Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: Incompatible encoding of EdDSA public keys
Andrew Kozlik <andrew.kozlik@satoshilabs.com> Sat, 29 February 2020 11:32 UTC
Return-Path: <andrew.kozlik@satoshilabs.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 785013A0815 for <cose@ietfa.amsl.com>; Sat, 29 Feb 2020 03:32:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=satoshilabs.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H4Qr_lEXYob4 for <cose@ietfa.amsl.com>; Sat, 29 Feb 2020 03:32:41 -0800 (PST)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4169C3A0814 for <cose@ietf.org>; Sat, 29 Feb 2020 03:32:41 -0800 (PST)
Received: by mail-ed1-x533.google.com with SMTP id g19so6668992eds.11 for <cose@ietf.org>; Sat, 29 Feb 2020 03:32:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=satoshilabs.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sU5yb5VX7HBla2EYzLZiTcRh7YdQz55w4j72dMZi0dQ=; b=i9FSowoKed46xjr3nmJJuXnJsvLcFYGnkFxLu4IY4JIm0N29g66c3IwxcMluFziF8L 0qXATKZ01zdmXfgVUIcIYddPqN2Cqr18vZbLJuOOB7G+IH/ge5+Pd0R62DZmsME+wmJq ThqZh7Wup9SmjwCyeNT3WZKsqtJjWcus0EiPgp4DnSSHldrcFQSxUBJHBc+QpAvC9Ze+ yNS/GO5UWH0uzthNIyMkrWPPOqNXLxsBb0ntz6m5j/347eYlIW9uXMb2xU6Cst/Jz+e3 KoFiwAlTFdfhUTNCuVGxfM7gchLjZpX6NNIFSW2ND17IVCzKl4hJ89+HmWJcBsGRG+tz Qdfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sU5yb5VX7HBla2EYzLZiTcRh7YdQz55w4j72dMZi0dQ=; b=c7KCbzFuE5S3x62y+tzXI4/pKBCkY9DGl8X/aYq9W7FUwGgzfr0si5geAkPtpOrUmp cBd5jsKjRjnPuQ7J/86AS1jL4RFN68MDNBKjRA+wxd0s2mUJ3Jg2cKVkcyBRJBq5IHqT LSO+nL3L+iNCUzpUwT7sZpxyH2qDRBnwpMDzgDeOekFZFsXthRsl33TYAlcHzSs2DNwn tbkzjtwz0c5OFvCvh5RskYHRsEqd4+39ICsCA4delYTce2R3FbgYIsCid6T4mgbv5LZB OhHZOJ8Ohpo9OEXFAEpbfP/a1/oWaWjnbJe5faSlslY1jPkkhdsmEC+fkTeOR6/Us7kh sD+Q==
X-Gm-Message-State: APjAAAVr80YddVJrQtwvQ7vkkzofeJVJb6Ax49+em8Zziy3rVRbI8/Bt KT6cckuGIs9/SAJcFZCH1/FpbXLZfVtp6arqv06FcA==
X-Google-Smtp-Source: APXvYqyjUv1Gx5sstkf7VEGawA2wJ0kAucrDMXRrS1oMS/KpTiduGFECDNe2S/8OKcixuxn/vlqs/+bKQr5mpRcdlPs=
X-Received: by 2002:aa7:d94d:: with SMTP id l13mr7946708eds.328.1582975959569; Sat, 29 Feb 2020 03:32:39 -0800 (PST)
MIME-Version: 1.0
References: <CACvH2enmaEC4TRmP27iCMMtnPmpuO1othFwoaR7z0zgu9D8iAQ@mail.gmail.com> <14708E54-D934-4D74-BF4D-DF75AE549163@forgerock.com> <036601d5ee64$5c75c520$15614f60$@augustcellars.com> <20200229095225.GA1903405@LK-Perkele-VII>
In-Reply-To: <20200229095225.GA1903405@LK-Perkele-VII>
From: Andrew Kozlik <andrew.kozlik@satoshilabs.com>
Date: Sat, 29 Feb 2020 12:32:28 +0100
Message-ID: <CACvH2e=Z5aDB257pLr6go9DXbuYojNRovcPr7Je=h=9+U6N2Yw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Jim Schaad <ietf@augustcellars.com>, Neil Madden <neil.madden@forgerock.com>, cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c24441059fb54f51"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/ZJEHrtWwQpiZ7oz-gRn63QsGySQ>
Subject: Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: Incompatible encoding of EdDSA public keys
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Feb 2020 11:32:44 -0000
Neil and Ilari, thank you for your feedback, you have identified the problem correctly. Based on all of the responses I see that the intention was to define the OKP key type in COSE to be compatible with the JOSE definition, which is something that I wholeheartedly support. I therefore retract my initial proposal of changing the key type to EC2. Clearly then, the COSE definition of OKP which is currently given in RFC 8152 is completely wrong for Ed25519 and Ed448 and needs to be fixed. Neil, I don't think it's necessary to define a separate type for x-only public keys. Changing the name of the 'x' parameter to something more generic like 'pub' would make a lot of sense though, especially seeing as it got Jim so terribly confused. Andrew On Sat, Feb 29, 2020 at 10:52 AM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Fri, Feb 28, 2020 at 10:24:46AM -0800, Jim Schaad wrote: > > > > I believe that the correct result that has been implemented for both JOSE > > and COSE is to take encoding that is specified in RFC 8152 and use that > as > > the public key. I know that I compared all of my code with the text > vectors > > in RFC 8152 so that I will be shocked if this is not true. If this is > not > > clear in either document then we need to change that text. > > I am not sure I agree. > > The correct interpretation for JOSE is to take the contents of "x" > field, base64url decode it, and stuff the result raw into Ed25519 > signing/verification (as defined by RFC 8032) as an octet string > (and "d" is base64url decoded and stuffed raw into Ed25519 signing). > > I can take the keypair test vector from RFC 8037 and stuff it into > program that definitely takes the above interpretation (I wrote it) > and it both passes key consistency check and passes signature self- > verify check. > > Now, the same program also supports COSE keys. When coding that support, > I assumed that COSE way is straightforward port of JOSE (encode > constants as integers, encode base64url'd string as raw bstr), and thus > the code just stuffs whatever is in "x" field raw into Ed25519 signing/ > verification (as defined by RFC 8032) as an octet string (and "d" is > another bstr and stuffed raw into Ed25519 signing as octet string). > > > Now RFC 8152 says: > > "This contains the x-coordinate for the EC point. The octet string > represents a little-endian encoding of x." > > Which is just plain wrong for Ed25519 and Ed448. As the public key is > encoding of y coordinate together with sign bit of x coordinate. And > even that COSE should not be concerned with: It should treat RFC 8032 > public keys as octet strings. > > And even for X25519 and X448, it is not quite correct, because the > X25519 and X448 public keys are not integers, they are octet strings > (which happen to be little-endian encoding of x coordinate of an > elliptic-curve point). > > Now, it is possible to recover the y coordinate of Ed25519 and Ed448 > keys from the x coordinate, but the algorithm is fairly slow (due to > calculating the lth multiple), and I do not think it has ever been > implemented. > > What I think all COSE implementations of EdDSA do is to stuff the > bstr x raw into RFC 8032 EdDSA implementations as octet string (that is > definitely what my code is doing). > > > -Ilari >
- [COSE] draft-ietf-cose-rfc8152bis-algs-06: Incomp… Andrew Kozlik
- Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: In… Neil Madden
- Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: In… Jim Schaad
- Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: In… Ilari Liusvaara
- Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: In… Andrew Kozlik