Re: [pkix] Edwards/DJB curves - New PKI(X) work?

Anders Rundgren <anders.rundgren.net@gmail.com> Fri, 15 August 2014 08:02 UTC

Message-ID: <53EDBE95.3050204@gmail.com>
Date: Fri, 15 Aug 2014 10:02:29 +0200
From: Anders Rundgren <anders.rundgren.net@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Johannes Merkle <johannes.merkle@secunet.com>, pkix@ietf.org
References: <53EC3F1F.6090706@gmail.com> <53EC9E72.8030701@bbn.com> <53EC9F34.7090403@gmail.com> <53ECCCE4.2060603@secunet.com> <53ECDE4F.6020009@gmail.com> <53EDB8F3.3020400@secunet.com>
In-Reply-To: <53EDB8F3.3020400@secunet.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/KEV2ZCgY-sLC93eXMzmj5SoXnhc
Subject: Re: [pkix] Edwards/DJB curves - New PKI(X) work?

On 2014-08-15 09:38, Johannes Merkle wrote:
> Anders Rundgren wrote on 14.08.2014 18:05:
>> On 2014-08-14 16:51, Johannes Merkle wrote:
>>> Anders Rundgren wrote on 14.08.2014 13:36:
>>>> But the inclusion of new algorithms in X.509 structures sounds
>>>> like a PKI(X)-like task.
>>>>
>>>
>>> Well, "new algorithms" is not exactly the right term for introducing a new curve representation; it's rather a new
>>> semantic of public keys, digital signatures and cryptograms. (There are some people on the CFRG advocating
>>> standardization of simplified ECC-based signature algorithms, like Schnorr signatures, but currently, the discussion
>>> focuses on curves and their representation.) But essentially, you are right: if we want to use new semantics in PKIX,
>>> new specs for X.509 certs / CRLs, for CMS etc. would be needed.
>>
>> I'm not a cryptographer you know :-)
>>
>> Anyway, wouldn't you need algorithms also like EdDSA-SHA256 or would ECDSA-SHA256 apply?
>> Again, pardon a non-cryptographer for asking stupid/strange questions...
>
> The usage of ECDSA-SHA256 within PKIX is already fully specified in RFC 5758. The curve (more specifically, the elliptic
> curve parameters) are a property of the public key not of the digital signature, DH value or cipher text.
> In order to use other curves, you just need to replace the OID for the named curve which is a parameter of the
> SubjectPublicKeyInfo according to RFC 5480.
>
> As I said, there are ideas to define new digital signature algorithms, like Schnorr signature or EdDSA. The motivation
> for this is both performance and ease of (secure) implementation, but it is perfectly possible to use Montgomery or
> Edwards curves with ECDSA in a secure and efficient way. There has been some confusion about this, because Daniel
> Bernstein has introduced his Edwards curve Ed25519 together with a new signature algorithm (and also suggested to use
> the Montgomery curve Curve25519 for DH only), but this combination of curves and algorithms (and, actually, of a
> specific arithmetic as well) is just an optimization, and does not really fit the modular approach of PKIX.
>
> My perception is that CFRG (and tls WG) will take one step after another and will now standardize new curves only. After
> that is accomplished, they might consider standardization of new signature algorithms, but this has not been decided yet.
>

Thanx for the update!
It looks very messy to me.

Personally I wonder if CFRG will be able to stop new signature algorithms
since OpenSSH already supports EdDSA:
http://www.gossamer-threads.com/lists/openssh/dev/57162

Anders
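A worked illustration of the point Johannes makes above about RFC 5480 and RFC 5758, added here as an example and not taken from the thread or from any IETF document: a small pure-Python DER encoder/decoder for the SubjectPublicKeyInfo of an EC key. It shows that the curve is carried as the namedCurve OID in the public key's AlgorithmIdentifier parameters, that RFC 5480 permits only that choice (implicitCurve and specifiedCurve are rejected), and that the ecdsa-with-SHA256 signature AlgorithmIdentifier is the same bytes whatever curve the key uses. The OIDs are the real ones from RFC 5480, RFC 5758 and SEC 2; the point bytes are constructed placeholders, not points on either curve, and the length check is there to make the practical caveat visible: replacing the OID alone does not turn a P-256 key into a P-384 key.

```python
# Added example (not from the thread): RFC 5480 SubjectPublicKeyInfo for EC keys.
# The named curve is a *parameter of the public key*; the RFC 5758 signature
# AlgorithmIdentifier for ecdsa-with-SHA256 never mentions the curve.
# Sample point bytes below are constructed placeholders, not real curve points.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"     # id-ecPublicKey (RFC 5480)
ECDSA_WITH_SHA256 = "1.2.840.10045.4.3.2"  # ecdsa-with-SHA256 (RFC 5758)
SECP256R1 = "1.2.840.10045.3.1.7"          # P-256 named curve (SEC 2)
SECP384R1 = "1.3.132.0.34"                 # P-384 named curve (SEC 2)

# Uncompressed point length (1 + 2 * field size) for the curves we know.
POINT_LEN = {SECP256R1: 65, SECP384R1: 97}

def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    """Tag + length + contents."""
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def decode_oid(body):
    """DER OID contents -> dotted string (first arc < 2, true for all OIDs here)."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, contents, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + ln], pos + ln

def build_spki(curve_oid, point):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    alg_id = der_tlv(0x30, encode_oid(ID_EC_PUBLIC_KEY) + encode_oid(curve_oid))
    subject_public_key = der_tlv(0x03, b"\x00" + point)   # 0 unused bits
    return der_tlv(0x30, alg_id + subject_public_key)

def parse_spki(spki):
    """Return algorithm OID, named curve OID and raw point; enforce RFC 5480 rules."""
    tag, seq, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = _read_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    t_alg, alg_oid, p = _read_tlv(alg, 0)
    t_par, params, _ = _read_tlv(alg, p)
    if t_alg != 0x06 or decode_oid(alg_oid) != ID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey key")
    # RFC 5480 allows only the namedCurve choice of ECParameters in PKIX;
    # implicitCurve (NULL) and specifiedCurve (a SEQUENCE) are rejected here.
    if t_par != 0x06:
        raise ValueError("ECParameters must be a namedCurve OID")
    curve = decode_oid(params)
    t_bits, bits, _ = _read_tlv(seq, pos)
    if t_bits != 0x03 or bits[:1] != b"\x00":
        raise ValueError("subjectPublicKey must be a BIT STRING with 0 unused bits")
    point = bits[1:]
    # The OID and the key bytes must agree: changing only the OID is not enough.
    if curve in POINT_LEN and (point[:1] != b"\x04" or len(point) != POINT_LEN[curve]):
        raise ValueError("public key length does not match the named curve")
    return {"algorithm": ID_EC_PUBLIC_KEY, "named_curve": curve, "point": point}

def ecdsa_sha256_alg_id():
    """Signature AlgorithmIdentifier per RFC 5758: OID only, parameters absent."""
    return der_tlv(0x30, encode_oid(ECDSA_WITH_SHA256))

if __name__ == "__main__":
    for oid, n in POINT_LEN.items():
        info = parse_spki(build_spki(oid, b"\x04" + bytes(n - 1)))  # constructed bytes
        print(info["named_curve"], len(info["point"]), ecdsa_sha256_alg_id().hex())
```

Running the block prints one line per curve: the curve OID differs, the point length differs, and the trailing ecdsa-with-SHA256 AlgorithmIdentifier (`300a06082a8648ce3d040302`) is identical for both, which is the modularity Johannes describes.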