Re: [Cfrg] CFRG feedback on signing with secp256k1 curve

Dan Brown <danibrown@blackberry.com> Tue, 12 June 2018 02:37 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/twPwTCZabIwyh209yf2H4A-eJTE>

Hi Mike,
To clarify 2 points on my role,
secp256k1 appeared in version 1.0 of SEC2, and I had no part in designing the curve or in writing version 1.0 of SEC2. I believe the design and writing was a group effort, of Gallant, Lambert, Vanstone, Qu, Blake-Wilson, and others.
By the time of SEC2 version 2.0, I had become the editor for SEC2, due to personnel changes, and was listed as the contact in the update. It was still a group effort back then, so many people were involved in the decision to keep the various that were kept.
Also, AFAIK, P-256 was described by NIST before it was added to SEC2.
Best regards,
Dan

From: Mike Jones
Sent: Monday, June 11, 2018 8:03 PM
To: cfrg@irtf.org
Subject: [Cfrg] CFRG feedback on signing with secp256k1 curve


Dear CFRG,

You’ll recall that the “secp256k1” elliptic curve is described by Dan Brown and Certicom in “SEC 2: Recommended Elliptic Curve Domain Parameters” http://www.secg.org/sec2-v2.pdf (the same document that described the secp256r1 curve – a.k.a., P-256).

I recently wrote https://tools.ietf.org/html/draft-jones-webauthn-secp256k1-00 with a very specific and narrow purpose: to register JOSE and COSE curve identifiers for the SECG secp256k1 elliptic curve and associated algorithm identifiers for signing. This curve is already being used by FIDO UAF, the W3C Verifiable Claims interest group, and several blockchain projects. I want to get standard identifiers registered so these projects can use standards-based, rather than ad-hoc, cryptographic representations. A path forward for this document is being discussed at secdispatch@ietf.org.

As part of the SECDISPATCH evaluation, Ekr had suggested that I ask the CFRG for references to security analyses of secp256k1.  No matter what you or I may think of Blockchain, because Blockchain is using secp256k1 and is under tremendous scrutiny, it’s my assumption that if major security flaws were known, people would be widely talking about them.  But I’d like to replace my assumption with an actual security analysis or two and thoughts from the CFRG, if possible.

                                                       Thanks,
                                                       -- Mike