Re: [openpgp] patch for EdDSA key packet formats
NIIBE Yutaka <gniibe@fsij.org> Tue, 14 February 2017 11:30 UTC
Return-Path: <gniibe@fsij.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 475D81295D5 for <openpgp@ietfa.amsl.com>; Tue, 14 Feb 2017 03:30:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fsij.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TCe4pj83kyfi for <openpgp@ietfa.amsl.com>; Tue, 14 Feb 2017 03:30:31 -0800 (PST)
Received: from akagi.fsij.org (akagi.fsij.org [IPv6:2001:4b98:dc0:41:216:3eff:fe1a:6542]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23589129581 for <openpgp@ietf.org>; Tue, 14 Feb 2017 03:30:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=fsij.org; s=main; h=Content-Type:MIME-Version:Message-ID:Date:References:In-Reply-To:Subject:To:From; bh=SBIdhcpDW6jz3fnJxinvmN6o69dlN2Tcb4fycSmo5LQ=; b=sO0fjBMRzOCgUiNW/4Adam3MKMrQyo0G1zKPLOEB7BJOekbPoDAxNA1cFR1meKjnqlwslO5NaMe5oQ6l5cMpZY6TFAj/y+xltb/g7s+rqX4QrMlr908NplTRxTehB1oZxtMBa7knnXokd4rqPn5txuXzVRHXWUiPlVVhGaczw2E8PinUNYG02MqYVNE53KL23QA7/OO4RRfyraQ7obA/HdOSc5V6fVTikofmipwKTXkw7esVVfrZ4tBS/KlWvwrfHpbQPPh7GD7PcRn0U/mrFcA6/HfCNVpZZrIElkbIRzIj55iNnNRPfVtpSd0ntz/Rf2SFobz8qHJAK/CGeL0yqg==;
Received: from z244078.dynamic.ppp.asahi-net.or.jp ([110.4.244.78] helo=c720.gniibe.org) by akagi.fsij.org with esmtpsa (TLS1.0:RSA_AES_256_CBC_SHA1:256) (Exim 4.84_2) (envelope-from <gniibe@fsij.org>) id 1cdbJU-0008Gl-OE; Tue, 14 Feb 2017 12:30:30 +0100
Received: by c720.gniibe.org (sSMTP sendmail emulation); Tue, 14 Feb 2017 20:30:19 +0900
From: NIIBE Yutaka <gniibe@fsij.org>
To: Taylor R Campbell <campbell+ietf-openpgp@mumble.net>, openpgp@ietf.org
In-Reply-To: <20170111143703.593E6603C5@jupiter.mumble.net>
References: <20170111143703.593E6603C5@jupiter.mumble.net>
Date: Tue, 14 Feb 2017 20:30:19 +0900
Message-ID: <87y3x9yppw.fsf@fsij.org>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/-MWyjM0WuyPyCEpQ20uNUbVyjlY>
Subject: Re: [openpgp] patch for EdDSA key packet formats
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2017 11:30:33 -0000
Hello, Taylor R Campbell <campbell+ietf-openpgp@mumble.net> wrote: > The current text describing the EdDSA secret key packet format is > wrong (it is not used as a scalar at all), and the text describing the > public key packet format is confusing (can't find the notation Q > anywhere, and it matches neither the EdDSA papers nor the CFRG EdDSA > draft). I agree these points. But, I'm not sure the fixes in the patch are good enough. In the patch: > From: Taylor R Campbell <campbell+ietf-openpgp@mumble.net> > Date: Wed, 11 Jan 2017 14:21:13 +0000 > Subject: [PATCH] Fix EdDSA secret key packet format with reference to CFRG > notation. > > What is stored is *not* a scalar; it is a b-bit secret input to a > 2b-bit hash function that expands it into > > (a) the b-bit secret scalar a, giving the public key A = a B, where B > is the standard base point; and > (b) the b-bit nonce PRF key. > > While here, clarify EdDSA public key packet format with reference to > CFRG notation too. I agree these are correct and reference to CFRG notation is good. Well, Simon's is now RFC8032: https://datatracker.ietf.org/doc/rfc8032/ Here are my comments for the fixes. > diff --git a/middle.mkd b/middle.mkd > index 5182c7d..905bde1 100644 > --- a/middle.mkd > +++ b/middle.mkd > @@ -1936,8 +1936,9 @@ A version 4 packet contains: > - the octets representing a curve OID, defined in > section NN{FIXME}; > > - - a MPI of an EC point representing a public key Q as described > - under EdDSA Point Format below. > + - a MPI, encoded as described under EdDSA Point Format, of an EC > + point A, in the notation of [](#I-D.irtf-cfrg-eddsa), > + Section 3.2 "Keys". I think that the expression "an EC point A" would not be good. In RFC 8032, Section 3.1 "Encoding" explains about ENC(), the little-endian encoding, and Section 3.2 "Keys" says: The EdDSA public key is ENC(A). ... where A is an EC point. We put the prefix 0x40 to ENC(A), it is not entirely same of the notation of Section 3.2 "Keys". Sorry, as I am not good in English, I don't have my own proposal. > Algorithm-Specific Fields for ECDH keys: > > @@ -2034,8 +2035,8 @@ The packet contains: > > Algorithm-Specific Fields for EdDSA keys: > > - - MPI of an integer representing the secret key, which is a > - scalar of the public EC point. > + - an opaque octet string k, in the notation of > + [](#I-D.irtf-cfrg-eddsa), Section 3.2 "Keys". Right. It's not a scalar of the public EC point. It is the one which generates the scalar. In my opinion, "MPI of an integer representing the secret key" is not wrong. --
- [openpgp] patch for EdDSA key packet formats Taylor R Campbell
- Re: [openpgp] patch for EdDSA key packet formats NIIBE Yutaka
- Re: [openpgp] patch for EdDSA key packet formats Taylor R Campbell
- Re: [openpgp] patch for EdDSA key packet formats NIIBE Yutaka