Re: [COSE] draft-ietf-lwig-curve-representations-13
Rene Struik <rstruik.ext@gmail.com> Thu, 14 January 2021 14:29 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3614D3A150B for <cose@ietfa.amsl.com>; Thu, 14 Jan 2021 06:29:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.36
X-Spam-Level:
X-Spam-Status: No, score=-2.36 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.262, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dGm3wDTuW3dL for <cose@ietfa.amsl.com>; Thu, 14 Jan 2021 06:29:30 -0800 (PST)
Received: from mail-qv1-xf2d.google.com (mail-qv1-xf2d.google.com [IPv6:2607:f8b0:4864:20::f2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CCF03A1507 for <cose@ietf.org>; Thu, 14 Jan 2021 06:29:30 -0800 (PST)
Received: by mail-qv1-xf2d.google.com with SMTP id l7so2340101qvt.4 for <cose@ietf.org>; Thu, 14 Jan 2021 06:29:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:cc:references:from:subject:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=LHSkwpx1Uu3rFhmnlWvQUWNGHObXwWt8Ies9ek1KQW0=; b=LndONyOZpK/UAldgDr+WbuMHTfhlI3kMnEvq3w+RJh43WZM4jvnVLgUcHRUGREVi6O jeed0h5kj2v19pbfkJBs/s8AAduKfjsPjxASO25rIk5iQqMt1b06CtSWUeXWNmUjZw90 jdMW4WLivTdxrDrW/edFg14f5/w7AWO/tYi3THbrAVTZ57d7Rbes5cM4prxQHlRmY48B 8OhVxtbQ5Kbi9DK4dr4h7RwMBCqInXX4rV2ya6ITVilqybwSDNhP9gi/lgoxthi/AX0G MsCfjwZZ/4EE5XrYVC4X1rAxT5wZ9bdI5LR8gnvVPshnKjPU+crHjYXOyOls/vUe/GTb GHPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:cc:references:from:subject:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=LHSkwpx1Uu3rFhmnlWvQUWNGHObXwWt8Ies9ek1KQW0=; b=mMX6ir1TxCpGsnpduQszjSZjlKcIH8joIWCnGQwATVgQKxDGXV3aQ7WCOLH90n7yE6 IiMQH0gMmAjsobYZjkSvYfb22Ca4ktIVZoYWFrQPBLWP1BKuCPv+u3e44tJ7IIJS2qf3 wWcR7b+eEES1SINTJvBuqoj5rcN02qW9UYcNvQc9Yo7BFSBFr13zeEO3w3AyC9LKVN0f 9V7VC9OMJQsM8BADyPN1JORpR/u3B7qpkfWzrV6YXLUV3Kv05ynUKKBhd20KLTcY7VGL lxX4Jc27Hxg0TQp12hOmPmAVUyxgjufg6sjNpQj1jaqTca9pp6DNbvKx14aVhgD0nR4f pr4g==
X-Gm-Message-State: AOAM5306qMqFYYoiAlYRl2eUYmdElBRQj6b+B1uQJ1iyxjQaEmHNzPkm RcDJNAF+eexOiwk5r8jC1rHOVWduQrY=
X-Google-Smtp-Source: ABdhPJyh7YpoZTDzS/PCB29cOetBfevugr0MoOO4o9f6YBpvMVVVdCl2CfnBrEgXxxWOOkPn8ubPFg==
X-Received: by 2002:ad4:4aac:: with SMTP id i12mr7479354qvx.10.1610634568678; Thu, 14 Jan 2021 06:29:28 -0800 (PST)
Received: from ?IPv6:2607:fea8:8a0:1397:a160:5898:bc8:aa86? ([2607:fea8:8a0:1397:a160:5898:bc8:aa86]) by smtp.gmail.com with ESMTPSA id x25sm2995645qkx.88.2021.01.14.06.29.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 14 Jan 2021 06:29:27 -0800 (PST)
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "cose@ietf.org" <cose@ietf.org>
References: <HE1PR0702MB36745AEC1C6E929CA4D9A1C7F4ED0@HE1PR0702MB3674.eurprd07.prod.outlook.com> <be8f9113-a74a-7358-383c-927e7fab0f13@gmail.com> <3DEA816D-EBFE-4914-B327-5EA11ECABF45@ericsson.com> <15a95ece-d580-1a28-24f0-0ecb71631c70@gmail.com> <f1f45799-8469-842a-c1d3-81c5362a68f1@gmail.com> <YABDKkUcwk2Sib/5@LK-Perkele-VII>
From: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <2219c654-8e25-1540-44a9-b49c527ec781@gmail.com>
Date: Thu, 14 Jan 2021 09:29:24 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.1
MIME-Version: 1.0
In-Reply-To: <YABDKkUcwk2Sib/5@LK-Perkele-VII>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/oFTcLg_HviER-B7ciZGjPLR9xms>
Subject: Re: [COSE] draft-ietf-lwig-curve-representations-13
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jan 2021 14:29:32 -0000
Hi Ilari: I do not understand your posting, which is full of hearsay and ill-defined terms, such as "odd way", "usually", "have not tested this" (which are subjective terms). Can we please stick to facts? ECDSA has been introduced in 1999 [1]. The specification of ECDSA25519 [2] and that of ECDSA448 [3] uses the description in FIPS Pub 186-4, which is unambiguous. If you nevertheless believe there are ambiguities in the specification, please point those out succinctly and in a technical matter, with detailed reference to the alleged substep where this "mishap" occurs. Best regards, Rene Ref: [1] Don Johnson, Alfred Menezes, "The Elliptic Curve Digital Signature Algorithm (ECDSA)", CACR Corr 99-34. [2] https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-19#section-4.3 [3] https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-19#section-4.4 On 2021-01-14 8:12 a.m., Ilari Liusvaara wrote: > On Wed, Jan 13, 2021 at 09:26:15AM -0500, Rene Struik wrote: >> Hi Goran, John: >> >> Please let me know if my response to the COSE mailing list (Dec 19th) works >> for you. If you have comments, please suggest constructive improvements. >> >> I really would like to get closure on this. >> >> I value your feedback, even though you brought up your points more than two >> months after the IETF Last-Call. I hope we can move forward without undue >> delays. >> >> Thanks for your help, Rene >> >> On 2020-12-19 11:01 a.m., Rene Struik wrote: >>> Dear John: >>> >>> Based on your review and other feedback received, I slightly updated the >>> draft and posted the latest revision as [1]. >>> >>> Your review below (of Nov 6, 2020) seems to bring up three topics, viz.: >>> (1) definition of Wei25519 and Wei448 vs. verbiage in NIST docs; (2) >>> need for iana registrations for ECDSA25519 and ECDSA448; (3) need for >>> iana registrations ECDH25519 and ECDH448. >>> >>> Please find below some feedback. >>> >>> General feedback: >>> >>> Please bear in mind that the specifications of ECDSA25519 and ECDH25519 >>> in the lwig curve document aim to yield schemes that are strictly >>> NIST-compliant (i.e., these would allow FIPS 140-2 accreditation if the >>> curves would be in the "NIST recommended" set). See also Note 2 of >>> Section 4.1 of [1]. A similar remark applies to ECDSA448 and ECDH448. > I think the spec should call out the odd way hash truncation in ECDSA > works with these curves, as it is unlikely implementations have > encountered that kind of special case before. > > As far as I understand (z is the integer value representing the message > in both signing and verification... I have not actually tested these, so > there might be bugs): > > 1) Wei25519: > > C = 31; > if len(hash) > C: > z = int.from_bytes(hash[:C],byteorder="big"); > y = hash[C]; > if is_sha2(hashfunc): > z += y // 8 << 8*C; > elif is_sha3_or_shake(hashfunc): > z += y % 32 << 8*C; > else: > raise ValueError("Unsupported hash"); > else: > z = int.from_bytes(hash,byteorder="big"); > > 2) Wei448: > > C = 55; > if len(hash) > C: > z = int.from_bytes(hash[:C],byteorder="big"); > y = hash[C]; > if is_sha2(hashfunc): > z += y // 4 << 8*C; > elif is_sha3_or_shake(hashfunc): > z += y % 64 << 8*C; > else: > raise ValueError("Unsupported hash"); > else: > z = int.from_bytes(hash,byteorder="big"); > > Where is_sha2 and is_sha3_or_shake are predicates for the hash function > that check if the hash function used is one from SHA-2 or from > SHA-3/SHAKE respectively. The dependence on these predicates cause major > issues with traditional signhash-style ECDSA implementations. > > > If the above is wrong (beyond just bugs or typos), it would be > especially necressary to write how the case is handled, as even trying > to carefully work out how it works leads to wrong result. > > > (For comparision, here is what truncation looks for P-256: > > if len(hash) > 32: hash = hash[:32]; > z = int.from_bytes(hash,byteorder="big"); > > > There is no reference to hash function used. > ) > > >>> Detailed feedback: >>> >>> (2) Need for iana registrations for ECDSA25519 and ECDSA448. >>> >>> ECDSA is determined by an instantiation of hash function, curves, and >>> representation conventions for inputs and outputs (i.e., message >>> representation, curve point representation, and signature >>> representation). >>> a) ECDSA448 uses SHAKE256 under the hood, which is currently not defined >>> with COSE. Hence, my request to register ECDSA w/ SHAKE256 and Wei448 as >>> "ECDSA448". >>> b) ECSA25519 uses SHA256 and Wei25519 under the hood. I thought to >>> request to register "ECDSA25519" since this would allow referencing the >>> quite careful write-up (Section 4.3), including bit/byte ordering, >>> checks, and nondeterministic behavior (and, thereby, keeping this >>> concise). Please note that this is very similar to the COSE IANA >>> registry for "ES256k1" (ECDSA w/ SHA256 and Bitcoin curve secp256k1). > This is not how ECDSA is usually used (and this goes to a lot of other > things besides COSE and JOSE, e.g. to TLSv1.2 and PKIX). Usually in ECDSA, > the algorithm determines the hash function, and key determines the curve. > This would presumably still hold if doing agility-by-key (not that either > COSE nor JOSE have the necressary means for that). > > IMO, ES256k1 was a mistake. That should have had alg ES256 and > crv secp256k1. > > (TLSv1.3 mixes hash and curve, but seemingly only to simplify > negotiation, which is not applicable here, since COSE/JOSE are not > interactive. Many implementations probably do not check that the curve > is correct. Mine certainly does not.) > >>> (3) Need for iana registrations ECDH25519 and ECDH448. >>> >>> ECDH25519 and ECDH448 are co-factor Diffie-Hellman key establishment >>> schemes and can, therefore, not be based on (cofactorless) >>> Diffie-Hellman, as defined in RFC 8152. (Please note that there is no >>> difference for the NIST curves, which all of co-factor h=1, but in our >>> case one has h=8 and h=4, respectively). Here, one should note that the >>> ECDH25519 and ECDH448 write-ups (Section 4.1 and 4.3) quite carefully >>> cross-reference co-factor ECDH in a NIST-compliant way. Apart from the >>> co-factor ECDH vs. ECDH issue and objective to comply with all strict >>> NIST validation checks, the objective was also to make sure that >>> ECDH25519 and ECDH448 can be used in settings where either or both >>> parties uses ephemeral keys (which is more flexible than what RFC 8152 >>> allows). Hence, the request to register "ECDH25519" and "ECDH448", to >>> make sure this covers the intent of these schemes accurately and with >>> precise description. > COSE does not just have ECDH, it has many different variants of ECDH. > It would probably be easier to define cofactor ECDH by performing the > cofactor multiplication (which seems to be the only difference between > cofactor and non-cofactor ECDH) in output shared secret conversion. > Otherwise one would need at least 8 new algorithms (SS/ES times KW/KDF > times 128/256). > > > > -Ilari -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
- [COSE] draft-ietf-lwig-curve-representations-13 Göran Selander
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… John Mattsson
- Re: [COSE] draft-ietf-lwig-curve-representations-… Ilari Liusvaara
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] [Lwip] draft-ietf-lwig-curve-represent… Mohit Sethi M
- Re: [COSE] [Lwip] draft-ietf-lwig-curve-represent… John Mattsson
- Re: [COSE] [Lwip] draft-ietf-lwig-curve-represent… Mohit Sethi M
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Ilari Liusvaara
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… John Mattsson
- Re: [COSE] draft-ietf-lwig-curve-representations-… Benjamin Kaduk
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- [COSE] (small timeline correction) Re: draft-ietf… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… John Mattsson
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Benjamin Kaduk
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik
- Re: [COSE] draft-ietf-lwig-curve-representations-… Benjamin Kaduk
- Re: [COSE] draft-ietf-lwig-curve-representations-… Rene Struik