On Mon, Jan 08, 2024 at 09:15:48AM -0600, Orie Steele wrote:
>
> > The fact that Ed25519 and
> Ed448 are both EdDSA instantiations, or that the X25519 algorithm and the
> Ed25519 algorithm have a similar structure are just useful properties when
> analyzing, specifying, or implementing a primitive. It is not relevant to
> protocols that *use* a primitive. As far as we're concerned, these are just
> names that conform to the signature scheme interface (KeyGen() -> (pk, sk),
> Sign(sk, msg) -> sig, and Verify(pk, msg, sig)).
>
> To me this last part is most compelling.
>
> If changing a part of the named algorithm, breaks this interface, then the
> algorithm is fully specified.
>
> key-gen (signature type) --> private-key --> public-key --> signature
> (signature type)
>
> in data integrity, changing the hash function used, or the canonicalization
> algorithm breaks the signature verification.
>
> the attacker can change these before verification succeeds.
>
> As a practical matter, I cannot generate a key pair with just the word
> "EdDSA", I need to know the curve.
>
> The same is also true of ECDSA.
>
> Differences in registries for algorithms can impact how easy it is to build
> safe APIs or negotiate, for example:
>
> https://github.com/panva/jose/blob/main/docs/functions/key_generate_key_pair.generateKeyPair.md
>
> For none fully specified algorithms, the crv property is required to
> generate a key.
I think part of confusion is confusing encryption and signing.
Encryption in JOSE, let alone COSE, is very flexible, making fully
specified approach infeasible. But signing is relatively simple.
However, there is a subtle difference between ECDSA and EdDSA. Both
are paramerized by curve and hash function. However, ECDSA keys only
depend on curve, while EdDSA keys depend on both curve and hash.
ML-DSA ("Dilithium") and SLH-DSA ("SPINCS+") work like EdDSA despite
completely different parametrizations. RSA works like ECDSA.
Thus:
- EdDSA keys are always fully specified.
- ML-DSA/SLH-DSA keys are always fully specified.
- In COSE, ECDSA keys are fully specified iff there is "alg".
- In JOSE, ECDSA keys are currently fully specified (only one hash
function is allowed for each curve).
- In COSE and JOSE, RSA keys are fully specified iff there is "alg".
And I think a second source of confusion is keys being fully specified
versus algorithms implying key type. For signing, the latter fails for
EdDSA in COSE and JOSE (alg overloading), and ECDSA in COSE (multiple
allowed curves). Some applications misuse signature algorithms in COSE
and JOSE to imply key types.
-Ilari
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
