Re: [Lwip] Magnus Westerlund's Discuss on draft-ietf-lwig-curve-representations-19: (with DISCUSS)
Rene Struik <rstruik.ext@gmail.com> Wed, 17 February 2021 15:51 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: lwip@ietfa.amsl.com
Delivered-To: lwip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3EBF3A1B1D; Wed, 17 Feb 2021 07:51:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XEWhXg2rH8h4; Wed, 17 Feb 2021 07:51:04 -0800 (PST)
Received: from mail-qv1-xf2c.google.com (mail-qv1-xf2c.google.com [IPv6:2607:f8b0:4864:20::f2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D19243A1B1A; Wed, 17 Feb 2021 07:51:03 -0800 (PST)
Received: by mail-qv1-xf2c.google.com with SMTP id c25so6454979qvb.4; Wed, 17 Feb 2021 07:51:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:cc:references:from:subject:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=nsybx/EFG0NoM8DeyVY98Er3Hp6uenwOAnCgVJjJYaE=; b=uKlL4iaiVkeaG2qQSvayKodb7G905EefuBNEQlCg7wXzofrB+lMvyk7+Bsh7NMCKwv rJH/ONlWMYhhl3wZWHSysk2U+vyWqKaaa5bijGk92Znuj6FODl5xg/a0JO9RWiWOX8dc DEBcK48aBDwFPnt9wELsSDcNni2JvU0sAsye9tYL3UwB79uszAHT3mXqiiUVSwaFcOHq fismnBAhMVqspfRTfwperKWt+qcBeT9E0t2a/ofPBgq6Rjc4U2lh70R3pPcMFrJIhRDL /HdIDzlVw1O5bdnVWL+pDK1rWwhg228Do4SmJ6ImSKo9PGrYvcDODrWNhFdvs0uo423N yWJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:cc:references:from:subject:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=nsybx/EFG0NoM8DeyVY98Er3Hp6uenwOAnCgVJjJYaE=; b=DUAkpLfAbCDgV8NVdHz/hZeTNs3DIZVn9dWExHGp6S3DmqRx6SD+tqNU8Mp3A32BQ/ hK1nMVWOSJ/ahteJLoUMm7nX+TfMrDrstcTGt21ltddBpxyej9i5WmeiHdMfm6NQ/rHM how4FpJqKn+TeDaaBSZm/fYLzZHb0tI2ghSLjfkPEnmoiYamlc3tM3f5JFSBlpj4unJk +kdpCzDd48AIORGvoeQmm5tvMTECOyWTN4kHnLgugrd79ZzX8DzYCMiB+vBJJGTaH2/T pnO/RGmXqrwnSZnDzxcFoep3nRoyFLH+fXJyusQHMWJDU+wlV2jYGBiVUU29fjAY5dA6 Mhnw==
X-Gm-Message-State: AOAM532+tCDuP9X75rgIvSLWxrBOrK6jqaZH941oOlZYyGPPtVmgaW12 oJ5H/PNx4TpX4YQNwXfuBSn0dBWxTqI=
X-Google-Smtp-Source: ABdhPJx2lRuuJ0UTkGf8Bk5F974Er43EL6m+5RIxemRvOzCZV8flaiLQCLYTQBuht8uWgR3GZO3GxQ==
X-Received: by 2002:a0c:a5e2:: with SMTP id z89mr25098191qvz.37.1613577062699; Wed, 17 Feb 2021 07:51:02 -0800 (PST)
Received: from ?IPv6:2607:fea8:8a0:1397:a435:70e6:5d49:5f59? ([2607:fea8:8a0:1397:a435:70e6:5d49:5f59]) by smtp.gmail.com with ESMTPSA id 199sm1951417qkj.9.2021.02.17.07.51.01 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 17 Feb 2021 07:51:02 -0800 (PST)
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, The IESG <iesg@ietf.org>
Cc: draft-ietf-lwig-curve-representations@ietf.org, lwig-chairs@ietf.org, lwip@ietf.org, Mohit Sethi <mohit.m.sethi@ericsson.com>
References: <161356897308.14208.11423622413442209985@ietfa.amsl.com>
From: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <116cb13e-22f1-4686-61c3-7b556eea730c@gmail.com>
Date: Wed, 17 Feb 2021 10:50:58 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
MIME-Version: 1.0
In-Reply-To: <161356897308.14208.11423622413442209985@ietfa.amsl.com>
Content-Type: multipart/alternative; boundary="------------F8E079BAD00ACA719C38F831"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/HWPm4EtdqXVC3wnRqxeN7VtHJsQ>
Subject: Re: [Lwip] Magnus Westerlund's Discuss on draft-ietf-lwig-curve-representations-19: (with DISCUSS)
X-BeenThere: lwip@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Lightweight IP stack. Official mailing list for IETF LWIG Working Group." <lwip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lwip>, <mailto:lwip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lwip/>
List-Post: <mailto:lwip@ietf.org>
List-Help: <mailto:lwip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lwip>, <mailto:lwip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Feb 2021 15:51:08 -0000
Hi Magnus: I don't think a brief glimpse at 00 document does this document or my efforts on this justice ("my brief review of the 00"). However, let me walk you through this draft document. Perhaps, this helps in appreciating it better. {First off, though: this draft has received extensive reviews by Daniel Migault, Russ Housley, Stanislav Smyshlyaev. John Mattson (Nov 6, 2020, 5.06pm EST): "I looked through this draft again. I think it is a very good draft and I think it will be a solution to some of the problems IoT devices have with Ed25519. I will bring up this draft for discussion in the LAKE WG at IETF 109") Now, the walk-through: According to the abstract of the lwig curve document, this document deals with different representations of the same objects: This document specifies how to represent Montgomery curves and (twisted) Edwards curves as curves in short-Weierstrass form and illustrates how this can be used to carry out elliptic curve computations using existing implementations of, e.g., ECDSA and ECDH using NIST prime curves. We also provide extensive background material that may be useful for implementers of elliptic curve cryptography. It is shown in Section 4 how this can be used to reuse existing implementations and existing specifications (thereby assisting the community in lowering development and maintenance cost): Any existing specification of cryptographic schemes using elliptic curves in Weierstrass form and that allows introduction of a new elliptic curve (here: Wei25519) is amenable to similar constructs, thus spawning "offspring" protocols, simply by instantiating these using the new curve in short-Weierstrass form, thereby allowing code and/or specifications reuse and, for implementations that so desire, carrying out curve computations "under the hood" on Montgomery curve and twisted Edwards curve cousins hereof (where these exist). This would simply require definition of a new object identifier for any such envisioned "offspring" protocol. This could significantly simplify standardization of schemes and help keeping at bay thresource and maintenance cost of implementations supporting algorithm agility [RFC7696 <https://datatracker.ietf.org/doc/html/rfc7696>]. Section 4 illustrates how to a) {Section 4.1} reuse an *existing* NIST SP 800-56a-compliant implementation of co-factor ECDH (which requires a specific, so-called short-Weierstrass, representation of curve points to be compliant. It does not define anything new. In fact, the entire point of ECDH25519 is to be strictly compliant with *existing* NIST specifications, including all representations of bit/byte-strings and all necessary security checks (e.g., public key validation), so that one can amortize development cost and, perhaps, gets this FIPS-ed. See Note 2. b) {Section 4.2} reuse an *existing* Montgomery ladder to implement EdDSA (RFC 8032), where the "gap" between Curve25519 and Ed25519 is bridged by a simple representation change. This is a public transformation. See also the first sentence of Section 8, which writes: The different representations of elliptic curve points discussed in this document are all obtained using a publicly known transformation, which is either an isomorphism or a low-degree isogeny. c) {Section 4.3} reuse an *existing* implementation of FIPS 186-4 compliant implementation of ECDSA w/ SHA256 and P-256 and simple swap the domain parameters of Wei25519 for P-256. This reuses all existing representations (bit/byte-ordering), and all necessary security checks that have been specified for 1 1/2 decades. d) {Section 4.4} reuse any other existing implementation, where this is simply illustrated for Curve448 (the other CFRG curve besides Curve25519). Section 7 provides evidence that this indeed works, where the reference to the NXP chip (but Infineon chips [not mentioned] can do the same) is of particular interest, since a chipset out in the field that implements generic HW-assisted curve arithmetic with all the "nice on the box logo capabilities" that one knows of devices that can do ECDH, ECDSA as NIST specified 1 1/2 decades ago. The main contribution of this document is to illustrate how simple this is and how much overdue appreciation of this is. The only technicality is that some existing chipsets may have hardbaked curve parameters (a=-3) in there, which requires a little bit more computations: in this case one needs a so-called isogeny, rather than a trivial x-coordinate shift (as the representation switch above does). This makes the representation material more complete, but by necessity requires more explanation. The corresponding mappings and representations, and examples are printed in the internet draft, but these are by *no* means standardized: I wanted to keep this simple and trivial to implement with existing libraries. (So, no Wei25519.-3, but only Wei25519, etc.) Why so many appendices? The answer is simple: this is to serve the community, since it fills the current void that there is no other ietf document that specifies these things and confusion/myth-forming can be avoided by simply being able to reuse this. How does this draft fit with lwig's scope, as articulated in the charter? The purpose of the LWIG working group is to collect experiences fromimplementors of IP stacks in constrained devices. Thegroup shall focus only on techniques that have been used in actualimplementations and do not impact interoperability with other devices. RS>> More elaborated upon below. This document will be helpful for the implementors of new devices or for theimplementors of new general-purpose small IP stacks. RS>> See RFC 8928 - Address-Protected Neighbor Discovery for Low-Power and Lossy Networks and next item It is also expectedthat the document increases our knowledge of what existing smallimplementations do, and helps in the further optimization of theexisting implementations. RS>> This allows implementors to minimize implementation cost, e.g., by having ECDSA w/ SHA256 and {NIST curve P-256 or curve Wei25519} under the hood (reuse everything, except other modular arithmetic constants). On areas where the considerations for smallimplementations have already been documented the group shall make aneffort to refer to those documents instead of developing its own. RS>> See Implementation Considerations and Implementation Status section. Generic hardware design advice and software implementation techniquesare outside the scope of this work, as such expertise is not within theIETF domain. Protocol implementation experience, however, is within the IETF domain. RS>> The material on alternative elliptic curve representations, though extremely simple, now has a place and can be simply used by implementors and developers. The group shall also not develop any new protocols orprotocol behavior modifications beyond what is already allowed byexisting RFCs, because it is important to ensure that different types ofdevices can work together. RS>> the entire point of the document is how to reuse existing specifications and implementations. Everything is used modularly, where algorithms are used as have been specified 1 1/2 decades ago and are used widely. The group shall not develop assumptions orprofiles about the operating environment of the devices, because, ingeneral, it is not possible to guarantee any special configuration. RS>> n/a. Finally, while implementation techniques relating to security mechanismsare within scope, mere removal of security functionality from a protocolis not an acceptable recommendation. RS>> This draft avoids all shortcuts, since examples are strictly compliant with existing NIST and FIPS specifications, without taking out seemingly unnecessary security checks. On 2021-02-17 8:36 a.m., Magnus Westerlund via Datatracker wrote: > Magnus Westerlund has entered the following ballot position for > draft-ietf-lwig-curve-representations-19: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-lwig-curve-representations/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > So this discuss is on the process violations that has occurred for this > document. > > The first which is fairly straightforward to address is in regards to that the > document would require a new IETF last call for proposed standard as it was > last called only as informational on 2020-08-25. However, there is no point of > doing this before the second part of this discuss has been addressed. > > The second part of the discuss is that this document is out of charter for the > LWIG WG. The LWIG charter is clear on that the WG shall not define protocols, > only describe how one does implementation that are lightweight but standard > compliants. Thus, the document in its current form where it define a number of > new curves is thus outside of this charter and that needs to be addressed > before this work has a chance to be progressed. I think it is important that > this is taken serious as this work defines new curves even if derived from > existing ones do need proper review in relevant WG or RG where interested > parties are more likely to see and comment on this work. I think a good > illustration of this is the reaction in COSE WG when people become aware of > this work. So lets look at what I think are a couple of potential ways of > dealing with this, in falling preferences from my perspective. > > 1) Move the draft to an appropriate WG/RG, I think CFRG could be a reasonable > choice but I assume the SEC ADs might have better guidance on this. 2) Rewrite > the document to fit the LWIG chartered scope, i.e. not define any new curves > only document how one can realize existing standard curves using the transform > method in this document. 3) Recharter LWIG to allow this work. I think this is > a bad choice as doing security standard specification appears to be out of > scope. 4) Declare the work dead > > A path here needs to be chosen. I can understand that this is frustrating for > the author and other proponents. However, there appear to exist venues within > IETF and IRTF which do works on curve specifications and their application to > various protocols. Thus, we need to use these to ensure proper review. > > I don't think there is much reason to try to place any blame here. There are > multiple parties that appears to have made less than optimal decision during > the process since WG adoption. What is clear to me is that the scope of the > draft has crept from its original adoption into LWIG when it appears to have > been in scope from my brief review of the 00. > > > > > -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 287-3867
- [Lwip] Magnus Westerlund's Discuss on draft-ietf-… Magnus Westerlund via Datatracker
- Re: [Lwip] Magnus Westerlund's Discuss on draft-i… Rene Struik
- Re: [Lwip] Magnus Westerlund's Discuss on draft-i… Magnus Westerlund
- Re: [Lwip] Magnus Westerlund's Discuss on draft-i… Rene Struik
- [Lwip] (clarification) Re: Magnus Westerlund's Di… Rene Struik
- Re: [Lwip] Magnus Westerlund's Discuss on draft-i… Erik Kline
- Re: [Lwip] Magnus Westerlund's Discuss on draft-i… Rene Struik
- Re: [Lwip] Magnus Westerlund's Discuss on draft-i… Daniel Migault
- Re: [Lwip] Magnus Westerlund's Discuss on draft-i… Rene Struik
- Re: [Lwip] Magnus Westerlund's Discuss on draft-i… Benjamin Kaduk
- Re: [Lwip] Magnus Westerlund's Discuss on draft-i… Murray S. Kucherawy
- Re: [Lwip] Magnus Westerlund's Discuss on draft-i… Erik Kline
- Re: [Lwip] Magnus Westerlund's Discuss on draft-i… Mohit Sethi M
- Re: [Lwip] Magnus Westerlund's Discuss on draft-i… Rene Struik