IETF Logo Mail Archive

Re: [openpgp] patch for EdDSA key packet formats

NIIBE Yutaka <gniibe@fsij.org> Tue, 14 February 2017 11:30 UTC

Return-Path: <gniibe@fsij.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 475D81295D5 for <openpgp@ietfa.amsl.com>; Tue, 14 Feb 2017 03:30:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fsij.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TCe4pj83kyfi for <openpgp@ietfa.amsl.com>; Tue, 14 Feb 2017 03:30:31 -0800 (PST)
Received: from akagi.fsij.org (akagi.fsij.org [IPv6:2001:4b98:dc0:41:216:3eff:fe1a:6542]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23589129581 for <openpgp@ietf.org>; Tue, 14 Feb 2017 03:30:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=fsij.org; s=main; h=Content-Type:MIME-Version:Message-ID:Date:References:In-Reply-To:Subject:To:From; bh=SBIdhcpDW6jz3fnJxinvmN6o69dlN2Tcb4fycSmo5LQ=; b=sO0fjBMRzOCgUiNW/4Adam3MKMrQyo0G1zKPLOEB7BJOekbPoDAxNA1cFR1meKjnqlwslO5NaMe5oQ6l5cMpZY6TFAj/y+xltb/g7s+rqX4QrMlr908NplTRxTehB1oZxtMBa7knnXokd4rqPn5txuXzVRHXWUiPlVVhGaczw2E8PinUNYG02MqYVNE53KL23QA7/OO4RRfyraQ7obA/HdOSc5V6fVTikofmipwKTXkw7esVVfrZ4tBS/KlWvwrfHpbQPPh7GD7PcRn0U/mrFcA6/HfCNVpZZrIElkbIRzIj55iNnNRPfVtpSd0ntz/Rf2SFobz8qHJAK/CGeL0yqg==;
Received: from z244078.dynamic.ppp.asahi-net.or.jp ([110.4.244.78] helo=c720.gniibe.org) by akagi.fsij.org with esmtpsa (TLS1.0:RSA_AES_256_CBC_SHA1:256) (Exim 4.84_2) (envelope-from <gniibe@fsij.org>) id 1cdbJU-0008Gl-OE; Tue, 14 Feb 2017 12:30:30 +0100
Received: by c720.gniibe.org (sSMTP sendmail emulation); Tue, 14 Feb 2017 20:30:19 +0900
From: NIIBE Yutaka <gniibe@fsij.org>
To: Taylor R Campbell <campbell+ietf-openpgp@mumble.net>, openpgp@ietf.org
In-Reply-To: <20170111143703.593E6603C5@jupiter.mumble.net>
References: <20170111143703.593E6603C5@jupiter.mumble.net>
Date: Tue, 14 Feb 2017 20:30:19 +0900
Message-ID: <87y3x9yppw.fsf@fsij.org>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/-MWyjM0WuyPyCEpQ20uNUbVyjlY>
Subject: Re: [openpgp] patch for EdDSA key packet formats
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2017 11:30:33 -0000

Hello,

Taylor R Campbell <campbell+ietf-openpgp@mumble.net> wrote:
> The current text describing the EdDSA secret key packet format is
> wrong (it is not used as a scalar at all), and the text describing the
> public key packet format is confusing (can't find the notation Q
> anywhere, and it matches neither the EdDSA papers nor the CFRG EdDSA
> draft).

I agree these points.

But, I'm not sure the fixes in the patch are good enough.

In the patch:
> From: Taylor R Campbell <campbell+ietf-openpgp@mumble.net>
> Date: Wed, 11 Jan 2017 14:21:13 +0000
> Subject: [PATCH] Fix EdDSA secret key packet format with reference to CFRG
>  notation.
>
> What is stored is *not* a scalar; it is a b-bit secret input to a
> 2b-bit hash function that expands it into
>
> (a) the b-bit secret scalar a, giving the public key A = a B, where B
> is the standard base point; and
> (b) the b-bit nonce PRF key.
>
> While here, clarify EdDSA public key packet format with reference to
> CFRG notation too.

I agree these are correct and reference to CFRG notation is good.

Well, Simon's is now RFC8032: 
    https://datatracker.ietf.org/doc/rfc8032/

Here are my comments for the fixes.

> diff --git a/middle.mkd b/middle.mkd
> index 5182c7d..905bde1 100644
> --- a/middle.mkd
> +++ b/middle.mkd
> @@ -1936,8 +1936,9 @@ A version 4 packet contains:
>             - the octets representing a curve OID, defined in
>               section NN{FIXME};
>  
> -      - a MPI of an EC point representing a public key Q as described
> -        under EdDSA Point Format below.
> +      - a MPI, encoded as described under EdDSA Point Format, of an EC
> +        point A, in the notation of [](#I-D.irtf-cfrg-eddsa),
> +        Section 3.2 "Keys".

I think that the expression "an EC point A" would not be good.  In RFC
8032, Section 3.1 "Encoding" explains about ENC(), the little-endian
encoding, and Section 3.2 "Keys" says:

	The EdDSA public key is ENC(A).

... where A is an EC point.

We put the prefix 0x40 to ENC(A), it is not entirely same of
the notation of Section 3.2 "Keys".

Sorry, as I am not good in English, I don't have my own proposal.

>      Algorithm-Specific Fields for ECDH keys:
>  
> @@ -2034,8 +2035,8 @@ The packet contains:
>  
>      Algorithm-Specific Fields for EdDSA keys:
>  
> -      - MPI of an integer representing the secret key, which is a
> -        scalar of the public EC point.
> +      - an opaque octet string k, in the notation of
> +        [](#I-D.irtf-cfrg-eddsa), Section 3.2 "Keys".

Right.  It's not a scalar of the public EC point.  It is the one
which generates the scalar.

In my opinion, "MPI of an integer representing the secret key" is not
wrong.
--

v2.23.0 | Report a Bug | By Email