IETF Logo Mail Archive

Re: [jose] [COSE] COSE/JOSE elliptic curves and their relationship with key types

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 13 July 2021 11:30 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7B573A14CD; Tue, 13 Jul 2021 04:30:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XNzwsHieuhh9; Tue, 13 Jul 2021 04:30:06 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2b.welho.com [83.102.41.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5C313A14CC; Tue, 13 Jul 2021 04:30:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 088F3C3F1B; Tue, 13 Jul 2021 14:29:58 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id 2DSZ8VwDwfE2; Tue, 13 Jul 2021 14:29:57 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id AFD48287; Tue, 13 Jul 2021 14:29:54 +0300 (EEST)
Date: Tue, 13 Jul 2021 14:29:54 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: jose@ietf.org, cose@ietf.org
Message-ID: <YO15MhoS3aU9SPlc@LK-Perkele-VII2.locald>
References: <20210707212059.GX17170@mit.edu> <21116.1625697755@localhost> <20210713034600.GJ17170@mit.edu> <47195B9C-4323-467A-AE27-949DE33C38A4@forgerock.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <47195B9C-4323-467A-AE27-949DE33C38A4@forgerock.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/mWtBhNY7vV2SbEtSB33DDGhh5zw>
Subject: Re: [jose] [COSE] COSE/JOSE elliptic curves and their relationship with key types
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2021 11:30:13 -0000

On Tue, Jul 13, 2021 at 07:56:55AM +0100, Neil Madden wrote:
> My understanding is that single-coordinate representations (OKP) are
> safer because they reduce the scope for invalid curve attacks, but
> that they were patent-encumbered for many years. With a double-
> coordinate representation you have to carefully check that (x,y)
> satisfies the curve equation. With a single coordinate you instead
> calculate y from x using the curve equation (if you need it), so
> it can’t fail to satisfy it. IMO, that should be the preferred
> representation for any new curves. 

To actually eliminate invalid-curve attacks, one needs representation
that seamlessly switches between curve and its twist, in addition to
the curve being designed so that both it and its twist are strong
curves. AFAIK, pretty much the only application one can exploit this is
ECDH.

Just compressing is not enough: There are square root algorithms that
produce some bogus result if given number with no square root. I do
not know how such bogus y would interact with elliptic-curve
arithmetic, but it might not be good.

And while in general, it is preferred that key formats are defined as
octet strings, and thus mapped as OKP, in specific case of lwig-curves,
since those are short-weierstrass points intended to be used with
legacy algorithms, EC2 is much better match.

And thinking about future post-quantum algorithms, all the NISTPQC
stuff has octet string keys, so OKP would be correct match. However,
new algorithms are needed for PQC, especially for KEMs.

> Note that if you want to be completely unambiguous then you typically
> want a single coordinate (x) plus a bit to say which of the two roots
> to use for the y-coordinate. RFC 8037 allows this by not committing
> to what “x” represents, but RFC 8152 for COSE says that the “x” field
> is the little-endian encoding of the x-coordinate specifically, so
> you might need a different type. (In fact, EdDSA public keys are the
> *y* coordinate plus a single bit to say which x-coordinate to use,
> so I think COSE is already breaking its own contract).

Right, to actually get a curve point, you need x and sign bit of y
(with Edwards curves, one could alternatively use the more common
y coordinate and sign of x representation).

And on RFC 8152 saying it is little-endian encoding of x-coordinate,
that is just plain incorrect. And in fact, it has led to some
confusion. The whole idea of OKP is to abstract on encoding, making
it specific to subtype. In JOSE, there are currently two distinct
encodings that both use OKP type (and in future, there may be more).


-Ilari

v2.23.0 | Report a Bug | By Email