idnits 2.17.00 (12 Aug 2021)

/tmp/idnits43222/draft-looker-cose-bls-key-representations-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The document date (1 March 2022) is 74 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'Ethereum' is mentioned on line 103, but not defined

  == Missing Reference: 'DFINITY' is mentioned on line 103, but not defined

  == Missing Reference: 'Algorand' is mentioned on line 103, but not defined

  -- Possible downref: Non-RFC (?) normative reference: ref. 'BLS'

     Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

COSE                                                           T. Looker
Internet-Draft                                                     Mattr
Intended status: Standards Track                                M. Jones
Expires: 2 September 2022                                      Microsoft
                                                            1 March 2022

Barreto-Lynn-Scott Elliptic Curve Key Representations for JOSE and COSE
              draft-looker-cose-bls-key-representations-00

Abstract

   This specification defines how to represent cryptographic keys for
   the pairing-friendly elliptic curves known as Barreto-Lynn-Scott
   (BLS), for use with the key representation formats of JSON Web Key
   (JWK) and COSE (COSE_Key).

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/tplooker/draft-looker-cose-bls-key-representations.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 2 September 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.
   Code Components extracted from this document must include Revised
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions and Definitions
     2.1.  Representation Definition
       2.1.1.  JSON Web Key Representation
       2.1.2.  COSE_Key Representation
       2.1.3.  Curve Parameter Registration
   3.  Security Considerations
   4.  IANA Considerations
     4.1.  JSON Web Key (JWK) Elliptic Curve Registrations
     4.2.  COSE Elliptic Curve Registrations
   5.  Normative References
   6.  Informative References
   Appendix A.  Acknowledgments
   Appendix B.  Document History
   Authors' Addresses

1.  Introduction

   This specification defines how to represent cryptographic keys for
   the pairing-friendly elliptic curves known as Barreto-Lynn-Scott
   [BLS], for use with the key representation formats of JSON Web Key
   (JWK) and COSE_Key.  This specification registers the elliptic curves
   in appropriate IANA JOSE and COSE registries.

   There are a variety of applications for pairing based cryptography
   including schemes already published as RFCs, such as Identity-Based
   Cryptography [RFC5091], Sakai-Kasahara Key Encryption (SAKKE)
   [RFC6508], and Identity-Based Authenticated Key Exchange (IBAKE)
   [RFC6539].  SAKKE is applied to Multimedia Internet KEYing (MIKEY)
   [RFC6509].

   This branch of cryptography has also been used to develop
   privacy-preserving cryptographic hardware attestation schemes,
   including the Elliptic Curve Direct Anonymous Attestation (ECDAA) in
   the Trusted Platform Modules [TPM] specified by the Trusted Computing
   Group.  Further work on similar schemes has also occurred at the FIDO
   Alliance [ECDAA].  Similarly, Intel released [EPID] which provides a
   solution to remote hardware attestation for Intel Software Guard
   Extension (SGX) enabled environments.

   More recently, applications of pairing based cryptography using the
   Barreto-Lynn-Scott curves include the standardization effort for BLS
   Signatures [id.draft.bls-signature-04], which are used extensively in
   multiple blockchain projects due to their unique signature
   aggregation properties, including [Ethereum] [DFINITY] [Algorand].
   Additionally, efforts are under way to standardize the general
   purpose short group signature scheme of BBS Signatures [BBS], which
   features novel properties such as multi-message signing and selective
   disclosure alongside zero knowledge proving.  It is intended that
   this draft will help with these efforts by standardizing the
   associated cryptographic key representation in the popular formats of
   JWK and COSE_Key.

   Other relevant work to this draft includes [JWP] which is extending
   the JOSE family of specifications to provide support for representing
   a variety of new proof based cryptographic schemes such as [BBS]
   which as referred to above uses the Barreto-Lynn-Scott curves.

   There are multiple different pairing-friendly curves in active use;
   however, this draft focuses on a definition for the
   Barreto-Lynn-Scott curves due to them being the most "widely used"
   and "efficient" whilst achieving 128-bit and 256-bit security
   (BLS12-381 and BLS48-581 respectively).

   More extensive discussion on the broader application of pairing based
   cryptography and the assessment of various elliptic curves (including
   the BLS family) can be found in
   [id.draft.pairing-friendly-curves-10].

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.1.  Representation Definition

   The following definitions apply to the pairing-friendly elliptic
   curves known as the Barreto-Lynn-Scott (BLS) curves.

2.1.1.  JSON Web Key Representation

   When expressing a cryptographic key for these curves in JSON Web Key
   (JWK) form, the following rules apply:

   *  The parameter "kty" MUST be present and set to "OKP".

   *  The parameter "crv" MUST be present and value MUST be one defined
      in Section 2.1.3.

   *  The parameter "x" MUST be present whose value represents the curve
      point for the public key.  This value MUST be encoded using the
      serialization defined in [id.draft.pairing-friendly-curves-10]
      Appendix C and MUST be base64url encoded without padding as
      defined in [RFC7515] Appendix C.

   *  The parameter "d" MUST be present for private key representations
      whose value MUST contain the little-endian representation of the
      private key base64url encoded without padding as defined in
      [RFC7515] Appendix C.  This parameter MUST NOT be present for
      public keys.

2.1.2.  COSE_Key Representation

   When expressing a cryptographic key for these curves in COSE_Key
   form, the following rules apply:

   *  The parameter "kty" (1) MUST be present and set to "OKP" (1).

   *  The parameter "crv" (-1) MUST be present and value MUST be one
      defined in Section 2.1.3.

   *  The parameter "x" (-2) MUST be present whose value represents the
      curve point for the public key.  This value MUST be encoded using
      the serialization defined in [id.draft.pairing-friendly-curves-10]
      Appendix C.

   *  The parameter "d" (-4) MUST be present for private key
      representations whose value MUST contain the little-endian
      representation of the private key.  This parameter MUST NOT be
      present for public keys.

2.1.3.  Curve Parameter Registration

   +============+============+=====================================+
   | JWK "crv"  | COSE_Key   | Description                         |
   | value      | "crv"      |                                     |
   |            | value      |                                     |
   +============+============+=====================================+
   | Bls12381G1 | TBD (13    | A cryptographic key on the Barreto- |
   |            | requested) | Lynn-Scott (BLS) curve featuring an |
   |            |            | embedding degree 12 with 381-bit p  |
   |            |            | in the subgroup of G1 defined as    |
   |            |            | E(GF(p)) of order r                 |
   +------------+------------+-------------------------------------+
   | Bls12381G2 | TBD (14    | A cryptographic key on the Barreto- |
   |            | requested) | Lynn-Scott (BLS) curve featuring an |
   |            |            | embedding degree 12 with 381-bit p  |
   |            |            | in the subgroup of G1 defined as    |
   |            |            | E(GF(p^2)) of order r               |
   +------------+------------+-------------------------------------+
   | Bls48581G1 | TBD (15    | A cryptographic key on the Barreto- |
   |            | requested) | Lynn-Scott (BLS) curve featuring an |
   |            |            | embedding degree 48 with 581-bit p  |
   |            |            | in the subgroup of G1 defined as    |
   |            |            | E(GF(p)) of order r                 |
   +------------+------------+-------------------------------------+
   | Bls48581G2 | TBD (16    | A cryptographic key on the Barreto- |
   |            | requested) | Lynn-Scott (BLS) curve featuring an |
   |            |            | embedding degree 48 with 581-bit p  |
   |            |            | in the subgroup of G1 defined as    |
   |            |            | E(GF(p^8)) of order r               |
   +------------+------------+-------------------------------------+

                                  Table 1

3.  Security Considerations

   See [id.draft.pairing-friendly-curves-10] for additional details on
   security considerations for the curves used.  Implementers should
   also consider the general guidance provided in Section 9 of [RFC7517]
   and Section 17 of [RFC8152] when using this specification.

   Furthermore, because this specification only defines the
   cryptographic key representations and not the usage of these keys
   with specific algorithms, implementers should take care to follow any
   guidance that may be provided around appropriate usage of the keys
   and/or additional steps that may be required to validate the keys
   within the context of particular algorithms.

4.  IANA Considerations

4.1.  JSON Web Key (JWK) Elliptic Curve Registrations

   This section registers the following values in the IANA "JSON Web Key
   Elliptic Curve" registry [IANA.JOSE.Curves].

   Bls12381G1

   *  Curve Name: Bls12381G1

   *  Curve Description: 381 bit with an embedding degree of 12
      Barreto-Lynn-Scott pairing-friendly curve using the r-order
      subgroup of E(GF(p))

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 2.1.1

   Bls12381G2

   *  Curve Name: Bls12381G2

   *  Curve Description: 381 bit with an embedding degree of 12
      Barreto-Lynn-Scott pairing-friendly curve using the r-order
      subgroup of E'(GF(p^2))

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 2.1.1

   Bls48581G1

   *  Curve Name: Bls48581G1

   *  Curve Description: 581 bit with an embedding degree of 48
      Barreto-Lynn-Scott pairing-friendly curve using the r-order
      subgroup of E(GF(p))

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 2.1.1

   Bls48581G2

   *  Curve Name: Bls48581G2

   *  Curve Description: 581 bit with an embedding degree of 48
      Barreto-Lynn-Scott pairing-friendly curve using the r-order
      subgroup of E'(GF(p^8))

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 2.1.1

4.2.  COSE Elliptic Curve Registrations

   This section registers the following values in the IANA "COSE
   Elliptic Curves" registry [IANA.COSE.Curves].

   Bls12381G1

   *  Curve Name: Bls12381G1

   *  Value: TBD (13 requested)

   *  Key Type: OKP

   *  Curve Description: 381 bit with an embedding degree of 12
      Barreto-Lynn-Scott pairing-friendly curve using the r-order
      subgroup of E(GF(p))

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 2.1.2

   *  Recommended: Yes

   Bls12381G2

   *  Curve Name: Bls12381G2

   *  Value: TBD (14 requested)

   *  Key Type: OKP

   *  Curve Description: 381 bit with an embedding degree of 12
      Barreto-Lynn-Scott pairing-friendly curve using the r-order
      subgroup of E'(GF(p^2))

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 2.1.2

   *  Recommended: Yes

   Bls48581G1

   *  Curve Name: Bls48581G1

   *  Value: TBD (15 requested)

   *  Key Type: OKP

   *  Curve Description: 581 bit with an embedding degree of 48
      Barreto-Lynn-Scott pairing-friendly curve using the r-order
      subgroup of E(GF(p))

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 2.1.2

   *  Recommended: Yes

   Bls48581G2

   *  Curve Name: Bls48581G2

   *  Value: TBD (16 requested)

   *  Key Type: OKP

   *  Curve Description: 581 bit with an embedding degree of 48
      Barreto-Lynn-Scott pairing-friendly curve using the r-order
      subgroup of E'(GF(p^8))

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 2.1.2

   *  Recommended: Yes

5.  Normative References

   [BLS]      Barreto, P., Lynn, B., and M. Scott, "Constructing
              Elliptic Curves with Prescribed Embedding Degrees", 2003.

   [IANA.COSE.Curves]
              IANA, "COSE Elliptic Curves".

   [IANA.JOSE.Curves]
              IANA, "JOSE Elliptic Curves".

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              2015.

   [RFC7517]  Jones, M., "JSON Web Key (JWK)", RFC 7517,
              DOI 10.17487/RFC7517, May 2015.

   [RFC8152]  Schaad, J., "CBOR Object Signing and Encryption (COSE)",
              RFC 8152, DOI 10.17487/RFC8152, July 2017.

   [id.draft.bls-signature-04]
              IETF CFRG, "BLS Signature".

   [id.draft.pairing-friendly-curves-10]
              IETF CFRG, "Pairing-Friendly Curves".

6.  Informative References

   [BBS]      Decentralized Identity Foundation, "The BBS Signature
              Scheme".

   [ECDAA]    FIDO Alliance, "ECDAA Algorithm", 2018.

   [EPID]     Intel Corporation, "Intel (R) SGX: Intel (R) EPID
              Provisioning and Attestation Services".

   [JWP]      Miller, J. and M. Jones, "JSON Web Proof".

   [RFC5091]  Boyen, X. and L. Martin, "Identity-Based Cryptography
              Standard (IBCS) #1: Supersingular Curve Implementations of
              the BF and BB1 Cryptosystems", RFC 5091,
              DOI 10.17487/RFC5091, December 2007.

   [RFC6508]  Groves, M., "Sakai-Kasahara Key Encryption (SAKKE)",
              RFC 6508, DOI 10.17487/RFC6508, February 2012.

   [RFC6509]  Groves, M., "MIKEY-SAKKE: Sakai-Kasahara Key Encryption in
              Multimedia Internet KEYing (MIKEY)", RFC 6509,
              DOI 10.17487/RFC6509, February 2012.

   [RFC6539]  Cakulev, V., Sundaram, G., and I. Broustis, "IBAKE:
              Identity-Based Authenticated Key Exchange", RFC 6539,
              DOI 10.17487/RFC6539, March 2012.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [TPM]      Trusted Computing Group, "Trusted Platform Module".

Appendix A.  Acknowledgments

   The authors would like to acknowledge the work of Kyle Den Hartog,
   which was used as the foundation for this draft.

Appendix B.  Document History

   -00

   *  Initial version

Authors' Addresses

   Tobias Looker
   Mattr
   Email: tobias.looker@mattr.global

   Michael B. Jones
   Microsoft
   Email: mbj@microsoft.com
   URI:   https://self-issued.info/
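
Added example (not part of the draft and not the authors' code): a structural check of the JWK rules in Section 2.1.1, including strict unpadded base64url decoding and the "d" MUST NOT rule for public keys. The function names, the sample key and the BLS12-381 point lengths are assumptions of this example; the draft states no lengths.

```python
import base64
import re

# Curve names from Section 2.1.3 of the draft.
BLS_CURVES = {"Bls12381G1", "Bls12381G2", "Bls48581G1", "Bls48581G2"}

# Assumption, not stated in the draft: byte lengths (compressed,
# uncompressed) of serialized BLS12-381 points. The BLS48-581 curves
# are left without a length check.
POINT_LENGTHS = {"Bls12381G1": (48, 96), "Bls12381G2": (96, 192)}


def b64url_decode_strict(value):
    """Decode unpadded base64url; reject padding, stray characters and
    non-canonical trailing bits, which base64.urlsafe_b64decode accepts."""
    if not isinstance(value, str) or not re.fullmatch(r"[A-Za-z0-9_-]+", value):
        raise ValueError("not unpadded base64url")
    if len(value) % 4 == 1:
        raise ValueError("impossible base64url length")
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    if base64.urlsafe_b64encode(raw).rstrip(b"=").decode() != value:
        raise ValueError("non-canonical base64url")
    return raw


def validate_bls_jwk(jwk, expect_private=False):
    """Check the Section 2.1.1 rules and return (point_bytes, scalar).

    Structural only: it does not prove that "x" is a point on the curve
    or in the order-r subgroup, which the algorithm using the key must do.
    """
    if jwk.get("kty") != "OKP":
        raise ValueError('"kty" MUST be "OKP"')
    crv = jwk.get("crv")
    if not isinstance(crv, str) or crv not in BLS_CURVES:
        raise ValueError('"crv" is not a registered BLS curve name')
    if "x" not in jwk:
        raise ValueError('"x" MUST be present')
    point = b64url_decode_strict(jwk["x"])
    if crv in POINT_LENGTHS and len(point) not in POINT_LENGTHS[crv]:
        raise ValueError('"x" has the wrong length for ' + crv)
    if not expect_private:
        if "d" in jwk:
            raise ValueError('"d" MUST NOT be present in a public key')
        return point, None
    if "d" not in jwk:
        raise ValueError('"d" MUST be present in a private key')
    # "d" is the little-endian representation of the private key.
    return point, int.from_bytes(b64url_decode_strict(jwk["d"]), "little")


# Constructed sample: 48 filler bytes, not a real curve point.
SAMPLE_X = base64.urlsafe_b64encode(bytes(range(48))).decode().rstrip("=")
SAMPLE_PUBLIC_JWK = {"kty": "OKP", "crv": "Bls12381G1", "x": SAMPLE_X}
```

Calling validate_bls_jwk on a public key that still carries "d" fails closed, which catches private key material exported through a path meant for public keys.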