Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: Incompatible encoding of EdDSA public keys

Jim Schaad <ietf@augustcellars.com> Fri, 28 February 2020 18:25 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E39773A0E0C for <cose@ietfa.amsl.com>; Fri, 28 Feb 2020 10:25:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GDT1TxJqfvKN for <cose@ietfa.amsl.com>; Fri, 28 Feb 2020 10:25:04 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6E153A0E01 for <cose@ietf.org>; Fri, 28 Feb 2020 10:25:03 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 28 Feb 2020 10:24:48 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Neil Madden' <neil.madden@forgerock.com>, 'Andrew Kozlik' <andrew.kozlik=40satoshilabs.com@dmarc.ietf.org>
CC: 'cose' <cose@ietf.org>
References: <CACvH2enmaEC4TRmP27iCMMtnPmpuO1othFwoaR7z0zgu9D8iAQ@mail.gmail.com> <14708E54-D934-4D74-BF4D-DF75AE549163@forgerock.com>
In-Reply-To: <14708E54-D934-4D74-BF4D-DF75AE549163@forgerock.com>
Date: Fri, 28 Feb 2020 10:24:46 -0800
Message-ID: <036601d5ee64$5c75c520$15614f60$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0367_01D5EE21.4E539690"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQLZxn/MzwHIKW6utgQec6Ba19Uf+gJ68ZLophVhh6A=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/bFL9esa8sd3sVa9PZuipQAccXjE>
Subject: Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: Incompatible encoding of EdDSA public keys
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Feb 2020 18:25:12 -0000

This would seem to be more of an issue of what the text label in the OKP key
type is.  I have no problems with changing this is the COSE document as the
text label is completely arbitrary.   On the other hand, keeping the
correspondence to what is in the JOSE draft also seems to be of importance.
It would be easy to make the change and have a note that dealt with the
differences however.

 

Andrew, I completely disagree with you that there are two fields are the
result of encoding a public key in the EdDSA draft.  Section 5.1.2 makes it
clear that when you are finished you only have an integer value of 32
octets.  There is no separate sign bit so changing it to EC2 would be
completely inappropriate.     If you look at the examples in section 7 you
will see that the Public Key is clearly just a single 32 octet value with no
place for a sign bit.

 

I believe that the correct result that has been implemented for both JOSE
and COSE is to take encoding that is specified in RFC 8152 and use that as
the public key.  I know that I compared all of my code with the text vectors
in RFC 8152 so that I will be shocked if this is not true.  If this is not
clear in either document then we need to change that text.

 

Jim

 

 

From: COSE <cose-bounces@ietf.org> On Behalf Of Neil Madden
Sent: Thursday, February 27, 2020 8:23 AM
To: Andrew Kozlik <andrew.kozlik=40satoshilabs.com@dmarc.ietf.org>
Cc: cose <cose@ietf.org>
Subject: Re: [COSE] draft-ietf-cose-rfc8152bis-algs-06: Incompatible
encoding of EdDSA public keys

 

This seems to be an unfortunate choice (mistake?) in RFC 8152. The OKP key
type for JOSE (https://tools.ietf.org/html/rfc8037#section-2) uses the "x"
field for the public key (however encoded), so for EdDSA keys the "x" field
in an OKP is actually the encoded form specified in RFC 8032: a y-coordinate
and the sign bit of the x-coordinate.

 

IMO the OKP key type in JOSE is a bit of a mess. It would have been better
to define separate key types for Montgomery x-only public keys vs EdDSA
keys, or else otherwise call that field "pub" or something less likely to be
misinterpreted. I'm not sure trying to cram Edwards curves into the EC2 key
type makes things any better and may break assumptions in code about EC2
keys always being used for Weierstrass-form curves only.

 

I think it would be best to either register an errata against RFC 8152 (and
fix in the draft) that brings the COSE OKP type into alignment with JOSE and
state that the "x" field for EdDSA keys is the RFC 8032 encoded form. Or
otherwise define an entirely new key type and deprecate the use of OKP for
EdDSA keys.

 

On 27 Feb 2020, at 15:14, Andrew Kozlik
<andrew.kozlik=40satoshilabs.com@dmarc.ietf.org
<mailto:andrew.kozlik=40satoshilabs.com@dmarc.ietf.org> > wrote:

 

Hello everyone,

 

I encountered a bug in libfido2
(https://github.com/Yubico/libfido2/issues/136), which leads me to propose
some changes in COSE encoding of EdDSA public keys. Here is the problem: 

 

The standard encoding of EdDSA public keys as defined in
https://tools.ietf.org/html/rfc8032#section-5.1.2
<https://tools.ietf.org/html/rfc8032#section-5.1..2>  encodes the
y-coordinate and the sign of the x-coordinate of the EC point as the public
key. COSE on the other hand encodes only the x-coordinate as the public key,
see
https://tools.ietf.org/html/draft-ietf-cose-rfc8152bis-algs-06#section-7.2.
There are two problems with this discrepancy:

 

1. As far as I know, all libraries support only the standard RFC 8032
encoding of public EdDSA keys. Computing the y-coordinate from the
x-coordinate and vice versa is not straightforward, because it involves some
multi-precision modular arithmetic, making it very problematic to use the
COSE format for anyone who is not well versed in the mathematics of ECC.
Even if libraries were to support both encodings in the future, it would
cause a lot of pointless confusion to developers.

 

2. There is no way to determine the sign of the y-coordinate from knowing
only the x-coordinate. Thus when verifying a signature, one has to try both
signs for the y-coordinate of the public key and accept the signature if
either of the two signature verifications passes.


To resolve these issues, I propose the following changes:

 

1. In Table 18,
https://tools.ietf.org/html/draft-ietf-cose-rfc8152bis-algs-06#section-7.1,
the key type of Ed25519 and Ed448 keys should be changed to EC2.

 

2. In Section 7.1.1,
https://tools.ietf.org/html/draft-ietf-cose-rfc8152bis-algs-06#section-7.1.1
, the 'x' parameter of EC2 keys should be allowed to contain either the sign
bit or the value of the x-coordinate for the EC point. In addition there
should be a requirement stating that if the 'x' or 'y' parameter is present
in the structure, then at least one of them MUST be of CBOR type bstr.

 

Cheers,

Andrew Kozlik

_______________________________________________
COSE mailing list
COSE@ietf.org <mailto:COSE@ietf.org> 
https://www.ietf.org/mailman/listinfo/cose