Re: [CFRG] [Technical Errata Reported] RFC7748 (7824)

Mike Hamburg <mike@shiftleft.org> Tue, 27 February 2024 17:17 UTC

From: Mike Hamburg <mike@shiftleft.org>
In-Reply-To: <20240227115008.9C10C1F8D6E0@rfcpa.amsl.com>
Date: Tue, 27 Feb 2024 18:16:44 +0100
Cc: agl@google.com, sean@sn3rd.com, Internet Research Steering Group <irsg@irtf.org>, cfrg@irtf.org, jamador@jtsec.es
To: RFC Errata System <rfc-editor@rfc-editor.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/cAYh2Mj29xDEEbNAENbJynhksQk>
Subject: Re: [CFRG] [Technical Errata Reported] RFC7748 (7824)

Hi all,

I’m not sure whether replying here is the right way to respond to this, but this choice was intentional.  Like the X25519 function, the X448 function is specified in such a way that it works for u-coordinates of points on the Curve448 Montgomery curve, and also for u-coordinates of points on its quadratic twist, and indeed it does not even check which set the input is in.  Curve448 was chosen with its twist’s order also 4*prime, so that operating on the twist is also secure.

Because the X448 function is defined for both sets of u-coordinates, it’s important to have test vectors for both.  Perhaps the test vectors should include more information, for whether they are on the curve or the twist?

Cheers,
— Mike

> On Feb 27, 2024, at 12:50 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> 
> The following errata report has been submitted for RFC7748,
> "Elliptic Curves for Security".
> 
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7824
> 
> --------------------------------------
> Type: Technical
> Reported by: Jose Luis Amador Moreno <jamador@jtsec.es>
> 
> Section: 5.2
> 
> Original Text
> -------------
>   Input scalar:
>     203d494428b8399352665ddca42f9de8fef600908e0d461cb021f8c5
>     38345dd77c3e4806e25f46d3315c44e0a5b4371282dd2c8d5be3095f
>   Input scalar as a number (base 10):
>     633254335906970592779259481534862372382525155
>     252028961056404001332122152890562527156973881
>     968934311400345568203929409663925541994577184
>   Input u-coordinate:
>     0fbcc2f993cd56d3305b0b7d9e55d4c1a8fb5dbb52f8e9a1e9b6201b
>     165d015894e56c4d3570bee52fe205e28a78b91cdfbde71ce8d157db
>   Input u-coordinate as a number (base 10):
>     622761797758325444462922068431234180649590390
>     024811299761625153767228042600197997696167956
>     134770744996690267634159427999832340166786063
>   Output u-coordinate:
>     884a02576239ff7a2f2f63b2db6a9ff37047ac13568e1e30fe63c4a7
>     ad1b3ee3a5700df34321d62077e63633c575c1c954514e99da7c179d
> 
> Corrected Text
> --------------
>   Input scalar:
>     203d494428b8399352665ddca42f9de8fef600908e0d461cb021f8c5
>     38345dd77c3e4806e25f46d3315c44e0a5b4371282dd2c8d5be3095f
>   Input scalar as a number (base 10):
>     633254335906970592779259481534862372382525155
>     252028961056404001332122152890562527156973881
>     968934311400345568203929409663925541994577184
>   Input u-coordinate:
>     1e37b1e6368991ebce5815bf6b567cedfec0d32246815a6707f02c4a
>     61247656f5df569f02613cc5bcedf7a924424ff063c9c0aff5b395ae
>   Input u-coordinate as a number (base 10):
>     495683502945530038677307449626580741146441879
>     406119444019011021926629134928724388368946852
>     962833749157931574628774133988199037473470238
>   Output u-coordinate:
>     d34142faca68f7a3ddf805fa39cc706d5ab3f5633ceff5e6462b775d
>     ef45f33083461dcf821cc3f0f74a813277e6895a35d958feef79a5bf
> 
> Notes
> -----
> Regarding Section 5.2, X448, second vector, the given input u-coordinate is not part of a valid point on the Montgomery form of Curve448.
> 
> I suggest replacing the point with a valid one: (2^447 + 100)*G
> 
> See the SageMath code (permalink): https://web.archive.org/web/20240227114733/https://pastebin.com/yAuzvEJG
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". (If it is spam, it 
> will be removed shortly by the RFC Production Center.) Please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party  
> will log in to change the status and edit the report, if necessary.
> 
> --------------------------------------
> RFC7748 (draft-irtf-cfrg-curves-11)
> --------------------------------------
> Title               : Elliptic Curves for Security
> Publication Date    : January 2016
> Author(s)           : A. Langley, M. Hamburg, S. Turner
> Category            : INFORMATIONAL
> Source              : Crypto Forum Research Group
> Area                : N/A
> Stream              : IRTF
> Verifying Party     : IRSG
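The property Mike describes above, that X448 as specified never evaluates whether its input u-coordinate belongs to Curve448 or to its quadratic twist, can be checked directly. The following is an added example written for this page; it is neither the RFC's reference code nor anything posted in the thread. It implements the RFC 7748 decoding and Montgomery ladder in plain Python, classifies a u-coordinate as "curve" or "twist" by Euler's criterion on u^3 + A*u^2 + u (a square means a v exists on Curve448; a non-square means the point lives on the twist), and runs both the RFC's second X448 vector and the reporter's proposed replacement, with all hex and decimal values copied from the erratum text above. Python integers are not constant time, so this is a vector checker, not production code.

```python
"""Added example: RFC 7748 X448 plus a curve-vs-twist classifier for u."""

P = 2**448 - 2**224 - 1   # Curve448 field prime
A = 156326                # Montgomery form: v^2 = u^3 + A*u^2 + u
A24 = (A - 2) // 4        # 39081, the a24 constant used by the RFC ladder


def decode_scalar448(b: bytes) -> int:
    """decodeScalar448: little-endian, clear low two bits, set bit 447."""
    k = bytearray(b)
    k[0] &= 252
    k[55] |= 128
    return int.from_bytes(bytes(k), "little")


def decode_u448(b: bytes) -> int:
    """decodeUCoordinate for X448: little-endian, no mask, reduced mod p."""
    return int.from_bytes(b, "little") % P


def cswap(swap: int, x: int, y: int):
    """Conditional swap in the mask-arithmetic shape the RFC specifies."""
    dummy = (-swap) & (x ^ y)
    return x ^ dummy, y ^ dummy


def x448_ladder(k: int, u: int) -> int:
    """The ladder from RFC 7748 section 5. Note that nothing here tests
    whether u is on Curve448 or on its twist; the arithmetic is the same."""
    x_1, x_2, z_2, x_3, z_3, swap = u, 1, 0, u, 1, 0
    for t in range(447, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = cswap(swap, x_2, x_3)
        z_2, z_3 = cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = (da + cb) ** 2 % P
        z_3 = x_1 * (da - cb) ** 2 % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = cswap(swap, x_2, x_3)
    z_2, z_3 = cswap(swap, z_2, z_3)
    return x_2 * pow(z_2, P - 2, P) % P


def x448(scalar: bytes, u: bytes) -> bytes:
    return x448_ladder(decode_scalar448(scalar), decode_u448(u)).to_bytes(56, "little")


def curve_or_twist(u: int) -> str:
    """'curve' if u^3 + A*u^2 + u is a square mod p, 'twist' if not,
    'both' for u = 0 (the order-2 point shared by curve and twist)."""
    rhs = (u * u * u + A * u * u + u) % P
    if rhs == 0:
        return "both"
    return "curve" if pow(rhs, (P - 1) // 2, P) == 1 else "twist"


# Values copied from the erratum text: RFC 7748 section 5.2, second X448
# vector, and the reporter's proposed replacement u / output.
RFC_SCALAR = bytes.fromhex(
    "203d494428b8399352665ddca42f9de8fef600908e0d461cb021f8c5"
    "38345dd77c3e4806e25f46d3315c44e0a5b4371282dd2c8d5be3095f")
RFC_SCALAR_DEC = int("633254335906970592779259481534862372382525155"
                     "252028961056404001332122152890562527156973881"
                     "968934311400345568203929409663925541994577184")
RFC_U = bytes.fromhex(
    "0fbcc2f993cd56d3305b0b7d9e55d4c1a8fb5dbb52f8e9a1e9b6201b"
    "165d015894e56c4d3570bee52fe205e28a78b91cdfbde71ce8d157db")
RFC_U_DEC = int("622761797758325444462922068431234180649590390"
                "024811299761625153767228042600197997696167956"
                "134770744996690267634159427999832340166786063")
RFC_OUT = bytes.fromhex(
    "884a02576239ff7a2f2f63b2db6a9ff37047ac13568e1e30fe63c4a7"
    "ad1b3ee3a5700df34321d62077e63633c575c1c954514e99da7c179d")
ERRATUM_U = bytes.fromhex(
    "1e37b1e6368991ebce5815bf6b567cedfec0d32246815a6707f02c4a"
    "61247656f5df569f02613cc5bcedf7a924424ff063c9c0aff5b395ae")
ERRATUM_U_DEC = int("495683502945530038677307449626580741146441879"
                    "406119444019011021926629134928724388368946852"
                    "962833749157931574628774133988199037473470238")
ERRATUM_OUT = bytes.fromhex(
    "d34142faca68f7a3ddf805fa39cc706d5ab3f5633ceff5e6462b775d"
    "ef45f33083461dcf821cc3f0f74a813277e6895a35d958feef79a5bf")


def check_vector(scalar: bytes, u: bytes, expected: bytes) -> dict:
    """Run X448 and report which set the input and output u lie in."""
    out = x448(scalar, u)
    return {"input_set": curve_or_twist(decode_u448(u)),
            "output_set": curve_or_twist(decode_u448(out)),
            "matches": out == expected}


if __name__ == "__main__":
    print("RFC vector:    ", check_vector(RFC_SCALAR, RFC_U, RFC_OUT))
    print("erratum vector:", check_vector(RFC_SCALAR, ERRATUM_U, ERRATUM_OUT))
```

Running it shows the RFC's input u classified as "twist", the computed output matching the RFC's stated output and also lying on the twist (scalar multiplication never leaves the set the input came from), and the reporter's replacement u classified as "curve". The decimal "as a number" values in the RFC are the post-clamp scalar and the raw little-endian u, which the decoding functions reproduce. The reporter's proposed output is recomputed rather than trusted; the script reports whether it matches.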