Re: [Cfrg] [irsg] [Errata Verified] RFC8032 (5519)
"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Tue, 28 July 2020 06:38 UTC
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Tue, 28 Jul 2020 09:38:06 +0300
Message-ID: <CAMr0u6ktnCROFUXCt1HESYmpdsQqnVkV73vCdW1Xk-nidWoXbg@mail.gmail.com>
To: Colin Perkins <csp@csperkins.org>
Cc: Dmitry Khovratovich <khovratovich@gmail.com>, Simon Josefsson <simon@josefsson.org>, Internet Research Steering Group <irsg@irtf.org>, CFRG <cfrg@irtf.org>, sus-e@ubiquitous-ai.com, RFC Errata System <rfc-editor@rfc-editor.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3SGlbVhYOPmfgd74WBkgSNK5Sy8>
Dear Colin and Dmitry,

I agree with both changes (one about "S" instead of "s" in the inequality, the other about R' instead of R to keep the same notation as in 5.1.6) proposed by Dmitry.

Regards,
Stanislav

On Tue, 28 Jul 2020 at 00:52, Colin Perkins <csp@csperkins.org> wrote:
> Thanks, Dmitry.
>
> Can someone else in the RG double-check to confirm? Once that's done, I
> can work with the RFC Editor to get the correct fix recorded.
>
> Colin
>
>
> On 23 Jul 2020, at 13:43, Dmitry Khovratovich <khovratovich@gmail.com> wrote:
>
> It seems there is another typo in 5.1.7, as public key and its encoding
> are confused:
>
>     Decode the first half as a
>     point R, and the second half as an integer S, in the range
>     0 <= s < L. Decode the public key A as point A'. If any of the
>     decodings fail (including S being out of range), the signature is
>     invalid.
>
>     2. Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the
>     64-octet digest as a little-endian integer k.
>
>     3. Check the group equation [8][S]B = [8]R + [8][k]A'. It's
>     sufficient, but not required, to instead check [S]B = R + [k]A'.
>
> Should be
>
>     Decode the first half R as a
>     point R', and the second half as an integer S, in the range
>     0 <= S < L. Decode the public key A as point A'. If any of the
>     decodings fail (including S being out of range), the signature is
>     invalid.
>
>     2. Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the
>     64-octet digest as a little-endian integer k.
>
>     3. Check the group equation [8][S]B = [8]R' + [8][k]A'. It's
>     sufficient, but not required, to instead check [S]B = R' + [k]A'.
>
> Dmitry Khovratovich
>
> On Tue, Apr 9, 2019 at 6:32 PM RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>
>> The following errata report has been verified for RFC8032,
>> "Edwards-Curve Digital Signature Algorithm (EdDSA)".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata/eid5519
>>
>> --------------------------------------
>> Status: Verified
>> Type: Editorial
>>
>> Reported by: Susumu Endoh <sus-e@ubiquitous-ai.com>
>> Date Reported: 2018-10-10
>> Verified by: Colin Perkins (IRSG)
>>
>> Section: 5.1.7
>>
>> Original Text
>> -------------
>> Decode the first half as a point R, and the second half as an integer S,
>> in the range 0 <= s < L.
>>
>> Corrected Text
>> --------------
>> Decode the first half as a point R, and the second half as an integer S,
>> in the range 0 <= S < L.
>>
>> Notes
>> -----
>> Original document expression is '0 <= s < L', but it must be
>> '0 <= S < L'. Upper/lower case problem.
>>
>> --------------------------------------
>> RFC8032 (draft-irtf-cfrg-eddsa-08)
>> --------------------------------------
>> Title : Edwards-Curve Digital Signature Algorithm (EdDSA)
>> Publication Date : January 2017
>> Author(s) : S. Josefsson, I. Liusvaara
>> Category : INFORMATIONAL
>> Source : Crypto Forum Research Group
>> Area : N/A
>> Stream : IRTF
>> Verifying Party : IRSG
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>
> --
> Best regards,
> Dmitry Khovratovich
>
> --
> Colin Perkins
> https://csperkins.org/
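A worked verifier for the step the thread is correcting, added here as an editor's example and not code from the thread or from RFC 8032 itself: pure Ed25519 verification as in section 5.1.7, in plain affine arithmetic (study code, not constant-time), with R kept as the 32-byte encoding, R' the decoded point, and the range check 0 <= S < L applied to the integer S. The curve constants, base point encoding and the RFC 8032 section 7.1 test vector used to exercise it are standard values; nothing else is assumed.

```python
import hashlib

p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point B
d = (-121665 * pow(121666, p - 2, p)) % p             # curve constant d
SQRT_M1 = pow(2, (p - 1) // 4, p)                     # a square root of -1 mod p

def decode_point(enc):
    """RFC 8032 5.1.3: 32-byte encoding -> affine (x, y), or None on failure."""
    y = int.from_bytes(enc, "little")
    x0, y = y >> 255, y & ((1 << 255) - 1)          # top bit carries the sign of x
    if y >= p: return None
    xx = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p   # x^2 = (y^2-1)/(d y^2+1)
    x = pow(xx, (p + 3) // 8, p)                     # candidate root (p = 5 mod 8)
    if (x * x - xx) % p:
        x = x * SQRT_M1 % p
    if (x * x - xx) % p or (x == 0 and x0):
        return None                                  # not on the curve / bad sign
    return (p - x if x & 1 != x0 else x, y)

def add(P, Q):
    """Complete affine addition on -x^2 + y^2 = 1 + d x^2 y^2."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, p - 2, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, p - 2, p) % p
    return (x3, y3)

def mul(k, P):
    R = (0, 1)                                       # neutral element; double-and-add
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

B = decode_point(bytes([0x58]) + bytes([0x66]) * 31)   # base point B, y = 4/5

def verify(pk, sig, msg):
    """Pure Ed25519 (empty dom2 prefix, PH = identity) per RFC 8032 5.1.7."""
    if len(pk) != 32 or len(sig) != 64: return False
    R_enc, S = sig[:32], int.from_bytes(sig[32:], "little")
    if S >= L:                  # the range check 0 <= S < L is on the integer S
        return False
    R_pt, A_pt = decode_point(R_enc), decode_point(pk)   # R' and A' in 5.1.7
    if R_pt is None or A_pt is None:
        return False
    k = int.from_bytes(hashlib.sha512(R_enc + pk + msg).digest(), "little")
    # cofactored check [8][S]B = [8]R' + [8][k]A'; k may be reduced mod L first
    return mul(8 * S, B) == add(mul(8, R_pt), mul(8 * (k % L), A_pt))
```

Replacing S by S + L gives a 64-byte string for which the group equation still holds (since [L]B is the neutral element), so it is the check on the integer S itself, not on the encoding, that makes the verifier reject the non-canonical form.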