Re: [COSE] draft-ietf-lwig-curve-representations-13
Benjamin Kaduk <kaduk@mit.edu> Mon, 15 February 2021 19:18 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F7193A1014 for <cose@ietfa.amsl.com>; Mon, 15 Feb 2021 11:18:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.003
X-Spam-Level:
X-Spam-Status: No, score=0.003 tagged_above=-999 required=5 tests=[RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XaTi2l2gL_Oe for <cose@ietfa.amsl.com>; Mon, 15 Feb 2021 11:18:11 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA3BC3A1011 for <cose@ietf.org>; Mon, 15 Feb 2021 11:18:10 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 11FJI0vR016132 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 15 Feb 2021 14:18:04 -0500
Date: Mon, 15 Feb 2021 11:17:59 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Rene Struik <rstruik.ext@gmail.com>
Cc: John Mattsson <john.mattsson@ericsson.com>, "cose@ietf.org" <cose@ietf.org>
Message-ID: <20210215191759.GJ21@kduck.mit.edu>
References: <2DC2C984-C460-41DB-A31D-052192FB4047@ericsson.com> <444d11d1-dff9-80e4-1b49-c642191edcec@gmail.com> <185c290d-fa59-de92-9297-fefe60cb1e9c@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <185c290d-fa59-de92-9297-fefe60cb1e9c@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/PxTJ5ng2XQ8yVymEzZVCy_yRh9Y>
Subject: Re: [COSE] draft-ietf-lwig-curve-representations-13
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2021 19:18:15 -0000
Hi Rene, Section 16.11 discusses what the IANA Designated Experts should do upon receipt of a registration request, which is a distinct step from what someone making a registration request of IANA should do. I further note that the final bullet of the section says that "Algorithms that do not meet the security requirements of the community and the messages structures should not be registered"; it seems natural to me that a Designated Expert would choose to consult the COSE WG email list in order to get feedback from the community. -Ben On Mon, Feb 15, 2021 at 02:13:15PM -0500, Rene Struik wrote: > Hi John: > > I would be eager to have an answer to the question I posed earlier: > > /I could not find the procedure you seemingly had in mind below in > RFC 8152 (a search in RFC 8152 on the term "email" also did not > yield this info). Isn't this all described in Section 16.11 [1]? If > you could point me to what I am apparently missing, please let me know!/ > > > Since you seem to know much more about IETF processes than I do, any > timely help much appreciated! {I am sure it would also help others more > verses into technical matters than procedural questions.} > > Best regards, Rene > > On 2021-02-14 4:56 p.m., Rene Struik wrote: > > Hi John: > > > > To my knowledge, I followed the steps described in Section 16.11 [1] > > (Expert Review Instructions), already in April 2019 (almost 2 years ago): > > > > 16.11. Expert Review Instructions > > All of the IANA registries established in this document are > > defined as expert review. This section gives some general > > guidelines forwhat the experts should be looking for, but they are > > being designated as experts for a reason, so they should be given > > substantial latitude. > > > > Expert reviewers should take into consideration the following points: > > > > [snip (enumeration of four aspects to consider)] > > > > I could not find the procedure you seemingly had in mind below in RFC > > 8152 (a search in RFC 8152 on the term "email" also did not yield this > > info). Isn't this all described in Section 16.11 [1]? If you could > > point me to what I am apparently missing, please let me know! > > > > In all fairness, I think you would have to agree that I did reach out > > to the relevant actors at the time, in good conscience, in a timely > > manner (in contrast to the language you used in your forelast email). > > > > Best regards, Rene > > > > Ref: [1] https://tools.ietf.org/html/rfc8152#section-16.11 > > > > On 2021-02-14 4:08 p.m., John Mattsson wrote: > >> > >> Hi Rene, > >> > >> True, Jim used to be one the experts. My comment that you did not > >> talk to any of the experts is not true. > >> > >> The only IANA history I know of started on 6 Nov 2020 when Göran (one > >> of the experts) followed the procedure and sent a mail to the COSE > >> mailing list commenting and asking about the COSE registrations. I > >> and several other people in COSE WG seem to share Göran’s concerns. > >> You cannot expect COSE WG to read your draft before somebody send it > >> to the list. If I had written the draft I would personally had sent > >> in to COSE a long time ago. I wish someone would have helped you with > >> that. > >> > >> You need to ask Göran and the other two experts on the status but to > >> me it seems like the COSE WG is aligning on the technical aspects of > >> the IANA registrations: > >> > >> https://mailarchive.ietf.org/arch/browse/cose/?gbt=1&index=IEx4C67-IGkQ9BpI8DUFxhElcwA > >> > >> Cheers, > >> > >> John > >> > >> *From: *Rene Struik <rstruik.ext@gmail.com> > >> *Date: *Sunday, 14 February 2021 at 20:11 > >> *To: *John Mattsson <john.mattsson@ericsson.com>, Göran Selander > >> <goran.selander=40ericsson.com@dmarc.ietf.org>, "lwip@ietf.org" > >> <lwip@ietf.org>, "cose@ietf.org" <cose@ietf.org> > >> *Subject: *(small timeline correction) Re: [COSE] > >> draft-ietf-lwig-curve-representations-13 > >> > >> Correction: LWIG WGLC was in August 2019 and not August 2020, as I > >> mistakenly put in my previous note (i.e., already 18 1/2 months or > >> more than 1 1/2 years ago). > >> > >> See > >> https://datatracker.ietf.org/doc/draft-ietf-lwig-curve-representations/history/ > >> <https://datatracker.ietf.org/doc/draft-ietf-lwig-curve-representations/history/> > >> > >> On 2021-02-14 2:04 p.m., Rene Struik wrote: > >> > >> Hi John: > >> > >> I did have a brief look at my past correspondence on iana-cose > >> code points, where I discussed this with Jim Schaad (designated > >> iana cose expert over the relevant time period): > >> > >> - email correspondences {March 27, 2019; April 12, 2019; April > >> 15, 2019}; > >> > >> - f/u. discussions w/ Jim Schaad (triggered by trying to help out > >> Pascal Thubert on his ap-nd Editor queue draft): phone call {Thu > >> March 16, 2020}; email correspondence {April 6/7/22/25, 2020} > >> > >> History of iana sections in curve-draft document: > >> > >> - iana/cose section has been in there since April 14, 2019 (v04 > >> of the draft). See > >> https://datatracker.ietf.org/doc/draft-ietf-lwig-curve-representations/04/ > >> <https://datatracker.ietf.org/doc/draft-ietf-lwig-curve-representations/04/> > >> > >> - WGLC LWIG group: August 6, 2019; > >> > >> - IETF Last-Call: August 24, 2020 (two-week); > >> > >> - your comment: Nov 9, 2020 > >> > >> - your (nontechnical) email below: today, Feb 14, 2021 (32 days > >> after my last email to the list). > >> > >> Contrary to what you seem to suggest below, my records above > >> indicate I have reached out to the relevant people already almost > >> two (!) years ago, in good conscience (where email and phone > >> conversations with Jim Schaad were productive, with 1-2 days > >> feedback loop). I have trouble understanding why during all this > >> time the technical points you seem to take issue with have not > >> been narrowed down (as I repeatedly suggested offline and which > >> is good engineering practice). Please note that even something as > >> simple an uncontroversial as registering Wei25519 and Wei448 has > >> not been stricken off the list since the November 2020 note. I > >> think one should reflect why this (in an Internet *Engineering* > >> Task Force). > >> > >> Best regards, Rene > >> > >> On 2021-02-14 3:13 a.m., John Mattsson wrote: > >> > >> Hi Rene, > >> > >> >I value your feedback, even though you brought up your points > >> more than two months after the > >> > >> >IETF Last-Call. > >> > >> All the comments has been purely regarding the IANA > >> registrations for COSE. To my understanding you did not > >> discuss these registrations with the dedicated IANA experts > >> or the COSE WG beforehand. The suggested COSE registration > >> are quite strange. Any delay is purely due to you not > >> discussing and anchoring these registrations. I have > >> suggested that that this issue is discussed at the interim on > >> Tuesday, but it is not my job to drive your registrations. I > >> am just commenting on the questions from the dedicated IANA > >> experts. > >> > >> You can always remove the COSE registrations, but I think > >> that would be sad. I agree with you that a registration for > >> Wei25519 is good to have. Another alternative is to move the > >> registration to a separate draft. > >> > >> >I uploaded a new version of the lwig curve draft [1], changing the > >> intended status to "standards track". I hope > >> > >> >this helps. > >> > >> You cannot just change the status from “informational” to > >> “standards track”. They are very different things. > >> Informational is just general information, while standards > >> track means IETF consensus and recommendation. Changing the > >> status would (I assume) require wg consensus and then redoing > >> the last calls. > >> > >> /John > >> > >> *From: *Rene Struik <rstruik.ext@gmail.com> > >> <mailto:rstruik.ext@gmail.com> > >> *Date: *Wednesday, 13 January 2021 at 15:26 > >> *To: *John Mattsson <john.mattsson@ericsson.com> > >> <mailto:john.mattsson@ericsson.com>, Göran Selander > >> <goran.selander=40ericsson.com@dmarc.ietf.org> > >> <mailto:goran.selander=40ericsson.com@dmarc.ietf.org>, > >> "lwip@ietf.org" <mailto:lwip@ietf.org> <lwip@ietf.org> > >> <mailto:lwip@ietf.org>, "cose@ietf.org" > >> <mailto:cose@ietf.org> <cose@ietf.org> <mailto:cose@ietf.org> > >> *Subject: *Re: [COSE] draft-ietf-lwig-curve-representations-13 > >> > >> Hi Goran, John: > >> > >> Please let me know if my response to the COSE mailing list > >> (Dec 19th) works for you. If you have comments, please > >> suggest constructive improvements. > >> > >> I really would like to get closure on this. > >> > >> I value your feedback, even though you brought up your points > >> more than two months after the IETF Last-Call. I hope we can > >> move forward without undue delays. > >> > >> Thanks for your help, Rene > >> > >> On 2020-12-19 11:01 a.m., Rene Struik wrote: > >> > >> Dear John: > >> > >> Based on your review and other feedback received, I > >> slightly updated the draft and posted the latest revision > >> as [1]. > >> > >> Your review below (of Nov 6, 2020) seems to bring up > >> three topics, viz.: (1) definition of Wei25519 and Wei448 > >> vs. verbiage in NIST docs; (2) need for iana > >> registrations for ECDSA25519 and ECDSA448; (3) need for > >> iana registrations ECDH25519 and ECDH448. > >> > >> Please find below some feedback. > >> > >> General feedback: > >> > >> Please bear in mind that the specifications of ECDSA25519 > >> and ECDH25519 in the lwig curve document aim to yield > >> schemes that are strictly NIST-compliant (i.e., these > >> would allow FIPS 140-2 accreditation if the curves would > >> be in the "NIST recommended" set). See also Note 2 of > >> Section 4.1 of [1]. A similar remark applies to ECDSA448 > >> and ECDH448. > >> > >> Detailed feedback: > >> > >> (1) Definition of Wei25519 and Wei448 vs. verbiage in > >> NIST docs. > >> > >> Draft NIST SP 800-186 indeed defines a short-Weierstrass > >> version of Curve25519 [dubbed W-25519] and FIPS 186-5 > >> allows its use; similar for Curve448 [dubbed W-448 > >> there]). I have now added references to these draft > >> specifications in the lwig-curve draft. I have > >> double-checked all domain parameters, mappings between > >> curve models, tables of isogeny details in the lwig draft > >> and provided Sage scripts for the CFRG crypto panel > >> review at the time. I do anticipate that NIST will arrive > >> at the same values in their final publication when they > >> decide to publish this. (I am happy to share Sage scripts > >> for this purpose.) > >> > >> (2) Need for iana registrations for ECDSA25519 and ECDSA448. > >> > >> ECDSA is determined by an instantiation of hash function, > >> curves, and representation conventions for inputs and > >> outputs (i.e., message representation, curve point > >> representation, and signature representation). > >> a) ECDSA448 uses SHAKE256 under the hood, which is > >> currently not defined with COSE. Hence, my request to > >> register ECDSA w/ SHAKE256 and Wei448 as "ECDSA448". > >> b) ECSA25519 uses SHA256 and Wei25519 under the hood. I > >> thought to request to register "ECDSA25519" since this > >> would allow referencing the quite careful write-up > >> (Section 4.3), including bit/byte ordering, checks, and > >> nondeterministic behavior (and, thereby, keeping this > >> concise). Please note that this is very similar to the > >> COSE IANA registry for "ES256k1" (ECDSA w/ SHA256 and > >> Bitcoin curve secp256k1). > >> > >> (3) Need for iana registrations ECDH25519 and ECDH448. > >> > >> ECDH25519 and ECDH448 are co-factor Diffie-Hellman key > >> establishment schemes and can, therefore, not be based on > >> (cofactorless) Diffie-Hellman, as defined in RFC 8152. > >> (Please note that there is no difference for the NIST > >> curves, which all of co-factor h=1, but in our case one > >> has h=8 and h=4, respectively). Here, one should note > >> that the ECDH25519 and ECDH448 write-ups (Section 4.1 and > >> 4.3) quite carefully cross-reference co-factor ECDH in a > >> NIST-compliant way. Apart from the co-factor ECDH vs. > >> ECDH issue and objective to comply with all strict NIST > >> validation checks, the objective was also to make sure > >> that ECDH25519 and ECDH448 can be used in settings where > >> either or both parties uses ephemeral keys (which is more > >> flexible than what RFC 8152 allows). Hence, the request > >> to register "ECDH25519" and "ECDH448", to make sure this > >> covers the intent of these schemes accurately and with > >> precise description. > >> > >> It is possible that I overlooked something in this > >> assessment. If so, any constructive suggestions are welcome. > >> > >> Ref: [1] > >> https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-19 > >> <https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-19> > >> > >> Best regards, Rene > >> > >> On 2020-11-06 5:04 p.m., John Mattsson wrote: > >> > >> Hi, > >> > >> I looked through this draft again. I think it is a > >> very good draft and I think it will be a solution to > >> some of the problems IoT devices have with Ed25519. I > >> will bring up this draft for discussion in the LAKE > >> WG at IETF 109. > >> > >> I find it strange that the IANA registration has not > >> been coordinated with COSE WG at all. I am a bit > >> surprised to see IANA registrations for > >> COSE/JOSE/PKIX/CMS at all in a LWIG draft (is that in > >> charter?). If LWIG wants to register new algorithms, > >> I think LWIG at a minimum should coordinate with COSE > >> WG and other groups. I think this draft should be > >> presented at the next COSE WG meeting. > >> > >> I support registration of W-25519 and W-448 curves as > >> long they agree with NIST. I would like answers to > >> the questions why ECDSA25519 and ECDH25519 are needed > >> at all. There is no ECDSAP256 and no ECDHP256, so why > >> are specific algorithm registration needed for > >> W-25519? It makes no sense to me that a special > >> signature registration is needed for COSE but not for > >> PKIX? If PKIX can use ecdsa-with-SHA256 why cannot > >> COSE use ES256? > >> > >> I don't think ANSI X9.62 is an acceptable normative > >> reference. NIST just removed the normative reference > >> to ANSI X9.62 in SP 186-5. > >> > >> Cheers, > >> > >> John > >> > >> *From: *COSE <cose-bounces@ietf.org> > >> <mailto:cose-bounces@ietf.org> on behalf of Rene > >> Struik <rstruik.ext@gmail.com> > >> <mailto:rstruik.ext@gmail.com> > >> *Date: *Friday, 6 November 2020 at 20:37 > >> *To: *Göran Selander > >> <goran.selander=40ericsson.com@dmarc.ietf.org> > >> <mailto:goran.selander=40ericsson.com@dmarc.ietf.org>, > >> "lwip@ietf.org" <mailto:lwip@ietf.org> > >> <lwip@ietf.org> <mailto:lwip@ietf.org>, > >> "cose@ietf.org" <mailto:cose@ietf.org> > >> <cose@ietf.org> <mailto:cose@ietf.org> > >> *Subject: *Re: [COSE] > >> draft-ietf-lwig-curve-representations-13 > >> > >> Hi Goran: > >> > >> Please find below some brief feedback on your note: > >> > >> - the naming wei25519 has been around since the first > >> draft (Nov 13, 2017, i.e., 3 years minus 1 week ago), > >> see [1]. NIST indeed produced two draft documents, > >> viz. Draft NIST SP 800-186 and Draft FIPS Pub 186-5 > >> (on October 31, 2019), which generated lots of (to my > >> knowledge still unresolved) comments during public > >> review. It is hard to refer to that document, since > >> it is only a draft and unfortunately has quite a few > >> errors. > >> > >> - earlier versions of the lwig draft have received > >> reviews by the crypto review panel (Stanislavslav > >> Smyshlyaev), iotdir early-review (Daniel Migault); > >> the sections on COSE/JOSE code point assignments > >> resulted from a phone call and various email > >> exchanges with Jim Schaad; the section on PKIX/CMS > >> was suggested during IETF Last-Call secdir-review > >> (Russ Housley) and reviewed by him. The document had > >> IETF Last-Call Aug 24, 2020. See, e.g., the status > >> pages [1]. > >> > >> - ECDSA has been around since 1999, has been widely > >> standardized, and has seen lots of analysis, where > >> ECDSA25519 is simply yet another instantiation. > >> Signature generation and verification times for > >> ECDSA25519 should be similar to those of Ed25519 > >> (since timing is dominated by scalar multiplication, > >> where one could simply use Montgomery arithmetic > >> [3]). In my personal view, ECDSA25519 may be more > >> secure than Ed25519 (if only because it is > >> non-deterministic, see Security section [6]); similar > >> side-channel care has to be taken in either case. > >> > >> - As mentioned in the draft, one can easily switch > >> between Wei25519 and Curve25519 (which requires a > >> single field addition or subtraction only, i.e., > >> <.01%, see Appendix E.2 [7]). As mentioned in the > >> draft, one could use Wei25519.-3 with an existing > >> generic implementation that hardcodes the domain > >> parameter a=-3, but needs to compute an isogeny and > >> dual isogeny for this (adding 5-10% cost, see > >> Appendix G.2 [8]]) and a ~9.5kB table (see Section > >> 5.3 [4]). However, if one already has generic > >> hardware support, one may still have a significant > >> win (see Section 6 [5]). > >> > >> - The isogeny for Wei25519.-3 has odd degree l=47, > >> which is co-prime with the order of the curve, so is > >> in fact invertible. With Wei448.-3, the isogeny has > >> degree l=2, so is not invertible; however, this does > >> not really matter, since it is invertible with > >> correctly generated public-private key pairs (which > >> have prime/odd order) and the factor two is absorbed > >> with co-factor ECDH, where h=4 then. > >> > >> I hope this helps. > >> > >> (*) For ease of tracking, it would help if iana > >> related comments are flagged in the subject line > >> (e.g., include (iana) in the beginning hereof). > >> > >> Best regards, Rene > >> > >> Ref with hyperlinks: > >> > >> [1] > >> https://datatracker.ietf.org/doc/html/draft-struik-lwig-curve-representations-00 > >> <https://datatracker.ietf.org/doc/html/draft-struik-lwig-curve-representations-00> > >> > >> [2] > >> https://datatracker.ietf.org/doc/draft-ietf-lwig-curve-representations/ > >> <https://datatracker.ietf.org/doc/draft-ietf-lwig-curve-representations/> > >> > >> [3] > >> https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-13#section-4.3 > >> <https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-13#section-4.3> > >> > >> [4] > >> https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-13#section-5.3 > >> <https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-13#section-5.3> > >> > >> [5] > >> https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-13#section-6 > >> <https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-13#section-6> > >> > >> [6] > >> https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-13#section-8 > >> <https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-13#section-8> > >> > >> [7] > >> https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-13#appendix-E.2 > >> <https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-13#appendix-E.2> > >> > >> [8] > >> https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-13#appendix-G.2 > >> <https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-13#appendix-G.2> > >> > >> On 2020-11-06 11:19 a.m., Göran Selander wrote: > >> > >> Hi, > >> > >> Apologies for cross-posting LWIG and COSE. I had > >> a brief look at > >> draft-ietf-lwig-curve-representations-13 and > >> noticed it registers a lot of new COSE(andJOSE, > >> PKIX, and CMS) algorithms. Has this draft been > >> discussed in COSE(JOSE/CURDLE)? If not, perhaps > >> it should be before being progressed? > >> > >> 1.The draft needs to manage the overlap with NIST > >> SP 800-186, which should be referenced and > >> mappings, name of curves, etc. aligned. The draft > >> defines Wei25519 and Wei448. It is unclear if > >> these are identical to W-25519, W-448 as defined > >> in NIST SP 800-186. We probably would not want > >> two slightly different definitions and/or names, > >> multiple COSE code points, etc. > >> > >> 1.The draft registers the COSE algorithm > >> "ECDSA25519" as "ECDSA with SHA-256 and curve > >> Wei25519". That is not how the other COSE > >> signature algorithms work. They work like PKIX > >> where the curve is given by the public key. Also, > >> why cannot W-25519 be used with the existing > >> ES256 signature algorithm? > >> > >> 2.The draft registers the COSE algorithm > >> "ECDH25519". There are no COSE ECDH algorithms > >> for P-256, why is anECDH algorithm for W-25519 be > >> needed? > >> > >> Other questions. I may have missed it, but > >> > >> 2.is it described what are the expected security > >> properties of ECDSA25519(including mapping) > >> compared to Ed25519? For example w.r.t. side > >> channel attacks? > >> > >> 3.has any performance measurements been made > >> comparing ECDSA25519 (including mapping) and Ed25519? > >> > >> 4.similar questions on security and performance > >> with Wei25519.-3 instead of Wei25519. If I > >> understand right, the former mapping is not > >> reversible, but could benefit from optimized code > >> with hardcoded domain parameters. > >> > >> 5.ANSI X9.62-2005 was withdrawn in 2015 and is > >> behind a paywall, is this reference necessary? > >> > >> Göran > >> > >> > >> > >> > >> > >> _______________________________________________ > >> > >> COSE mailing list > >> > >> COSE@ietf.org <mailto:COSE@ietf.org> > >> > >> https://www.ietf.org/mailman/listinfo/cose <https://www.ietf.org/mailman/listinfo/cose> > >> > >> -- > >> > >> email:rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com> | Skype: rstruik > >> > >> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867 > >> > >> --> > >> > >> -- > >> > >> email:rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com> | Skype: rstruik > >> > >> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867 > >> > >> -- > >> > >> email:rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com> | Skype: rstruik > >> > >> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867 > >> > >> -- > >> > >> email:rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com> | Skype: rstruik > >> > >> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867 > >> > >> -- > >> email:rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com> | Skype: rstruik > >> cell: +1 (647) 867-5658 | US: +1 (415) 287-3867 > > > > > > -- > > email:rstruik.ext@gmail.com | Skype: rstruik > > cell: +1 (647) 867-5658 | US: +1 (415) 287-3867 > > > -- > email: rstruik.ext@gmail.com | Skype: rstruik > cell: +1 (647) 867-5658 | US: +1 (415) 287-3867 > > _______________________________________________ > COSE mailing list > COSE@ietf.org > https://www.ietf.org/mailman/listinfo/cose
- [COSE] draft-ietf-lwig-curve-representations-13 Göran Selander
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… John Mattsson
- Re: [COSE] draft-ietf-lwig-curve-representations-… Ilari Liusvaara
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] [Lwip] draft-ietf-lwig-curve-represent… Mohit Sethi M
- Re: [COSE] [Lwip] draft-ietf-lwig-curve-represent… John Mattsson
- Re: [COSE] [Lwip] draft-ietf-lwig-curve-represent… Mohit Sethi M
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Ilari Liusvaara
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… John Mattsson
- Re: [COSE] draft-ietf-lwig-curve-representations-… Benjamin Kaduk
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- [COSE] (small timeline correction) Re: draft-ietf… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… John Mattsson
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Benjamin Kaduk
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Benjamin Kaduk
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik