[core] Concerns with EC key joint signature and DH usage in draft-ietf-core-oscore-groupcomm

[Benjamin Kaduk <kaduk@mit.edu>]

Hi all,

A recent feature request for openssl
(https://github.com/openssl/openssl/issues/13630) pointed out that this
document rather blithely proposes to reuse signature (e.g., EdDSA and
ECDSA) keys for purposes of ECDH key agreement.  (This is part of the
"pairwise keys" construction in Section 2.3, specifically in 2.3.1.)

Use of a given key with multiple algorithms diverges from general
cryptographic best practice, and I do see that this draft acknowledges
this fact and attempts to justify the choice in the security
considerations (Section 10.12) with reference to [Degabriele]
(https://eprint.iacr.org/2011/615).  However, I do not think that the
current discussion (in the -10) is anywhere close to sufficient
justification that the proposed behavior is secure.  Specifically, the
referenced paper primarily focuses on methods used for EMV standards,
and in particular limits itself to ECIES (which combines key agreement
and message encryption).  While OSCORE provides mechanisms conceptually
similar to ECIES, the actual mechanics of the cryptography and wire
protocol are, to my knowledge, different, and so the referenced paper
does not seem to directly apply.  This document does not attempt to
"bridge the gap" between what it does in practice and the
(ECIES-specific) proof, so based on my current understanding, it must
still be considered as defying best current practice without formal
cryptographic justification.

In my opinion, we need to either produce a reference/proof that does
apply to OSCORE's usage, or remove this mechanism from the protocol.

-Ben