RE: [pkcs11] CKM_EC_EDWARDS_KEY_PAIR_GEN

[Hamish Cameron <Hamish.Cameron@entrust.com>]

Hi Dieter, Jonathan,

 

Thanks for the info here, nCipher (Entrust) has now raised a defect on the PARAM’s name to allow the use of the correct name and OID. The reference to many specs also the different type of PARAM’s can make this confusing. But we are correcting this now.

 

On reading the v3 spec again I notice in section.

PKCS #11 Cryptographic Token Interface Current Mechanisms Specification Version 3.0 (oasis-open.org)

Section 2.3.8 Montgomery Elliptic curve private key objects

-          The second paragraph also starts talking about Edwards curves again so can add to the confusion referring to the second spec for Montgomery

 

Section 6.3.8 in pkcs11-spec-v3.1-wd02 draft spec is still incorrect and should refer to Montgomery again second paragraph.

 

Best Regards

Hamish

 

 

From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org> On Behalf Of Jonathan Schulze-Hewett
Sent: 05 January 2021 05:15
To: Dieter.Bong@utimaco.com; pkcs11@lists.oasis-open.org
Subject: RE: [pkcs11] CKM_EC_EDWARDS_KEY_PAIR_GEN

 

Dieter,

 

Thanks for the reply. I agree with your opinion, but that’s exactly the issue I’m trying to raise. It’s an opinion and it doesn’t carry the weight of the spec. In this case I’d argue that the spec should just list the values to be used rather than point folks to things that are open for interpretation.

 

Sincerely,

Jonathan

 

 

From: Dieter Bong <Dieter.Bong@utimaco.com>
Sent: Tuesday, January 5, 2021 8:01 AM
To: Jonathan Schulze-Hewett <schulze-hewett@infoseccorp.com>; pkcs11@lists.oasis-open.org
Subject: RE: [pkcs11] CKM_EC_EDWARDS_KEY_PAIR_GEN

 

Hi Jonathan,

 

The RFCs are quite clear in my opinion:

• RFC 8032 states in section 5: This section instantiates the general EdDSA algorithm for the edwards25519 and edwards448 curves, …
• RFC 7748 states in section 4.1 “… Montgomery curve v^2 = u^3 + A*u^2 + u, called "curve25519"… ”. And a bit further below in that same section “This curve is birationally equivalent to a twisted Edwards curve -x^2 + y^2 = 1 + d*x^2*y^2, called "edwards25519" …”

 

curve25519 is thus a Montgomery curve, and must be used with CKM_EC_MONTGOMERY_KEY_PAIR_GEN, and edwards25519 is an Edwards curve to be used with CKM_EC_EDWARDS_KEY_PAIR_GEN. That said, SoftHSM is right and nCipher is wrong in my opinion.

 

Best regards,

Dieter

 

From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org> On Behalf Of Jonathan Schulze-Hewett
Sent: Wednesday, December 23, 2020 8:20 PM
To: pkcs11@lists.oasis-open.org
Subject: [pkcs11] CKM_EC_EDWARDS_KEY_PAIR_GEN (WARNING!!! S/MIME with incorrect signature)

 

All,

 

For CKM_EC_EDWARDS_KEY_PAIR_GEN, what are the curveNames? SoftHSM2 wants edwards25519. nCipher wants curve25519. The spec simply refers me to the RFCs. The OIDs are pretty clear, but the curveName option appears to be open to interpretation. Considering it’s two values, perhaps the spec could just list what they are or otherwise provide some specificity?

 

Sincerely,

Jonathan

 

Jonathan Schulze-Hewett

Director of Development

Information Security Corp

708-445-1704 (o) | 708-822-2926 (m)

schulze-hewett@infoseccorp.com

 

 

 

---

Utimaco IS GmbH
Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0, www.utimaco.com
Seat: Aachen – Registergericht Aachen HRB 18922
VAT ID No.: DE 815 496 496
Managementboard: Stefan Auerbach (Chairman) CEO, Malte Pollmann CSO, Martin Stamm CFO

This communication is confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Please inform us immediately and destroy the email.