Axel: As I recall, the feeling was that there might be key re-use, e.g., within a multiple-recipient object. So you need the nonce to ensure that the key is different for each recipient.
James: The choice of 512 bits was just to be conservative and simple. Otherwise you would have to explain that there has to be at least as much entropy as the key, etc. A 512-bit nonce is long enough for pretty much any use for at least the near future, so implementors can just use that length. This should be in the interim minutes, I'm just adding back what got dropped in a subsequent revision :) On Mon, Aug 12, 2013 at 3:40 AM, <[email protected]> wrote: > I think that the ephemeral key is enough entropy. It is randomly > generated, right? > > -Axel > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf Of > Manger, James H > Sent: Monday, August 12, 2013 4:00 AM > To: <[email protected]>; Richard Barnes > Subject: Re: [jose] #55: Mandatory entropy in ECC KDF inputs > > Why do we need 512 bits of extra entropy when deriving, say, a 128-bit key? > > How does that match with the NIST spec for this field? Below is the NIST > definition for PartyUInfo, which JOSE calls "apu". > Perhaps the 512 bits of entropy are the nonce mentioned by the NIST text, > though it only requires the nonce for a static-static scheme, not for an > ephemeral-static scheme as used in JOSE. > > > [NIST SP 56A; revision 2, May 2013; section 5.8.1.2 OtherInfo; page 48] > PartyUInfo: A required non-null subfield containing public information > about party U. At a minimum, PartyUInfo shall include ID_U, an identifier > for party U, as a distinct item of information. This subfield could also > include information about the public key(s) contributed to the > key-agreement transaction by party U. The nonce provided by party U as > required in a C(0e, 2s) scheme (see Section 6.3) shall be included in this > subfield. > > > -- > James Manger > > > -----Original Message----- > > From: [email protected] [mailto:[email protected]] On Behalf > > Of jose issue tracker > > Sent: Monday, 12 August 2013 8:56 AM > > To: [email protected]; [email protected] > > Cc: [email protected] > > Subject: [jose] #55: Mandatory entropy in ECC KDF inputs > > > > #55: Mandatory entropy in ECC KDF inputs > > > > At the interim, there was agreement to require at least 512 bits of > > entropy in the "apu" field, in order to ensure sufficient entropy in > > the resulting key. That requirement has been lost in a subsequent > > revision. > > > > -- > > -------------------------+-------------------------------------------- > > -------------------------+- > > - > > -------------------------+--- > > Reporter: [email protected] | Owner: draft-ietf-jose-json-web- > > Type: defect | [email protected] > > Priority: major | Status: new > > Component: json-web- | Milestone: > > algorithms | Version: > > Severity: - | Keywords: > > -------------------------+-------------------------------------------- > > -------------------------+- > > - > > -------------------------+--- > > > > Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/55> > > jose <http://tools.ietf.org/jose/> > > > > _______________________________________________ > > jose mailing list > > [email protected] > > https://www.ietf.org/mailman/listinfo/jose > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose >
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
