Re: [CFRG] guidance on using an Ed25519 keypair for x25519
Robert Moskowitz <rgm-sec@htt-consult.com> Tue, 21 June 2022 12:05 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5043C136064 for <cfrg@ietfa.amsl.com>; Tue, 21 Jun 2022 05:05:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.783
X-Spam-Level:
X-Spam-Status: No, score=-3.783 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4qGaUSGpgOIn for <cfrg@ietfa.amsl.com>; Tue, 21 Jun 2022 05:05:45 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AABCC136094 for <cfrg@irtf.org>; Tue, 21 Jun 2022 05:05:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id C44A062569; Tue, 21 Jun 2022 08:04:58 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id c43jZA8I+Zo2; Tue, 21 Jun 2022 08:04:48 -0400 (EDT)
Received: from [192.168.160.11] (unknown [192.168.160.11]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 62F08624D4; Tue, 21 Jun 2022 08:04:48 -0400 (EDT)
Content-Type: multipart/alternative; boundary="------------PHRHKj6G7ubsjV6BBN0lN5wq"
Message-ID: <f2d41566-1bd0-ef2f-870d-8c44b5f931ab@htt-consult.com>
Date: Tue, 21 Jun 2022 08:05:32 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0
Content-Language: en-US
To: Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>, Manu Sporny <msporny@digitalbazaar.com>
References: <c767d783-67b7-e43e-b438-96c1e361ea64@htt-consult.com> <37419b07-7a22-34c1-d596-643ae5d20d4e@digitalbazaar.com> <PAXPR07MB884416A454E51CEE5CA4AEBDF4B39@PAXPR07MB8844.eurprd07.prod.outlook.com>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
In-Reply-To: <PAXPR07MB884416A454E51CEE5CA4AEBDF4B39@PAXPR07MB8844.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/VuaZfQ4qbd9gUqXp8bufPAo4S0Q>
Subject: Re: [CFRG] guidance on using an Ed25519 keypair for x25519
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jun 2022 12:05:49 -0000
Good to know. I was worrying that I would have to register a encrypt only keypair via the sign only keypair. Really complicates the registration process. Plus the risk that implementors would get it wrong. On 6/21/22 03:54, Göran Selander wrote: > >> Specifically, in Section 2.4: Pairwise Keys. >> >> https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-groupcomm#section-2.4 >> <https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-groupcomm#section-2.4> > > >> Adding some more background. There are two modes of use of the asymmetric keys in [1]: “group mode” (message signed by the sender) and “pairwise mode” (message encrypted for the receiver). Communication between group members may use only a single mode (any to all vs. any to any) or a mix of the modes, and the latter is useful for reducing communication overhead: > > > > * In [2], which uses multicast request withoptional unicast > responses, the request can be protected with group mode and the > responseswith pairwise mode, i.e. a MAC instead of a signature, per > response. * Conversely, in [3] multiple clients subscribe to a > particular resource using unicast (protected with pairwise mode) and > receive anotification assinglemulticast (protected with group > mode)instead of individual notifications. > > > > Each group member could have their own double key pairs, one for each > mode, but a single key pair reduces overhead for distribution and > storage. The security of using the same key pair in case of ECDSA was > already known [4] and Ben Kaduk lifted the issue that the result was > not known for EdDSA triggering Erik to prove it. > > > > Göran > > > > > > [1] > https://datatracker.ietf.org/doc/draft-ietf-core-oscore-groupcomm/ > > [2] https://datatracker.ietf.org/doc/draft-ietf-core-groupcomm-bis/ > > [3] > https://datatracker.ietf.org/doc/draft-ietf-core-observe-multicast-notifications/ > > > [4] https://degabriele.info/publications/EMV_Joint_Sec.pdf > > > > *From: *CFRG <cfrg-bounces@irtf.org> on behalf of Manu Sporny > <msporny@digitalbazaar.com> *Date: *Tuesday, 21 June 2022 at 01:46 > *To: *cfrg@irtf.org <cfrg@irtf.org> *Subject: *Re: [CFRG] guidance on > using an Ed25519 keypair for x25519 > > On 6/20/22 6:44 PM, Robert Moskowitz wrote: >> This seems to pop up in places, and I found: >> >> https://eprint.iacr.org/2021/509 >> <https://eprint.iacr.org/2021/509> >> >> Is this covered in any IETF RFC? I am coming up empty; my search >> foo is weak.... > > We point to that document in the 'did:key' Decentralized Identifier > Method specification: > > https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-218b00b6f213fa10&q=1&e=df349bd1-f6ee-4096-964d-6105d7db190d&u=https%3A%2F%2Fw3c-ccg.github.io%2Fdid-method-key%2F%23derive-encryption-key-algorithm > <https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-218b00b6f213fa10&q=1&e=df349bd1-f6ee-4096-964d-6105d7db190d&u=https%3A%2F%2Fw3c-ccg.github.io%2Fdid-method-key%2F%23derive-encryption-key-algorithm> > > > At least one place it's being used, AFAICT, is the OSCORE work: > > https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-groupcomm > <https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-groupcomm> > > > Specifically, in Section 2.4: Pairwise Keys. > > https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-groupcomm#section-2.4 > <https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-groupcomm#section-2.4> > > > You can find references to that document throughout the OSCORE specification. > > Hope that helps. > > On a related note, we've been told by security researchers that NIST > is unlikely to view such an operation as safe to use with US > government systems, even if the Thormarker proof is found to be > valid, given the general policy against key reuse at NIST. Has anyone > else on here heard the same sort of thing from NIST? > > -- manu > > -- Manu Sporny - > https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-fb3168714b4aa4b6&q=1&e=df349bd1-f6ee-4096-964d-6105d7db190d&u=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fmanusporny%2F > <https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-fb3168714b4aa4b6&q=1&e=df349bd1-f6ee-4096-964d-6105d7db190d&u=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fmanusporny%2F> > > Founder/CEO - Digital Bazaar, Inc. > News: Digital Bazaar Announces New Case Studies (2021) > https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-144df54e6622daf1&q=1&e=df349bd1-f6ee-4096-964d-6105d7db190d&u=https%3A%2F%2Fwww.digitalbazaar.com%2F > <https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-144df54e6622daf1&q=1&e=df349bd1-f6ee-4096-964d-6105d7db190d&u=https%3A%2F%2Fwww.digitalbazaar.com%2F> > > > _______________________________________________ > CFRG mailing list CFRG@irtf.org > https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-9034b67a44f3143f&q=1&e=df349bd1-f6ee-4096-964d-6105d7db190d&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg > <https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-9034b67a44f3143f&q=1&e=df349bd1-f6ee-4096-964d-6105d7db190d&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg> > > > > _______________________________________________ > CFRG mailing list CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg
- [CFRG] guidance on using an Ed25519 keypair for x… Robert Moskowitz
- Re: [CFRG] guidance on using an Ed25519 keypair f… Robert Moskowitz
- Re: [CFRG] guidance on using an Ed25519 keypair f… Manu Sporny
- Re: [CFRG] guidance on using an Ed25519 keypair f… Robert Moskowitz
- Re: [CFRG] guidance on using an Ed25519 keypair f… Göran Selander
- Re: [CFRG] guidance on using an Ed25519 keypair f… Robert Moskowitz
- Re: [CFRG] guidance on using an Ed25519 keypair f… Salz, Rich