[COSE] Response to IETF 111 Agenda questions for draft-denhartog-pairing-curves-jose-cose
Kyle Den Hartog <kyle.denhartog@mattr.global> Mon, 02 August 2021 06:08 UTC
Return-Path: <kyle.denhartog@mattr.global>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1A993A0BB2 for <cose@ietfa.amsl.com>; Sun, 1 Aug 2021 23:08:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mattrglobal242.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QIPN_STTVeVA for <cose@ietfa.amsl.com>; Sun, 1 Aug 2021 23:08:20 -0700 (PDT)
Received: from AUS01-ME3-obe.outbound.protection.outlook.com (mail-me3aus01on2108.outbound.protection.outlook.com [40.107.108.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69C8F3A0BB1 for <cose@ietf.org>; Sun, 1 Aug 2021 23:08:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gYFKoJG3Ip5J8nZdh8q1PjykU1qrAVwI5pcxtFVVADeMBaDaH4Le8jHt6n8JvjXufrD80vK5OX8EYFiC6TdMbj+HGM1h6TrylonSQH/WL8GnUgd+XMAF4QiK8E1z43Jq2Lbsb1cRspXYREXXs1WAKsap9R+tWZMHQEL/SIvyhyV/GES38mmCd0VHRHBXrkt2bHpYxTwncqshIC7X6ozmVH4DDQyaifVl46Cbzq8pDYOOEr2F5YtppHafUyCVULuZvJ6jkNw6m1U3uk4W1yzq8FzaupUoK+PwfTgbcHtLq13UJsgCkluAgNKHxI4ozreuvd9DcK04aEYN0Sh+59oygg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Ibfnvm3iVBDu7Ls5gFYJp8iOGSaoS/x1ac5sV0M1TFo=; b=HSLSVSRtZowOln+c4juH6C89xGOokxMKAaOta+nwpHvG7SATE3i4Km3RFMihXp6OH4lvCXsqhI3laFJZGxJe4hhznemLU/TNI6G8JFCSlq7MjMrOxN/pTfp/EU11Gd+mKNmIZ00hylPrcUdMUWvJ6U5KIP5eZuIwYxznBkJxedhuSPCQoWxnkL2M05G9m8EfwMFRBDTGLVuq5nc7CHrECOSiKCJqClHKQFkAl8VoCx71T9Wsxfv6QGrS+q2euZCOV1IfT2Hg+UJYWGYejHBvhaSX3hQUx6wHYGl+4Ew3teLNIMQHYshJx2wOn5Na8d4e85ibDRO47aLtWOkuLoo9og==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mattr.global; dmarc=pass action=none header.from=mattr.global; dkim=pass header.d=mattr.global; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mattrglobal242.onmicrosoft.com; s=selector1-mattrglobal242-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Ibfnvm3iVBDu7Ls5gFYJp8iOGSaoS/x1ac5sV0M1TFo=; b=IGuOOmXQBUUhZzdq+b5RzuDSoiUUBb2qUbjQrfHsa018o8CSKN5qKZmkz59RhjtDNtFAnNx3OpqMwLJjOyoBgHVbyVL+SAHXLnAApE6Cwmn891UYOroQK3UT783GxXkJm4Rxyi4ZOlmc9hfAIUGYEjhKHd229UPF2FfUYqK3HCA=
Received: from SY4P282MB0796.AUSP282.PROD.OUTLOOK.COM (2603:10c6:10:a9::8) by SYBP282MB0667.AUSP282.PROD.OUTLOOK.COM (2603:10c6:10:18::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4373.20; Mon, 2 Aug 2021 06:08:16 +0000
Received: from SY4P282MB0796.AUSP282.PROD.OUTLOOK.COM ([fe80::1d34:fe2a:57a1:28e]) by SY4P282MB0796.AUSP282.PROD.OUTLOOK.COM ([fe80::1d34:fe2a:57a1:28e%7]) with mapi id 15.20.4373.026; Mon, 2 Aug 2021 06:08:16 +0000
From: Kyle Den Hartog <kyle.denhartog@mattr.global>
To: "cose@ietf.org" <cose@ietf.org>
Thread-Topic: Response to IETF 111 Agenda questions for draft-denhartog-pairing-curves-jose-cose
Thread-Index: AQHXh14rDCNZ4UEEXka/UfIWuuJSyg==
Date: Mon, 02 Aug 2021 06:08:16 +0000
Message-ID: <SY4P282MB079646C3E9D472CE7A34D233FCEF9@SY4P282MB0796.AUSP282.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=mattr.global;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5c4492b6-b51b-4b53-b3ea-08d9557beb74
x-ms-traffictypediagnostic: SYBP282MB0667:
x-microsoft-antispam-prvs: <SYBP282MB0667F3590E65E399FF0B4222FCEF9@SYBP282MB0667.AUSP282.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: BKS5BhyxKV6gThtqgmxIfaL9WoeTuJXQI9P3SWdTfON1YI0Ui8wxAUzqATVGFz5vho6JLq0sOcgnYqs2y87tGe1L+GhUtTDOyKYqIm3ICm4G2wffouXEtQOW3tNXf8U+hI/dGlD4pbZHE8Idn/SjvHvTe6h/rE/1Wq8L/NHvJES/ixuAoM501Z5E1BvrTr3T4kpNYTs6zrAvwxQ8K4YjOS2vby198CJxuku6jvjhXt4/AXRjn0h+cfpNG4OGI3y/K4EnK3NHI5qfzlOYbftJ59/gy/dw3xLWZBGjUc2L2hAEQDrvFm78QLetEvaZx/gmeQv5BJad+EpnZBVxyib75QxpIaQTH0SzfSGYXBT0uhaXBzrFf2YYySve65OdLU9xEuAa5xLGP+0T0JAlbbipkzk2pG4fDc2zWqCXHaM4ig1M7BTMuDbzG3ihGGOKsLRI3k93C5J7T6c6V0CjruMTsBUdNzkC+8RA6byvzFbei/b2NrXVqjDbJ7F6KS61To4QYrfcrYhARW6CUzwQ4t0qK6FPyJkQduas/euC5mJPs+x4We8xJ7rYQOSD/Ej9x1I7JOD1L2VGM+vFGmXRdNzDxMUEXTtR6m7enkOxtYipSc+F2Q4vNtMnHvGiajIPRTwfuph6jXs9ASK2egL2VwcAO29wORMJ/ResmWS7wY8N0AQlO9a3ZcDrVGv/6snxbfHTPg9PISnjBCKmFsMbQm5OcUWxGu9nhmD5KA+guy/bx2WOscVlOW5vZvCORKwaYJMf58JhcDJcbQ+nbPlKUzt5jA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SY4P282MB0796.AUSP282.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(396003)(366004)(376002)(39830400003)(346002)(136003)(66476007)(186003)(66946007)(8936002)(478600001)(66446008)(64756008)(66556008)(71200400001)(76116006)(38070700005)(33656002)(6916009)(38100700002)(8676002)(2906002)(19627235002)(6506007)(55016002)(19627405001)(9686003)(166002)(7696005)(52536014)(966005)(83380400001)(122000001)(316002)(5660300002)(86362001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: CK2eNYQJWx1hjzG/665cSPJl3BTVu4byc3KJ65KwrV8fsAHVEpTIOALGf4mrhTkWzXvRA2cBjylK8aBq22Imk7ovyIoXBvIpefrffMflUbKiylMAPlK+ZZoCRN/3Ap/wrzSrAg2qF0b4YhIQXerwq7i2bA2zXY/ogDXmftg876Vy8+GpcQ0hAmPoZMI5OQAh+7YUqwzz/VA+JYgJiTjY8IH++r1O5a5PO8rMKxjbDluXEN92zuINqGUtEcthSExZgz9/L1ki2RIloNX6/oheatksx2H4auVUx322Z3O6OLTwi0ArRr2UWY1u6Y+SJpEZOkDmaFNug1RhpwEd8WIDdgGLE/M89BGx/+N8l6jpT3rtTflWNJhRlYKpAtyMAP9l6hz5cs60jhBKY9eh5qK68hzQdq0v8TqYCnJU7nmGSabII1DhUAMRb+iQXuUobpdOhZ60375w6wDv9mX15W6mBaMwl+B61+GyjPkkXQWrnwXdNtEP99VuWalu1cNDyURNuYgcjHFSQT3NrZkDNlT14igg7Jcf+TWGe5dOkz2wQa+n6vAXDcBe/JXVWIYYR/FE69hrM3+R3K/TbJXZ3gGk5thgXCSrC0RrhKacA7kqUupuQvER4bP6WYN8jaRj7HMXsFfTavHEh4fDA5GBGy0y4L08Ppz6v38kS35agsrldmVKeYyAmDPyy246/w4mSmRXkUTIjpd2BbqiAtdnsNyLfYbE/pFhU+kcdHQZJJeKD51Q9ujFv0QaFDIlXc3e4kRn9HbiW1nrlnjf6Ax+VMMnoVTkuhJIX+VLj3SsTLipyXZ8MKaJnqp6fmWD973WvmczbEd+e6wJuGv+gqxLSNodpYPgtJlReZKETGy011YD3oQpfUj1zFUKgQL58hGyUnzmEUeUkpkM2SyvpcqN3yYnlytaTsf0WElnk7sLD3I/jthx3bL/70BYW48/xKOIoX1K9NZWQeieS9L7JU7Yo7ebHhrbtZaPCCTAexYi5xqNRmd3QfQXMy9GtjhPYf9TAkLK05E+lQWqRy5b5K/dSeecatwHuRQGDkC+qv/CPwqKju9MJaEEEledR/25LuRokJaQDN3q7H1EDQ2xPfWRgHv1dDvlP+DS7LevrykkX45x8HGiyMpjJ2hWfCdaiXNMUUANT0zP0xH1f5fPwfybxPJN++V+fLSZ90t3TB7gQ6E30Gi+I5+SZAR835S3GX6S+8dkjAhPBgrJ2yi4GE3u33y7+YnrB9MMljpI7N8qKod0D8DCtK9pRFMR9g/l/aCyTIBMJrmu3GOsPToZuiRgeeCC6gxbK00zaJI7K6il/gNuNw2FkCksoB7bb5KiqdPa/L2H0lSxcigmvES7gbp2bKcTQXlKj1rTfSn712ZNEmh5OSU=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_SY4P282MB079646C3E9D472CE7A34D233FCEF9SY4P282MB0796AUSP_"
MIME-Version: 1.0
X-OriginatorOrg: mattr.global
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SY4P282MB0796.AUSP282.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 5c4492b6-b51b-4b53-b3ea-08d9557beb74
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Aug 2021 06:08:16.8730 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c2c9cf73-6aae-4702-9844-02adab723771
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: IYvvvGvv+swvp9sRgLUubcNWMSBAHtQKHaxXYj1WgfILHKIFfPQfrF7XTI/9JEo9PQDBaulbwhtaNXZ4F4YUVGls44v5x6GtkYM6pNCauZw=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SYBP282MB0667
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/o96s7i2j8Ns8XeV6HNSJDa8sh14>
Subject: [COSE] Response to IETF 111 Agenda questions for draft-denhartog-pairing-curves-jose-cose
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Aug 2021 06:08:26 -0000
First off thanks Mike Jones for jumping in and PowerPoint jockeying through the slides for me. Sorry for missing the meeting I had a time zone mix up. I was able to rewatch the portion of the recording afterwards and wanted to weigh in on a few questions I heard and had prompted on the slides.
1. Should we use EC2 vs OKP?
* This is where I was going with this question. It was asked to me if SEC1 encoding was commonly in use today. I realize now that the draft doesn't accurately convey that when I referenced SEC1 that I was implying the usage of SEC1 point compression which would then use OKP. I'll need to update that. As far as I've seen it's mainly gone towards OKP (with a single compressed point and a sign) so my take was that we follow that pattern as well. However, the latest pairing-friendly-curves draft[1] references draft-ietf-lwig-curve-representations[2] (note it's draft 08 while the latest draft it's now in Appendix I.5). In this case, my questions was trying to figure out if the draft should use the SEC1 compression serialization of the keys which seems more common in JOSE and COSE or if it would be better to continue in the serialization method described in section 2.5. In this case, I didn't fully understand what was being described in the lwig-curve draft, so I opted to go with SEC1 compressions in the initial draft. I'd like to get others to weigh in on if this is even possible first, and then for us to consider what is the better direction.
2. Whether Bn256G1/G2 should be registered and prohibited?
* The discussion hit the nail on the head here. Thank you, Jonathan Hammell, for jumping in and explaining the background on the security issue. My concern was that because the security has been reduced to 100 bits rather than 128 bits does this warrant the draft defining it and marking it as prohibited. My take was "yes" hence the original question.
3. Regarding the G1/G2 question:
* This was largely heading in the direction of trying to figure out if it makes sense to recogonize these separate finite fields as independent "curves" or would it make more sense to use a different way to differentiate them. One suggestion on the github repo has been to use multicodec as an alternative serialization to SEC1 and lwigs-curve and then use that as a way to represent the sub groups. My general take is that this didn't align well with the traditional approach COSE/JOSE have used and so it's going to introduce some new dependencies in many implementations I'd suspect. For this reason I would prefer to not go this route, but am not necessarily certain if my "crv" route is the right way either.
4. Regarding defining these with signatures:
* My general take would be that I'd prefer to not have to do this. Since we haven't implemented any of the signatures schemes that utilize these curves in JOSE or COSE, it would be a bit of a yak shaving exercise for us and our primary goals at this point to have to also define those. I know of some related proposals that are looking to define these signatures (BBS+) in JOSE in the very introductory stages which may pair well with this, but for now I'm of the opinion we could just as easily separate the works. If there is a desire to define at least one signature scheme with this, the IRTF does have the BLS signatures[3] being worked on which would pair well with this work if there's a desire to add threshold signatures to JOSE/COSE.
Hopefully with this additional context to the slides, people may have a better understanding and some further opinions on the various questions to date.
[1]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-10#section-2.5
[2]: https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-08#appendix-J.4
[3]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04/
Thanks,
Kyle Den Hartog
- [COSE] Response to IETF 111 Agenda questions for … Kyle Den Hartog
- Re: [COSE] Response to IETF 111 Agenda questions … Kyle Den Hartog
- Re: [COSE] Response to IETF 111 Agenda questions … David Waite
- Re: [COSE] EXTERNAL: Re: Response to IETF 111 Age… Kyle Den Hartog