IETF Logo Mail Archive

Re: [jose] JWK Elliptic Curve key representations and new curves

Richard Barnes <rlb@ipv.sx> Thu, 14 August 2014 13:43 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E31B1A0929 for <jose@ietfa.amsl.com>; Thu, 14 Aug 2014 06:43:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iAif-HOQIgqJ for <jose@ietfa.amsl.com>; Thu, 14 Aug 2014 06:43:01 -0700 (PDT)
Received: from mail-oa0-f52.google.com (mail-oa0-f52.google.com [209.85.219.52]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8B121A073C for <jose@ietf.org>; Thu, 14 Aug 2014 06:43:01 -0700 (PDT)
Received: by mail-oa0-f52.google.com with SMTP id o6so974959oag.25 for <jose@ietf.org>; Thu, 14 Aug 2014 06:43:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=RXSqt4OxFr/JjETW+gmLq0pqDI6fqCkcfgD1rDDawqo=; b=FDHooPhh1hGWHFhYpWqoxPulwn3ZssPyqm1pKdII0/Fdp3pcsMfn+wUXSAHZlBfHqd CHn9a0gv3mZDFgyCyVkD1PBwd4XuPUBWXhh4hkl+CFyeT80TlEWcOGMryUuFKn1kA4/I bZJNRSL1/hTDcY9Zqby2QFKoEABC8HHPEpTzJFHRIaKqFdofd4xU2YgyasdZ7T+8617+ wdisVRCmwD+iX+E2VPeWcp58lXD3CYozVD5k7YQ957ou5SQKzFu7j0JmbqJFYj3ubouV Y5q1tzc2TvAq3s5/m1GT7ZjJHmXZropv4TN83lM9SZRZxqS+7enxAvIrAJzyfeD50N39 hBbA==
X-Gm-Message-State: ALoCoQmlIXoXILI5W+NdFjDCstlafPMyGDWDywyAmh+d/Rt1iBuSvKd1NhDvFToe5tAxqma3Ypy9
MIME-Version: 1.0
X-Received: by 10.60.115.133 with SMTP id jo5mr12808730oeb.39.1408023780965; Thu, 14 Aug 2014 06:43:00 -0700 (PDT)
Received: by 10.76.106.202 with HTTP; Thu, 14 Aug 2014 06:43:00 -0700 (PDT)
In-Reply-To: <1408004416408.82777@certivox.com>
References: <4E1F6AAD24975D4BA5B16804296739439AE1989B@TK5EX14MBXC293.redmond.corp.microsoft.com> <CAG8k2+4rBnaZ4U4N49AgceAcNXeXcxjCzg+PgEy4woREAg=SmA@mail.gmail.com> <1408004416408.82777@certivox.com>
Date: Thu, 14 Aug 2014 09:43:00 -0400
Message-ID: <CAL02cgQCVWBWQgFC5SAvHYXYfd+G8ma6_bzOTq6Gggh9CFR=Kw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Scott <mike.scott@certivox.com>
Content-Type: multipart/alternative; boundary="089e012953444cda3705009715b8"
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/1Mn8ZohoPVz-WGlntyd6gZvEhYc
Cc: Trevor Perrin <trevp@trevp.net>, Daniel Holth <dholth@gmail.com>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] JWK Elliptic Curve key representations and new curves
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Aug 2014 13:43:04 -0000

I think it has to be a new "kty" value, unless the Curve25519 crowd are
willing to do conversion from little-endian to big.  If that's the case, we
could update the "EC" spec to say that "y" is optional in cases where there
is no ambiguity.

It would be very much preferable, however, to keep this on ice until the
CFRG debate settles.  There appear to be all sorts of slight variations in
how these new curves like to represent points, so it will be helpful to
have a more consolidated set of targets, so that we don't have to come up
with N point formats.  It would also be helpful if the proponents of the
various curves could lay down their weapons for a second and agree on a
format that works for all of them.

--Richard


On Thu, Aug 14, 2014 at 4:22 AM, Mike Scott <mike.scott@certivox.com> wrote:

> Be careful not to confuse Ed25519 with Curve25519. The former uses Edwards
> coordinates in which case (x,y) coordinates are appropriate. The latter
> uses Montgomery coordinates, which only require an x coordinate for the
> special case of an implementation of the Diffie-Hellman key exchange.
>
> In fact all coordinate systems can use a "compressed" form of just x and
> at most 1 bit to indicate the sign of y (recall that x and y are related
> via the curve equation). However compression (or some forms of it) was
> patented, and hence avoided. However I believe that patent has now lapsed
> (?) As I recall IEEE1363 supports a compressed representation of points.
>
> Also "decompression" has a cost associated with it, although this doesn't
> arise for Curve25519 where it is never required to recover the y coordinate
>
>
> Mike Scott
>
> ________________________________________
> From: jose <jose-bounces@ietf.org> on behalf of Daniel Holth <
> dholth@gmail.com>
> Sent: 14 August 2014 03:20
> To: Mike Jones
> Cc: Trevor Perrin; jose@ietf.org
> Subject: Re: [jose] JWK Elliptic Curve key representations and new curves
>
> On Wed, Aug 13, 2014 at 9:39 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
> > It has come up in recent discussions in the CRFG, the W3C WebCrypto
> working
> > group, and the TLS working group that not all elliptic curves or curve
> > protocols use two coordinates (x and y) in their public key
> representations.
> > For instance, a Curve25519 public key is a single 32-byte value.
>  Especially
> > in light of the request by TLS to the CRFG to recommend new curves, and
> that
> > some of the curves in consideration use only a single value in their
> public
> > key representation, I believe that JOSE should consider how to represent
> > such keys as JWKs.
> >
> >
> >
> > I see there being two logical ways to address this:
> >
> >
> >
> > CHOICE 1 – MAKE THE “EC” KEY TYPE MORE FLEXIBLE:  One obvious
> possibility is
> > to make it a property of the “crv” parameter for JWKs with “kty”: “EC”
> what
> > fields are required.  So for instance, when “crv” is “P-256”, “P-384”, or
> > “P-521”, both “x” and “y” members would be used, but other curves might
> use
> > a different set of members, such as just “x” for public keys.
> >
> >
> >
> > CHOICE 2 – USE A DIFFERENT KEY TYPE:  Another possibility is to leave the
> > “kty”: “EC” definition as it is but to define a related “kty”: “EC1”
> value
> > to be used by elliptic curves for which only one value “x” is used in the
> > public key representation and an additional value “d” is used in the
> private
> > key representation.
> >
> >
> >
> > Within choice 2, there are actually two sub-choices available to us:
> >
> >
> >
> > CHOICE 2A – DEFINE A NEW KEY TYPE VALUE IN JWA NOW:  If we think that
> there
> > are only two kinds of elliptic curve key representations that we will
> ever
> > care about, we could define the second one in JWA now.  However, this
> would
> > almost certainly start a debate within JOSE about whether we should add
> any
> > additional curve definitions using this new key type.  If we do, it
> should
> > almost certainly be because we have followed the CFRG’s and TLS’s lead in
> > the new curve choices, although doing so would almost certainly further
> > delay our completion.
> >
> > CHOICE 2B – DEFINE THE NEW KEY TYPE IN A NEW SPEC:   This could be done
> by
> > writing an individual draft that registers “kty”: “EC1” and later
> possibly
> > adopting it as a working group item.  This would allow our current specs
> to
> > proceed as-is, while giving us time to sync with CFRG and TLS as their
> curve
> > choices move forwards.
> >
> >
> >
> > One additional pesky detail worth noting is that the normal Curve25519
> key
> > representation uses little-endian 32-bit numbers whereas SEC1 (which we
> use
> > for “x”, “y”, and “d”) uses big-endian numbers.  So for any of these
> choices
> > above, we’d also have to decide whether to allow different curves to
> specify
> > different endianness, require all to use big-endian representations, or
> to
> > say that for some curves, the value is an octet array of a given size
> and be
> > silent on endianness.
> >
> >
> >
> > While I’m reluctant to even bring this up at this point in the
> development
> > of our specs, I also don’t want those designing potential applications of
> > JWKs to believe that their choices of curves are limited by decisions
> that
> > JOSE has made.  It’s clear that JWK can be extended to accommodate curves
> > using only a single value in their public key representations.
> >
> >
> >
> > How do you think we should do that?
> >
> >
> >
> >                                                                 -- Mike
> >
> >
> >
> > P.S.  Thanks to Trevor Perrin for private discussions that informed some
> of
> > the contents of this note.
>
> I didn't find the existing spec a burden. My JWK-derived system uses {
> "kty" : "Ed25519", vk : "the base64url-encoded verifying key" } and
> uses "Ed25519" as alg as well. (In the less necessary JWK private key
> representation "sk" : "..." is used for the secret part).
>
> Is there some economy that makes it desirable to have a Ed25519 JWK
> look similar to any other elliptic curve key that only uses one
> (opaque?) parameter? The constant-time implementation (no secret
> branching) is monolithic, specialized to that curve and is not built
> out of reconfigurable pieces.
>
> Curve1174 "Elligator" is another elliptic curve system by DJB etc.
> that looks like it shares some of the attributes of Ed25519.
>
> Daniel Holth
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>

v2.23.0 | Report a Bug | By Email