IETF Logo Mail Archive

Re: [COSE] draft-ietf-lwig-curve-representations-13

Rene Struik <rstruik.ext@gmail.com> Thu, 14 January 2021 14:29 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3614D3A150B for <cose@ietfa.amsl.com>; Thu, 14 Jan 2021 06:29:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.36
X-Spam-Level:
X-Spam-Status: No, score=-2.36 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.262, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dGm3wDTuW3dL for <cose@ietfa.amsl.com>; Thu, 14 Jan 2021 06:29:30 -0800 (PST)
Received: from mail-qv1-xf2d.google.com (mail-qv1-xf2d.google.com [IPv6:2607:f8b0:4864:20::f2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CCF03A1507 for <cose@ietf.org>; Thu, 14 Jan 2021 06:29:30 -0800 (PST)
Received: by mail-qv1-xf2d.google.com with SMTP id l7so2340101qvt.4 for <cose@ietf.org>; Thu, 14 Jan 2021 06:29:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:cc:references:from:subject:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=LHSkwpx1Uu3rFhmnlWvQUWNGHObXwWt8Ies9ek1KQW0=; b=LndONyOZpK/UAldgDr+WbuMHTfhlI3kMnEvq3w+RJh43WZM4jvnVLgUcHRUGREVi6O jeed0h5kj2v19pbfkJBs/s8AAduKfjsPjxASO25rIk5iQqMt1b06CtSWUeXWNmUjZw90 jdMW4WLivTdxrDrW/edFg14f5/w7AWO/tYi3THbrAVTZ57d7Rbes5cM4prxQHlRmY48B 8OhVxtbQ5Kbi9DK4dr4h7RwMBCqInXX4rV2ya6ITVilqybwSDNhP9gi/lgoxthi/AX0G MsCfjwZZ/4EE5XrYVC4X1rAxT5wZ9bdI5LR8gnvVPshnKjPU+crHjYXOyOls/vUe/GTb GHPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:cc:references:from:subject:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=LHSkwpx1Uu3rFhmnlWvQUWNGHObXwWt8Ies9ek1KQW0=; b=mMX6ir1TxCpGsnpduQszjSZjlKcIH8joIWCnGQwATVgQKxDGXV3aQ7WCOLH90n7yE6 IiMQH0gMmAjsobYZjkSvYfb22Ca4ktIVZoYWFrQPBLWP1BKuCPv+u3e44tJ7IIJS2qf3 wWcR7b+eEES1SINTJvBuqoj5rcN02qW9UYcNvQc9Yo7BFSBFr13zeEO3w3AyC9LKVN0f 9V7VC9OMJQsM8BADyPN1JORpR/u3B7qpkfWzrV6YXLUV3Kv05ynUKKBhd20KLTcY7VGL lxX4Jc27Hxg0TQp12hOmPmAVUyxgjufg6sjNpQj1jaqTca9pp6DNbvKx14aVhgD0nR4f pr4g==
X-Gm-Message-State: AOAM5306qMqFYYoiAlYRl2eUYmdElBRQj6b+B1uQJ1iyxjQaEmHNzPkm RcDJNAF+eexOiwk5r8jC1rHOVWduQrY=
X-Google-Smtp-Source: ABdhPJyh7YpoZTDzS/PCB29cOetBfevugr0MoOO4o9f6YBpvMVVVdCl2CfnBrEgXxxWOOkPn8ubPFg==
X-Received: by 2002:ad4:4aac:: with SMTP id i12mr7479354qvx.10.1610634568678; Thu, 14 Jan 2021 06:29:28 -0800 (PST)
Received: from ?IPv6:2607:fea8:8a0:1397:a160:5898:bc8:aa86? ([2607:fea8:8a0:1397:a160:5898:bc8:aa86]) by smtp.gmail.com with ESMTPSA id x25sm2995645qkx.88.2021.01.14.06.29.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 14 Jan 2021 06:29:27 -0800 (PST)
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "cose@ietf.org" <cose@ietf.org>
References: <HE1PR0702MB36745AEC1C6E929CA4D9A1C7F4ED0@HE1PR0702MB3674.eurprd07.prod.outlook.com> <be8f9113-a74a-7358-383c-927e7fab0f13@gmail.com> <3DEA816D-EBFE-4914-B327-5EA11ECABF45@ericsson.com> <15a95ece-d580-1a28-24f0-0ecb71631c70@gmail.com> <f1f45799-8469-842a-c1d3-81c5362a68f1@gmail.com> <YABDKkUcwk2Sib/5@LK-Perkele-VII>
From: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <2219c654-8e25-1540-44a9-b49c527ec781@gmail.com>
Date: Thu, 14 Jan 2021 09:29:24 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.1
MIME-Version: 1.0
In-Reply-To: <YABDKkUcwk2Sib/5@LK-Perkele-VII>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/oFTcLg_HviER-B7ciZGjPLR9xms>
Subject: Re: [COSE] draft-ietf-lwig-curve-representations-13
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jan 2021 14:29:32 -0000

Hi Ilari:

I do not understand your posting, which is full of hearsay and 
ill-defined terms, such as "odd way", "usually", "have not tested this" 
(which are subjective terms). Can we please stick to facts?

ECDSA has been introduced in 1999 [1]. The specification of ECDSA25519 
[2] and that of ECDSA448 [3] uses the description in FIPS Pub 186-4, 
which is unambiguous.

If you nevertheless believe there are ambiguities in the specification, 
please point those out succinctly and in a technical matter, with 
detailed reference to the alleged substep where this "mishap" occurs.

Best regards, Rene

Ref:
[1] Don Johnson, Alfred Menezes, "The Elliptic Curve Digital Signature 
Algorithm (ECDSA)", CACR Corr 99-34.
[2] 
https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-19#section-4.3 

[3] 
https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-19#section-4.4



On 2021-01-14 8:12 a.m., Ilari Liusvaara wrote:
> On Wed, Jan 13, 2021 at 09:26:15AM -0500, Rene Struik wrote:
>> Hi Goran, John:
>>
>> Please let me know if my response to the COSE mailing list (Dec 19th) works
>> for you. If you have comments, please suggest constructive improvements.
>>
>> I really would like to get closure on this.
>>
>> I value your feedback, even though you brought up your points more than two
>> months after the IETF Last-Call. I hope we can move forward without undue
>> delays.
>>
>> Thanks for your help, Rene
>>
>> On 2020-12-19 11:01 a.m., Rene Struik wrote:
>>> Dear John:
>>>
>>> Based on your review and other feedback received, I slightly updated the
>>> draft and posted the latest revision as [1].
>>>
>>> Your review below (of Nov 6, 2020) seems to bring up three topics, viz.:
>>> (1) definition of Wei25519 and Wei448 vs. verbiage in NIST docs; (2)
>>> need for iana registrations for ECDSA25519 and ECDSA448; (3) need for
>>> iana registrations ECDH25519 and ECDH448.
>>>
>>> Please find below some feedback.
>>>
>>> General feedback:
>>>
>>> Please bear in mind that the specifications of ECDSA25519 and ECDH25519
>>> in the lwig curve document aim to yield schemes that are strictly
>>> NIST-compliant (i.e., these would allow FIPS 140-2 accreditation if the
>>> curves would be in the "NIST recommended" set). See also Note 2 of
>>> Section 4.1 of [1]. A similar remark applies to ECDSA448 and ECDH448.
> I think the spec should call out the odd way hash truncation in ECDSA
> works with these curves, as it is unlikely implementations have
> encountered that kind of special case before.
>
> As far as I understand (z is the integer value representing the message
> in both signing and verification... I have not actually tested these, so
> there might be bugs):
>
> 1) Wei25519:
>
> C = 31;
> if len(hash) > C:
>    z = int.from_bytes(hash[:C],byteorder="big");
>    y = hash[C];
>    if is_sha2(hashfunc):
>      z += y // 8 << 8*C;
>    elif is_sha3_or_shake(hashfunc):
>      z += y % 32 << 8*C;
>    else:
>      raise ValueError("Unsupported hash");
> else:
>      z = int.from_bytes(hash,byteorder="big");
>
> 2) Wei448:
>
> C = 55;
> if len(hash) > C:
>    z = int.from_bytes(hash[:C],byteorder="big");
>    y = hash[C];
>    if is_sha2(hashfunc):
>      z += y // 4 << 8*C;
>    elif is_sha3_or_shake(hashfunc):
>      z += y % 64 << 8*C;
>    else:
>      raise ValueError("Unsupported hash");
> else:
>      z = int.from_bytes(hash,byteorder="big");
>
> Where is_sha2 and is_sha3_or_shake are predicates for the hash function
> that check if the hash function used is one from SHA-2 or from
> SHA-3/SHAKE respectively. The dependence on these predicates cause major
> issues with traditional signhash-style ECDSA implementations.
>
>
> If the above is wrong (beyond just bugs or typos), it would be
> especially necressary to write how the case is handled, as even trying
> to carefully work out how it works leads to wrong result.
>
>
> (For comparision, here is what truncation looks for P-256:
>
> if len(hash) > 32: hash = hash[:32];
> z = int.from_bytes(hash,byteorder="big");
>
>
> There is no reference to hash function used.
> )
>
>
>>> Detailed feedback:
>>>
>>> (2) Need for iana registrations for ECDSA25519 and ECDSA448.
>>>
>>> ECDSA is determined by an instantiation of hash function, curves, and
>>> representation conventions for inputs and outputs (i.e., message
>>> representation, curve point representation, and signature
>>> representation).
>>> a) ECDSA448 uses SHAKE256 under the hood, which is currently not defined
>>> with COSE. Hence, my request to register ECDSA w/ SHAKE256 and Wei448 as
>>> "ECDSA448".
>>> b) ECSA25519 uses SHA256 and Wei25519 under the hood. I thought to
>>> request to register "ECDSA25519" since this would allow referencing the
>>> quite careful write-up (Section 4.3), including bit/byte ordering,
>>> checks, and nondeterministic behavior (and, thereby, keeping this
>>> concise). Please note that this is very similar to the COSE IANA
>>> registry for "ES256k1" (ECDSA w/ SHA256 and Bitcoin curve secp256k1).
> This is not how ECDSA is usually used (and this goes to a lot of other
> things besides COSE and JOSE, e.g. to TLSv1.2 and PKIX). Usually in ECDSA,
> the algorithm determines the hash function, and key determines the curve.
> This would presumably still hold if doing agility-by-key (not that either
> COSE nor JOSE have the necressary means for that).
>
> IMO, ES256k1 was a mistake. That should have had alg ES256 and
> crv secp256k1.
>
> (TLSv1.3 mixes hash and curve, but seemingly only to simplify
> negotiation, which is not applicable here, since COSE/JOSE are not
> interactive. Many implementations probably do not check that the curve
> is correct. Mine certainly does not.)
>
>>> (3) Need for iana registrations ECDH25519 and ECDH448.
>>>
>>> ECDH25519 and ECDH448 are co-factor Diffie-Hellman key establishment
>>> schemes and can, therefore, not be based on (cofactorless)
>>> Diffie-Hellman, as defined in RFC 8152. (Please note that there is no
>>> difference for the NIST curves, which all of co-factor h=1, but in our
>>> case one has h=8 and h=4, respectively). Here, one should note that the
>>> ECDH25519 and ECDH448 write-ups (Section 4.1 and 4.3) quite carefully
>>> cross-reference co-factor ECDH in a NIST-compliant way. Apart from the
>>> co-factor ECDH vs. ECDH issue and objective to comply with all strict
>>> NIST validation checks, the objective was also to make sure that
>>> ECDH25519 and ECDH448 can be used in settings where either or both
>>> parties uses ephemeral keys (which is more flexible than what RFC 8152
>>> allows).  Hence, the request to register "ECDH25519" and "ECDH448", to
>>> make sure this covers the intent of these schemes accurately and with
>>> precise description.
> COSE does not just have ECDH, it has many different variants of ECDH.
> It would probably be easier to define cofactor ECDH by performing the
> cofactor multiplication (which seems to be the only difference between
> cofactor and non-cofactor ECDH) in output shared secret conversion.
> Otherwise one would need at least 8 new algorithms (SS/ES times KW/KDF
> times 128/256).
>
>
>
> -Ilari


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867

v2.23.0 | Report a Bug | By Email