Re: [COSE] draft-ietf-lwig-curve-representations-13
Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 09 November 2020 16:19 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DFF53A11A6 for <cose@ietfa.amsl.com>; Mon, 9 Nov 2020 08:19:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.622
X-Spam-Level:
X-Spam-Status: No, score=-1.622 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.276, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BfEWiYDDqW9F for <cose@ietfa.amsl.com>; Mon, 9 Nov 2020 08:19:29 -0800 (PST)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9096C3A118C for <cose@ietf.org>; Mon, 9 Nov 2020 08:19:29 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 3544F12DA0; Mon, 9 Nov 2020 18:19:27 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id Esg0GbWhVEsk; Mon, 9 Nov 2020 18:19:26 +0200 (EET)
Received: from LK-Perkele-VII (78-27-99-170.bb.dnainternet.fi [78.27.99.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id A313972; Mon, 9 Nov 2020 18:19:24 +0200 (EET)
Date: Mon, 09 Nov 2020 18:19:24 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "cose@ietf.org" <cose@ietf.org>
Cc: Göran Selander <goran.selander@ericsson.com>
Message-ID: <20201109161924.GA3285781@LK-Perkele-VII>
References: <HE1PR0702MB36745AEC1C6E929CA4D9A1C7F4ED0@HE1PR0702MB3674.eurprd07.prod.outlook.com> <be8f9113-a74a-7358-383c-927e7fab0f13@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <be8f9113-a74a-7358-383c-927e7fab0f13@gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/3WATdZGKvprM7qCZ_axVccvfYzU>
Subject: Re: [COSE] draft-ietf-lwig-curve-representations-13
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2020 16:19:32 -0000
On Fri, Nov 06, 2020 at 02:37:01PM -0500, Rene Struik wrote: > Hi Goran: > > Please find below some brief feedback on your note: > > - ECDSA has been around since 1999, has been widely standardized, and has > seen lots of analysis, where ECDSA25519 is simply yet another instantiation. Unfortunately, there are some issues: - ECDSA signing involves inversion modulo order, which is nasty to implement and slow. Especially as it needs to be made resistant to side-channel attacks, as side channels against that can be used to recover the private key. - ECDSA25519 is not well-defined in general case. The issue is that it depends on bit order of hash function output as it involves truncating hash to 253 bits (which is not divisible by 8), and not all hash functions define their output bit order. And even with hash functions that do define output bit order, not all define it the same way. For example, output bit order of SHA-256 and SHA3-256 (and SHAKE*) seems to be different, and thus ECDSA25519 of SHA-256 hash is calculated differently than ECDSA25519 of SHA3-256 hash. Even if one restricts to NIST-approved hash functions, this breaks traditional signahash-style ECDSA interface, as hash function used is not passed in. None of P-256, P-384 nor brainpool curves ever trigger this special case. P-521 in theory could, but in practice that does not happen either, as it would require kind of hash function nobody uses. B-x curves could also in theory, but in practice those are either not used, or used with hashes that do not need truncation. > Signature generation and verification times for ECDSA25519 should be similar > to those of Ed25519 (since timing is dominated by scalar multiplication, > where one could simply use Montgomery arithmetic [3]). In my personal view, > ECDSA25519 may be more secure than Ed25519 (if only because it is > non-deterministic, see Security section [6]); similar side-channel care has > to be taken in either case. I do not think that is correct, because ECDSA has that inversion mod order: - The time to perform that is not negligible. Even compared to scalar multiplication. - In signing, it is one more operation to be side-channel resistant. (the outer hash computation in Ed25519 does not need to be side- channel resistant). And that determinism versus non-determinism is not hard property of the signature schemes. There is deterministic ECDSA, and that can be appiled with any curve where ECDSA is well-defined. And while making Ed25519 noisy or non-deterministic breaks the specificaition, it does not break interoperability. (I have actually written non-deterministic Ed25519 implementation as part of really horrible special-purpose TLS 1.3 implmentation. Yes, it does interoperate in real world.) And some notes about making version of Ed25519 that uses SHA-256: - The Ed25519 subkey derivation needs to be split into two hashes instead of running once and splitting the result. The input fits into one block anyway, so it will still be fast. For example, a=SHA256(0|k_priv) and seed=SHA256(1|k_priv). - It is not trivially possible to replace the inner hash SHA512(seed|M) with SHA256(seed|M). However, it turns out that the order in fact does allow this replacement. - If one wants noisy signatures, one way is to replace SHA256(seed|M) with SHA256(seed|M)^noise. The noise must be independent of the private key and seed, but otherwise bad noise (including completely broken one) will not cause immediate catastrophic failure. - If one wants randomized signatures, due to the same reasons as why the inner hash may be replaced, it is recommended to generate more randomness than 256 bits, and then use SHA256 to squash it to 256 bits. This hedges against not-quite-ideal random number generators that would otherwise cause catastrophic failure. However, it will not prevent broken random number generator from causing immediate catastrophic failure. - The outer hash SHA512(R|A|M) can trivially be replaced by SHA256(R|A|M). However, if one truly wants the lightest signatures in code size, AFAIK there is no beating qDSA-type constructions. The notes above about randomized, noisy and deterministic signatures apply here too (except for the seed expansion, one could use seed=SHA256(2|k_priv)), as the nontrivialities are tied to order, and Curve25519 and Edwards25519 being isomorphic/isogenous share the order. The different seed expansion is to remove nasty interaction between the two signatures. As otherwise signing the same message with both using the same private key results in key compromise. qDSA operates on x-only montgomery ladder, which means it does not need point compression and can share most of the key agreement code. One drawback of this is issues with fault attacks. And with regards to Edwards448/Curve448, analogous nontrivialities would apply to hash function with at least 448-bit output, which means one could use 512-bit hash with curve of that order. -Ilari
- [COSE] draft-ietf-lwig-curve-representations-13 Göran Selander
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… John Mattsson
- Re: [COSE] draft-ietf-lwig-curve-representations-… Ilari Liusvaara
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] [Lwip] draft-ietf-lwig-curve-represent… Mohit Sethi M
- Re: [COSE] [Lwip] draft-ietf-lwig-curve-represent… John Mattsson
- Re: [COSE] [Lwip] draft-ietf-lwig-curve-represent… Mohit Sethi M
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Ilari Liusvaara
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… John Mattsson
- Re: [COSE] draft-ietf-lwig-curve-representations-… Benjamin Kaduk
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- [COSE] (small timeline correction) Re: draft-ietf… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… John Mattsson
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Benjamin Kaduk
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Benjamin Kaduk
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik