Re: [pkix] Edwards/DJB curves - New PKI(X) work?

Johannes Merkle <johannes.merkle@secunet.com> Fri, 15 August 2014 07:38 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/b0J5eP5kXYm3giAozhyXWRPf4pQ

Anders Rundgren wrote on 14.08.2014 18:05:
> On 2014-08-14 16:51, Johannes Merkle wrote:
>> Anders Rundgren wrote on 14.08.2014 13:36:
>>> But the inclusion of new algorithms in X.509 structures sounds
>>> like a PKI(X)-like task.
>>>
>>
>> Well, "new algorithms" is not exactly the right term for introducing a new curve representation; it's rather a new
>> semantic of public keys, digital signatures and cryptograms. (There are some people on the CFRG advocating
>> standardization of simplified ECC-based signature algorithms, like Schnorr signatures, but currently, the discussion
>> focuses on curves and their representation.) But essentially, you are right: if we want to use new semantics in PKIX,
>> new specs for X.509 certs / CRLs, for CMS etc. would be needed.
> 
> I'm not a cryptographer you know :-)
> 
> Anyway, wouldn't you need algorithms also like EdDSA-SHA256 or would ECDSA-SHA256 apply?
> Again, pardon a non-cryptographer for asking stupid/strange questions...

The usage of ECDSA-SHA256 within PKIX is already fully specified in RFC 5758. The curve (more specifically, the elliptic
curve parameters) is a property of the public key, not of the digital signature, DH value or cipher text.
In order to use other curves, you just need to replace the OID for the named curve which is a parameter of the
SubjectPublicKeyInfo according to RFC 5480.

As I said, there are ideas to define new digital signature algorithms, like Schnorr signature or EdDSA. The motivation
for this is both performance and ease of (secure) implementation, but it is perfectly possible to use Montgomery or
Edwards curves with ECDSA in a secure and efficient way. There has been some confusion about this, because Daniel
Bernstein has introduced his Edwards curve Ed25519 together with a new signature algorithm (and also suggested to use
the Montgomery curve Curve25519 for DH only), but this combination of curves and algorithms (and, actually, of a
specific arithmetic as well) is just an optimization, and does not really fit the modular approach of PKIX.

My perception is that CFRG (and tls WG) will take one step after another and will now standardize new curves only. After
that is accomplished, they might consider standardization of new signature algorithms, but this has not been decided yet.

-- 
Johannes
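
Added example, not part of the original message: a minimal DER encoder/parser showing the point made above, that the curve is carried as the namedCurve OID inside SubjectPublicKeyInfo (RFC 5480) while the ecdsa-with-SHA256 signature AlgorithmIdentifier (RFC 5758) is the same for every curve. The helper names and the all-zero key bytes are constructed for illustration; only short-form DER lengths are handled, which is enough for 256-bit keys.

```python
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"      # SPKI algorithm OID (RFC 5480), same for all curves
SECP256R1 = "1.2.840.10045.3.1.7"           # namedCurve parameter
BRAINPOOL_P256R1 = "1.3.36.3.3.2.8.1.1.7"   # namedCurve parameter (RFC 5639)
SAMPLE_POINT = b"\x04" + bytes(64)          # constructed placeholder: point layout only, not on any curve

def tlv(tag, content):
    if len(content) >= 0x80:
        raise ValueError("long-form lengths not needed for these structures")
    return bytes([tag, len(content)]) + content

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                 # base-128, least significant group first
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def dec_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0   # valid for first arc 0 or 1
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    tag, n = buf[pos], buf[pos + 1]
    if n & 0x80 or pos + 2 + n > len(buf):
        raise ValueError("long-form or truncated DER")
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def build_spki(curve_oid, point):
    alg_id = tlv(0x30, enc_oid(ID_EC_PUBLIC_KEY) + enc_oid(curve_oid))
    return tlv(0x30, alg_id + tlv(0x03, b"\x00" + point))

def parse_spki(der):   # -> (algorithm OID, namedCurve OID, key bytes)
    _, spki, _ = read_tlv(der, 0)
    _, alg_id, key_pos = read_tlv(spki, 0)
    _, alg, param_pos = read_tlv(alg_id, 0)
    ptag, curve, _ = read_tlv(alg_id, param_pos)
    if ptag != 0x06:
        raise ValueError("parameters are not a namedCurve OID")
    _, bits, _ = read_tlv(spki, key_pos)
    return dec_oid(alg), dec_oid(curve), bits[1:]

ECDSA_SHA256_ALG_ID = tlv(0x30, enc_oid("1.2.840.10045.4.3.2"))  # ecdsa-with-SHA256, no parameters (RFC 5758)
```

Calling `parse_spki(build_spki(BRAINPOOL_P256R1, SAMPLE_POINT))` returns the same algorithm OID as for `SECP256R1`; only the parameter OID differs, and `ECDSA_SHA256_ALG_ID` never mentions a curve.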