Re: [Cfrg] [Errata Verified] RFC8032 (5519)

Dmitry Khovratovich <khovratovich@gmail.com> Thu, 23 July 2020 12:43 UTC

From: Dmitry Khovratovich <khovratovich@gmail.com>
Date: Thu, 23 Jul 2020 14:43:39 +0200
Message-ID: <CALW8-7LhKhH7tabJFhU+=cWcOeadbPj4JLPkuf3jgWhk-3kBEw@mail.gmail.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: sus-e@ubiquitous-ai.com, Simon Josefsson <simon@josefsson.org>, ilariliusvaara@welho.com, cfrg@irtf.org, irsg@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/FiaHYf2Sld23ZbGepbTAs1yH9n8>

It seems there is another typo in 5.1.7, as the public key and its encoding are
confused:

       Decode the first half as a
       point R, and the second half as an integer S, in the range
       0 <= s < L.  Decode the public key A as point A'.  If any of the
       decodings fail (including S being out of range), the signature is
       invalid.

   2.  Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the
       64-octet digest as a little-endian integer k.

   3.  Check the group equation [8][S]B = [8]R + [8][k]A'.  It's
       sufficient, but not required, to instead check [S]B = R + [k]A'.

Should be

       Decode the first half R as a
       point R`, and the second half as an integer S, in the range
       0 <= S < L.  Decode the public key A as point A'.  If any of the
       decodings fail (including S being out of range), the signature is
       invalid.

   2.  Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the
       64-octet digest as a little-endian integer k.

   3.  Check the group equation [8][S]B = [8]R` + [8][k]A'.  It's
       sufficient, but not required, to instead check [S]B = R` + [k]A'.


Dmitry Khovratovich


On Tue, Apr 9, 2019 at 6:32 PM RFC Errata System <rfc-editor@rfc-editor.org>
wrote:

> The following errata report has been verified for RFC8032,
> "Edwards-Curve Digital Signature Algorithm (EdDSA)".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata/eid5519
>
> --------------------------------------
> Status: Verified
> Type: Editorial
>
> Reported by: Susumu Endoh <sus-e@ubiquitous-ai.com>
> Date Reported: 2018-10-10
> Verified by: Colin Perkins (IRSG)
>
> Section: 5.1.7
>
> Original Text
> -------------
> Decode the first half as a point R, and the second half as an integer S,
> in the range 0 <= s < L.
>
>
> Corrected Text
> --------------
> Decode the first half as a point R, and the second half as an integer S,
> in the range 0 <= S < L.
>
>
> Notes
> -----
> original document expression is ' 0 <= s < L', but it must be '0 <= S <
> L'. upper/lower case problem.
>
> --------------------------------------
> RFC8032 (draft-irtf-cfrg-eddsa-08)
> --------------------------------------
> Title               : Edwards-Curve Digital Signature Algorithm (EdDSA)
> Publication Date    : January 2017
> Author(s)           : S. Josefsson, I. Liusvaara
> Category            : INFORMATIONAL
> Source              : Crypto Forum Research Group
> Area                : N/A
> Stream              : IRTF
> Verifying Party     : IRSG
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>


-- 
Best regards,
Dmitry Khovratovich