JCA design for RFC 7748
Adam Petcher
adam.petcher at oracle.com
Tue Aug 8 19:43:52 UTC 2017
On 8/8/2017 12:50 PM, Michael StJohns wrote:
>
> We'll leave this for later. But generally, the JCA is a general
> interface to a set of crypto primitives modeled on just a few key
> types. To go in the direction you want to go it you need to explain
> why its impossible to model an elliptic curve as an elliptic curve.
> As I noted, I think that the inclusion of extension of ECField is
> probably all that's necessary for representing both public and private
> key pairs here.
The problem with the existing EC classes (EllipticCurve, ECPoint, etc.)
is that they are intended to represent curves in Weierstrass form: y^2 =
x^3 + ax + b. EllipticCurve has two parameters "a" and "b" corresponding
to the coefficients in the equation above. RFC 7748 uses elliptic curves
in Montgomery form: y^2 = x^3 + ax^2 + x. So the parameters are
different. Further complicating things: every curve in Montgomery form
has an isomorphic curve in Weierstrass form (but not vice-versa).
So if we reuse EllipticCurve (and related classes), we could map the
parameters onto Montgomery curve coefficients. For example interpret "a"
as the second-degree coefficient instead of the first-degree
coefficient, and ignore "b". But we have the problem that the programmer
may not know when the parameters will be interpreted as Weierstrass
coefficients instead of Montgomery coefficients. I am particularly
concerned about this because these parameters were always interpreted as
Weierstrass coefficients in the past.
So we would want a way to tag the objects and check the tags to ensure
that they are not misused. You suggested making new ECField subclasses
for Montgomery/Edwards curves. The field used in RFC 7748/8032 is GF(p),
which corresponds to the existing class ECFieldFp. So it seems strange
and surprising to use this member to identify how coefficients should be
interpreted, because this has nothing to do with the field. Though I can
see why this approach is appealing, because the field is the only part
of EllipticCurve that was designed to be extensible. If the coefficients
(and their interpretation) were similarly extensible, then we wouldn't
have these problems.
In short: I'm not sure that reusing the existing EC classes is a good
idea, because they were intended for something else, they are not
general enough, and the potential for misuse/confusion is high.
More information about the security-dev
mailing list