security analysis or two and
> thoughts from the CFRG, if possible.
>
> Thanks,
>
> -- Mike
>
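The RFC 5656 naming scheme behind the two secp256k1 identifiers at the top of this reply, as an added example (not code from Bitvise or from either poster): derive the ECDSA/ECDH algorithm names from a curve OID, encode and decode the RFC 5656 ECDSA public key blob, and apply the consistency checks a receiver should make. The sample public point Q is a constructed placeholder, not a real curve point.

```python
import struct

# RFC 5656 section 6.1: the three required NIST curves get short names;
# any other curve is identified by its OID in ASCII dotted-decimal form.
NAMED_CURVES = {
    "1.2.840.10045.3.1.7": "nistp256",
    "1.3.132.0.34": "nistp384",
    "1.3.132.0.35": "nistp521",
}

def curve_identifier(oid):
    return NAMED_CURVES.get(oid, oid)

def ecdsa_algorithm_name(oid):
    return "ecdsa-sha2-" + curve_identifier(oid)

def ecdh_algorithm_name(oid):
    return "ecdh-sha2-" + curve_identifier(oid)

def hash_for_curve_bits(bits):
    # RFC 5656 section 6.2.1: hash is chosen by curve size, not negotiated.
    if bits <= 256:
        return "sha256"
    if bits <= 384:
        return "sha384"
    return "sha512"

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def encode_ecdsa_public_key(oid, q_octets):
    # RFC 5656 section 3.1: string "ecdsa-sha2-[identifier]", string [identifier], string Q
    ident = curve_identifier(oid)
    return (ssh_string(("ecdsa-sha2-" + ident).encode())
            + ssh_string(ident.encode()) + ssh_string(q_octets))

def read_ssh_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def decode_ecdsa_public_key(blob):
    name, off = read_ssh_string(blob, 0)
    ident, off = read_ssh_string(blob, off)
    q, off = read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after Q")
    if name != b"ecdsa-sha2-" + ident:
        raise ValueError("algorithm name and embedded identifier disagree")
    if not q or q[0] != 0x04:
        raise ValueError("Q must be SEC1 uncompressed (0x04 prefix)")
    # A real receiver must also check that Q is a valid point on the named curve.
    return name.decode(), ident.decode(), q

# Constructed placeholder Q (65 bytes, 0x04 prefix); not a real secp256k1 point.
SAMPLE_Q = b"\x04" + bytes(range(1, 65))
</test>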