Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: Incompatible encoding of EdDSA public keys
Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 29 February 2020 09:52 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 531EC3A0D83 for <cose@ietfa.amsl.com>; Sat, 29 Feb 2020 01:52:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MwJ08qF_KJiE for <cose@ietfa.amsl.com>; Sat, 29 Feb 2020 01:52:33 -0800 (PST)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A08B13A0D82 for <cose@ietf.org>; Sat, 29 Feb 2020 01:52:33 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 0815D4EC; Sat, 29 Feb 2020 11:52:31 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id CqbB63-kBe2V; Sat, 29 Feb 2020 11:52:30 +0200 (EET)
Received: from LK-Perkele-VII (87-100-246-37.bb.dnainternet.fi [87.100.246.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id D12552308; Sat, 29 Feb 2020 11:52:25 +0200 (EET)
Date: Sat, 29 Feb 2020 11:52:25 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: 'Neil Madden' <neil.madden@forgerock.com>, 'Andrew Kozlik' <andrew.kozlik@satoshilabs.com>, 'cose' <cose@ietf.org>
Message-ID: <20200229095225.GA1903405@LK-Perkele-VII>
References: <CACvH2enmaEC4TRmP27iCMMtnPmpuO1othFwoaR7z0zgu9D8iAQ@mail.gmail.com> <14708E54-D934-4D74-BF4D-DF75AE549163@forgerock.com> <036601d5ee64$5c75c520$15614f60$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <036601d5ee64$5c75c520$15614f60$@augustcellars.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/Kt9i6L3GTMEtFETkvXlM2ruif3o>
Subject: Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: Incompatible encoding of EdDSA public keys
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Feb 2020 09:52:35 -0000
On Fri, Feb 28, 2020 at 10:24:46AM -0800, Jim Schaad wrote: > > I believe that the correct result that has been implemented for both JOSE > and COSE is to take encoding that is specified in RFC 8152 and use that as > the public key. I know that I compared all of my code with the text vectors > in RFC 8152 so that I will be shocked if this is not true. If this is not > clear in either document then we need to change that text. I am not sure I agree. The correct interpretation for JOSE is to take the contents of "x" field, base64url decode it, and stuff the result raw into Ed25519 signing/verification (as defined by RFC 8032) as an octet string (and "d" is base64url decoded and stuffed raw into Ed25519 signing). I can take the keypair test vector from RFC 8037 and stuff it into program that definitely takes the above interpretation (I wrote it) and it both passes key consistency check and passes signature self- verify check. Now, the same program also supports COSE keys. When coding that support, I assumed that COSE way is straightforward port of JOSE (encode constants as integers, encode base64url'd string as raw bstr), and thus the code just stuffs whatever is in "x" field raw into Ed25519 signing/ verification (as defined by RFC 8032) as an octet string (and "d" is another bstr and stuffed raw into Ed25519 signing as octet string). Now RFC 8152 says: "This contains the x-coordinate for the EC point. The octet string represents a little-endian encoding of x." Which is just plain wrong for Ed25519 and Ed448. As the public key is encoding of y coordinate together with sign bit of x coordinate. And even that COSE should not be concerned with: It should treat RFC 8032 public keys as octet strings. And even for X25519 and X448, it is not quite correct, because the X25519 and X448 public keys are not integers, they are octet strings (which happen to be little-endian encoding of x coordinate of an elliptic-curve point). Now, it is possible to recover the y coordinate of Ed25519 and Ed448 keys from the x coordinate, but the algorithm is fairly slow (due to calculating the lth multiple), and I do not think it has ever been implemented. What I think all COSE implementations of EdDSA do is to stuff the bstr x raw into RFC 8032 EdDSA implementations as octet string (that is definitely what my code is doing). -Ilari
- [COSE] draft-ietf-cose-rfc8152bis-algs-06: Incomp… Andrew Kozlik
- Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: In… Neil Madden
- Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: In… Jim Schaad
- Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: In… Ilari Liusvaara
- Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: In… Andrew Kozlik