Re: [jose] [COSE] COSE/JOSE elliptic curves and their relationship with key types
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 13 July 2021 11:30 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7B573A14CD; Tue, 13 Jul 2021 04:30:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XNzwsHieuhh9; Tue, 13 Jul 2021 04:30:06 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2b.welho.com [83.102.41.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5C313A14CC; Tue, 13 Jul 2021 04:30:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 088F3C3F1B; Tue, 13 Jul 2021 14:29:58 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id 2DSZ8VwDwfE2; Tue, 13 Jul 2021 14:29:57 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id AFD48287; Tue, 13 Jul 2021 14:29:54 +0300 (EEST)
Date: Tue, 13 Jul 2021 14:29:54 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: jose@ietf.org, cose@ietf.org
Message-ID: <YO15MhoS3aU9SPlc@LK-Perkele-VII2.locald>
References: <20210707212059.GX17170@mit.edu> <21116.1625697755@localhost> <20210713034600.GJ17170@mit.edu> <47195B9C-4323-467A-AE27-949DE33C38A4@forgerock.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <47195B9C-4323-467A-AE27-949DE33C38A4@forgerock.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/mWtBhNY7vV2SbEtSB33DDGhh5zw>
Subject: Re: [jose] [COSE] COSE/JOSE elliptic curves and their relationship with key types
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2021 11:30:13 -0000
On Tue, Jul 13, 2021 at 07:56:55AM +0100, Neil Madden wrote: > My understanding is that single-coordinate representations (OKP) are > safer because they reduce the scope for invalid curve attacks, but > that they were patent-encumbered for many years. With a double- > coordinate representation you have to carefully check that (x,y) > satisfies the curve equation. With a single coordinate you instead > calculate y from x using the curve equation (if you need it), so > it can’t fail to satisfy it. IMO, that should be the preferred > representation for any new curves. To actually eliminate invalid-curve attacks, one needs representation that seamlessly switches between curve and its twist, in addition to the curve being designed so that both it and its twist are strong curves. AFAIK, pretty much the only application one can exploit this is ECDH. Just compressing is not enough: There are square root algorithms that produce some bogus result if given number with no square root. I do not know how such bogus y would interact with elliptic-curve arithmetic, but it might not be good. And while in general, it is preferred that key formats are defined as octet strings, and thus mapped as OKP, in specific case of lwig-curves, since those are short-weierstrass points intended to be used with legacy algorithms, EC2 is much better match. And thinking about future post-quantum algorithms, all the NISTPQC stuff has octet string keys, so OKP would be correct match. However, new algorithms are needed for PQC, especially for KEMs. > Note that if you want to be completely unambiguous then you typically > want a single coordinate (x) plus a bit to say which of the two roots > to use for the y-coordinate. RFC 8037 allows this by not committing > to what “x” represents, but RFC 8152 for COSE says that the “x” field > is the little-endian encoding of the x-coordinate specifically, so > you might need a different type. (In fact, EdDSA public keys are the > *y* coordinate plus a single bit to say which x-coordinate to use, > so I think COSE is already breaking its own contract). Right, to actually get a curve point, you need x and sign bit of y (with Edwards curves, one could alternatively use the more common y coordinate and sign of x representation). And on RFC 8152 saying it is little-endian encoding of x-coordinate, that is just plain incorrect. And in fact, it has led to some confusion. The whole idea of OKP is to abstract on encoding, making it specific to subtype. In JOSE, there are currently two distinct encodings that both use OKP type (and in future, there may be more). -Ilari
- [jose] COSE/JOSE elliptic curves and their relati… Benjamin Kaduk
- Re: [jose] [COSE] COSE/JOSE elliptic curves and t… Michael Richardson
- Re: [jose] [COSE] COSE/JOSE elliptic curves and t… Benjamin Kaduk
- Re: [jose] [COSE] COSE/JOSE elliptic curves and t… Neil Madden
- Re: [jose] [COSE] COSE/JOSE elliptic curves and t… Ilari Liusvaara
- Re: [jose] [COSE] COSE/JOSE elliptic curves and t… Ilari Liusvaara
- Re: [jose] [COSE] COSE/JOSE elliptic curves and t… Neil Madden
- Re: [jose] [COSE] COSE/JOSE elliptic curves and t… Michael Richardson
- Re: [jose] [COSE] COSE/JOSE elliptic curves and t… Benjamin Kaduk
- Re: [jose] [COSE] COSE/JOSE elliptic curves and t… Benjamin Kaduk
- Re: [jose] [COSE] COSE/JOSE elliptic curves and t… Michael Richardson