[COSE] draft-ietf-cose-rfc8152bis-algs-06: Incompatible encoding of EdDSA public keys

Andrew Kozlik <andrew.kozlik@satoshilabs.com> Thu, 27 February 2020 15:14 UTC

From: Andrew Kozlik <andrew.kozlik@satoshilabs.com>
Date: Thu, 27 Feb 2020 16:14:01 +0100
Message-ID: <CACvH2enmaEC4TRmP27iCMMtnPmpuO1othFwoaR7z0zgu9D8iAQ@mail.gmail.com>
To: cose@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/V9GXBGZ14xOdzml4GI2yF4McKkA>
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>

Hello everyone,

I encountered a bug in libfido2 (
https://github.com/Yubico/libfido2/issues/136), which leads me to propose
some changes in COSE encoding of EdDSA public keys. Here is the problem:

The standard encoding of EdDSA public keys as defined in
https://tools.ietf.org/html/rfc8032#section-5.1.2 encodes the y-coordinate
and the sign of the x-coordinate of the EC point as the public key. COSE on
the other hand encodes only the x-coordinate as the public key, see
https://tools.ietf.org/html/draft-ietf-cose-rfc8152bis-algs-06#section-7.2.
There are two problems with this discrepancy:

1. As far as I know, all libraries support only the standard RFC 8032
encoding of public EdDSA keys. Computing the y-coordinate from the
x-coordinate and vice versa is not straightforward, because it involves
some multi-precision modular arithmetic, making it very problematic to use
the COSE format for anyone who is not well versed in the mathematics of
ECC. Even if libraries were to support both encodings in the future, it
would cause a lot of pointless confusion to developers.

2. There is no way to determine the sign of the y-coordinate from knowing
only the x-coordinate. Thus when verifying a signature, one has to try both
signs for the y-coordinate of the public key and accept the signature if
either of the two signature verifications passes.

To resolve these issues, I propose the following changes:

1. In Table 18,
https://tools.ietf.org/html/draft-ietf-cose-rfc8152bis-algs-06#section-7.1,
the key type of Ed25519 and Ed448 keys should be changed to EC2.

2. In Section 7.1.1,
https://tools.ietf.org/html/draft-ietf-cose-rfc8152bis-algs-06#section-7.1.1,
the 'x' parameter of EC2 keys should be allowed to contain either the sign
bit or the value of the x-coordinate for the EC point. In addition there
should be a requirement stating that if the 'x' or 'y' parameter is present
in the structure, then at least one of them MUST be of CBOR type bstr.

Cheers,
Andrew Kozlik
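
The RFC 8032 Section 5.1.2 encoding the message refers to, worked through for Ed25519 as an added example (not part of the original message, and not code from libfido2 or the COSE draft). It shows the modular arithmetic needed to move between coordinates and the two y values that share a single x; all function names are this example's own.

```python
# Added example: Ed25519 point encoding from RFC 8032 section 5.1.2.
P = 2**255 - 19                               # field prime
D = -121665 * pow(121666, P - 2, P) % P       # curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)             # a square root of -1 mod P

def sqrt_ratio(u, v):
    """Return one square root of u/v mod P, or None if u/v is not a square."""
    w = u * pow(v, P - 2, P) % P
    r = pow(w, (P + 3) // 8, P)
    if r * r % P != w:
        r = r * SQRT_M1 % P
    return r if r * r % P == w else None

def encode_point(x, y):
    """RFC 8032 form: 255-bit little-endian y, low bit of x in the top bit."""
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decode_point(enc):
    """Recover (x, y) from the 32-byte RFC 8032 encoding, rejecting bad input."""
    if len(enc) != 32:
        raise ValueError("expected 32 bytes")
    n = int.from_bytes(enc, "little")
    sign, y = n >> 255, n & ((1 << 255) - 1)
    if y >= P:
        raise ValueError("non-canonical y")
    # Curve: -x^2 + y^2 = 1 + d*x^2*y^2  =>  x^2 = (y^2 - 1) / (d*y^2 + 1)
    x = sqrt_ratio(y * y - 1, D * y * y + 1)
    if x is None or (x == 0 and sign):
        raise ValueError("not a valid point encoding")
    return (x if x & 1 == sign else P - x), y

def y_candidates(x):
    """Both y values sharing one x: y^2 = (1 + x^2) / (1 - d*x^2)."""
    y = sqrt_ratio(1 + x * x, 1 - D * x * x)
    return [] if y is None else sorted({y, (P - y) % P})

# Constructed sample input: the Ed25519 base point in RFC 8032 encoding.
BASE_ENC = bytes.fromhex("58" + "66" * 31)

if __name__ == "__main__":
    x, y = decode_point(BASE_ENC)
    print("x =", x)
    print("y =", y)
    print("y candidates from x alone:", y_candidates(x))
    print("re-encoded:", encode_point(x, y).hex())
```
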