Re: [Cfrg] [irsg] [Errata Verified] RFC8032 (5519)

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Tue, 28 July 2020 06:38 UTC

References: <20190409163213.7EFCCB80E80@rfc-editor.org> <CALW8-7LhKhH7tabJFhU+=cWcOeadbPj4JLPkuf3jgWhk-3kBEw@mail.gmail.com> <49462255-FA53-467D-92F6-D34340ABE924@csperkins.org>
In-Reply-To: <49462255-FA53-467D-92F6-D34340ABE924@csperkins.org>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Tue, 28 Jul 2020 09:38:06 +0300
Message-ID: <CAMr0u6ktnCROFUXCt1HESYmpdsQqnVkV73vCdW1Xk-nidWoXbg@mail.gmail.com>
To: Colin Perkins <csp@csperkins.org>
Cc: Dmitry Khovratovich <khovratovich@gmail.com>, Simon Josefsson <simon@josefsson.org>, Internet Research Steering Group <irsg@irtf.org>, CFRG <cfrg@irtf.org>, sus-e@ubiquitous-ai.com, RFC Errata System <rfc-editor@rfc-editor.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3SGlbVhYOPmfgd74WBkgSNK5Sy8>
Subject: Re: [Cfrg] [irsg] [Errata Verified] RFC8032 (5519)

Dear Colin and Dmitry,

I agree with both changes (one about "S" instead of "s" in the inequality,
the other about R' instead of R to keep the same notation as in 5.1.6)
proposed by Dmitry.

Regards,
Stanislav

On Tue, 28 Jul 2020 at 00:52, Colin Perkins <csp@csperkins.org> wrote:

> Thanks, Dmitry.
>
> Can someone else in the RG double-check to confirm? Once that’s done, I
> can work with the RFC Editor to get the correct fix recorded.
>
> Colin
>
>
>
> On 23 Jul 2020, at 13:43, Dmitry Khovratovich <khovratovich@gmail.com>
> wrote:
>
> It seems there is another typo in 5.1.7, as the public key and its encoding
> are confused:
>
> Decode the first half as a
>        point R, and the second half as an integer S, in the range
>        0 <= s < L.  Decode the public key A as point A'.  If any of the
>        decodings fail (including S being out of range), the signature is
>        invalid.
>
>    2.  Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the
>        64-octet digest as a little-endian integer k.
>
>    3.  Check the group equation [8][S]B = [8]R + [8][k]A'.  It's
>        sufficient, but not required, to instead check [S]B = R + [k]A'.
>
>
>
> Should be
>
>
> Decode the first half R as a
>        point R`, and the second half as an integer S, in the range
>        0 <= S < L.  Decode the public key A as point A'.  If any of the
>        decodings fail (including S being out of range), the signature is
>        invalid.
>
>    2.  Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the
>        64-octet digest as a little-endian integer k.
>
>    3.  Check the group equation [8][S]B = [8]R` + [8][k]A'.  It's
>        sufficient, but not required, to instead check [S]B = R` + [k]A'.
>
>
> Dmitry Khovratovich
>
>
> On Tue, Apr 9, 2019 at 6:32 PM RFC Errata System <
> rfc-editor@rfc-editor.org> wrote:
>
>> The following errata report has been verified for RFC8032,
>> "Edwards-Curve Digital Signature Algorithm (EdDSA)".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata/eid5519
>>
>> --------------------------------------
>> Status: Verified
>> Type: Editorial
>>
>> Reported by: Susumu Endoh <sus-e@ubiquitous-ai.com>
>> Date Reported: 2018-10-10
>> Verified by: Colin Perkins (IRSG)
>>
>> Section: 5.1.7
>>
>> Original Text
>> -------------
>> Decode the first half as a point R, and the second half as an integer S,
>> in the range 0 <= s < L.
>>
>>
>> Corrected Text
>> --------------
>> Decode the first half as a point R, and the second half as an integer S,
>> in the range 0 <= S < L.
>>
>>
>> Notes
>> -----
>> Original document expression is ' 0 <= s < L', but it must be '0 <= S <
>> L'. Upper/lower case problem.
>>
>> --------------------------------------
>> RFC8032 (draft-irtf-cfrg-eddsa-08)
>> --------------------------------------
>> Title               : Edwards-Curve Digital Signature Algorithm (EdDSA)
>> Publication Date    : January 2017
>> Author(s)           : S. Josefsson, I. Liusvaara
>> Category            : INFORMATIONAL
>> Source              : Crypto Forum Research Group
>> Area                : N/A
>> Stream              : IRTF
>> Verifying Party     : IRSG
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
>
>
> --
> Best regards,
> Dmitry Khovratovich
>
>
>
>
> --
> Colin Perkins
> https://csperkins.org/
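The verification procedure quoted in the thread (RFC 8032 Section 5.1.7), carried out in code. This is an added example, not part of this thread and not the RFC's own reference code, although it follows the structure of the RFC's Section 6 Python and is checked against the RFC's Section 7.1 test vector 1. It uses the notation Dmitry proposes: `R` is the 32-octet encoding in the signature, `R_prime` the point it decodes to, and the step-2 hash runs over the encodings R and A, not the decoded points. The range check `0 <= S < L` from the erratum is made explicit, and `s_plus_order` shows what that check rejects: the same `R` with `S + L` in place of `S`, which would otherwise satisfy the group equation because B has order L. The `check_s_range` switch is an assumption of this example and not an RFC option; it exists only to show that contrast. The function names (`point_add`, `point_mul`, `recover_x`, `point_decompress`, `verify`, `s_plus_order`) are this example's own.

```python
import hashlib

# edwards25519 parameters (RFC 8032 Section 5.1): B is the base point, L its order.
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, -1, p) % p
SQRT_M1 = pow(2, (p - 1) // 4, p)   # a square root of -1 in GF(p)
NEUTRAL = (0, 1, 1, 0)              # extended coordinates (X, Y, Z, T): x = X/Z, y = Y/Z, xy = T/Z

def sha512(data):
    return hashlib.sha512(data).digest()

def point_add(P, Q):
    a = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    b = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    c = 2 * P[3] * Q[3] * d % p
    e = 2 * P[2] * Q[2] % p
    f, g, h, i = b - a, e - c, e + c, b + a
    return (f * g % p, h * i % p, g * h % p, f * i % p)

def point_mul(s, P):
    Q = NEUTRAL                     # [s]P by double-and-add; verification needs no constant time
    while s > 0:
        if s & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        s >>= 1
    return Q

def point_equal(P, Q):
    # Projective comparison: X1/Z1 == X2/Z2 and Y1/Z1 == Y2/Z2.
    return ((P[0] * Q[2] - Q[0] * P[2]) % p == 0 and
            (P[1] * Q[2] - Q[1] * P[2]) % p == 0)

def recover_x(y, sign):
    # x for the given y and sign bit (Section 5.1.3), or None when no such point exists.
    if y >= p:
        return None
    x2 = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    if x2 == 0:
        return None if sign else 0
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p != 0:
        x = x * SQRT_M1 % p
    if (x * x - x2) % p != 0:
        return None
    return p - x if (x & 1) != sign else x

B_y = 4 * pow(5, -1, p) % p
B_x = recover_x(B_y, 0)
B = (B_x, B_y, 1, B_x * B_y % p)

def point_decompress(s):
    # 32-octet encoding -> point, or None if decoding fails.
    if len(s) != 32:
        return None
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x = recover_x(y, sign)
    return None if x is None else (x, y, 1, x * y % p)

def verify(public, msg, signature, check_s_range=True):
    """Section 5.1.7 in Dmitry's notation: R is the 32-octet encoding, R' the decoded point.
    check_s_range=False is NOT in the RFC; it exists only to show what the range check rejects."""
    if len(public) != 32 or len(signature) != 64:
        return False
    R = signature[:32]
    R_prime, A_prime = point_decompress(R), point_decompress(public)
    if R_prime is None or A_prime is None:
        return False                # step 1: a decoding failed
    S = int.from_bytes(signature[32:], "little")
    if check_s_range and not 0 <= S < L:
        return False                # step 1: S out of range (the '0 <= S < L' of the erratum)
    # Step 2: k = SHA512(dom2(F, C) || R || A || PH(M)); for Ed25519 dom2 is empty and PH the
    # identity, and the hash runs over the encodings R and A. k is reduced mod L, as the RFC's
    # Section 6 reference code does.
    k = int.from_bytes(sha512(R + public + msg), "little") % L
    # Step 3: the cofactorless check [S]B = R' + [k]A' that the RFC says is sufficient.
    return point_equal(point_mul(S, B), point_add(R_prime, point_mul(k, A_prime)))

def s_plus_order(signature):
    # Same R, S replaced by S + L: the second encoding of S that the range check exists to reject.
    S = int.from_bytes(signature[32:], "little")
    return signature[:32] + (S + L).to_bytes(32, "little")

# RFC 8032 Section 7.1, Ed25519 test vector 1 (empty message).
PUBLIC_KEY = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
MESSAGE = b""
SIGNATURE = bytes.fromhex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
                          "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")

if __name__ == "__main__":
    print("test vector 1:", verify(PUBLIC_KEY, MESSAGE, SIGNATURE))                            # True
    print("S + L, range check on:", verify(PUBLIC_KEY, MESSAGE, s_plus_order(SIGNATURE)))        # False
    print("S + L, range check off:", verify(PUBLIC_KEY, MESSAGE, s_plus_order(SIGNATURE), False))  # True
```

Run directly, it prints the three results. The third line is the reason the decode step treats an out-of-range S as a decoding failure rather than a value to reduce: without the check, two distinct byte strings verify as signatures on the same message under the same key, which is the malleability RFC 8032 Section 8.4 discusses.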