IETF Logo Mail Archive

Re: [openpgp] Algorithm-specific data: problems with Simple Octet Strings, and possible alternatives

Niibe Yutaka <gniibe@fsij.org> Mon, 29 March 2021 07:52 UTC

Return-Path: <gniibe@fsij.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50AB43A341E for <openpgp@ietfa.amsl.com>; Mon, 29 Mar 2021 00:52:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fsij.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TJiNXvhnPEnJ for <openpgp@ietfa.amsl.com>; Mon, 29 Mar 2021 00:52:38 -0700 (PDT)
Received: from akagi.fsij.org (akagi.fsij.org [217.70.189.144]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C3A33A341D for <openpgp@ietf.org>; Mon, 29 Mar 2021 00:52:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=fsij.org; s=main; h=Content-Type:MIME-Version:Message-ID:Date:In-reply-to:Subject:Cc: To:From:References:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=DuhURwJlJgN0AKrcWRcdaA+djeRs/ySHGxo70zAGh+M=; b=VCFPPOMzfbn/uF3z/cFp43qVsG pxq/AvihzRWVctzh+S2uULO7z7r50ZXhGRmGBeLSlE+68nTRGRJdUgV12e4YB9K9BKwdJrrozW146 u317VGF9ceXluoscUNkGvoz2MjXre5gV/gps54AW9tvGWxOaK0iy9MaIXSxDz+pByleI7nr4Y0JCS xSuYqxpf6zTWb9KZQcaugrarxMGd/W8cSGK+M6fOfCTtIybX1LO4LJSVtjdXH8/PZDoaoqk9lVJVV 1iiSecjJIkizncLvlnj0m/eLuwTurgzdqd6M7paxAZqRKwtTmQKm3BuPOPpRBAtv4jmdmgHKwO/RW LQkLx3fw==;
Received: from i201193.dynamic.ppp.asahi-net.or.jp ([61.125.201.193] helo=localhost) by akagi.fsij.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <gniibe@fsij.org>) id 1lQmhH-0008An-Bg; Mon, 29 Mar 2021 09:52:28 +0200
References: <87eeg42gti.fsf@fifthhorseman.net> <87im5ebfgf.fsf@iwagami.gniibe.org>
User-agent: mu4e 1.0; emacs 27.1
From: Niibe Yutaka <gniibe@fsij.org>
To: openpgp@ietf.org
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
In-reply-to: <87im5ebfgf.fsf@iwagami.gniibe.org>
Autocrypt: addr=gniibe@fsij.org; prefer-encrypt=mutual; keydata= mDMEVcrxeBYJKwYBBAHaRw8BAQdAnMfaPVY4ldwFJr18e9ADT+T0M9U9GC4K800CrtT2QXe0Hk5J SUJFIFl1dGFrYSA8Z25paWJlQGZzaWoub3JnPoh8BBMWCAAkAhsDBQsJCAcCBhUICQoLAgQWAgMB Ah4BAheABQJVzIzWAhkBAAoJEOJnsFI2TwKNJUIA/0oRcUoOhkVi/rdewnuALVWcnTuUvPexVQh+ CfHgvEP1AQDQX/cPFSaydSNTzsxPBYoa/pgfF8dFKVVlnJIwy07PBbg4BFXK8XgSCisGAQQBl1UB BQEBB0BDF4eWFoYKSDGvt26As8ASzh75ZkjRqs70cxQiJAp7QAMBCAeIYQQYFggACQUCVcrxeAIb DAAKCRDiZ7BSNk8CjfVqAP9NFD+rTePZAVyWmOfzko7Y2yTGLwlqMTEuVVnEHoI6jAD9Ezv6ojRl z/47hOw32N2L2zDiE/dxT5CCm3ZVxST8GgK4MwRVyvK+FgkrBgEEAdpHDwEBB0DsZ495muN9/vr8 IJ7sVPe4n3w6jER3bIKv7tkHWPQXTIhhBBgWCAAJBQJVyvK+AhsgAAoJEOJnsFI2TwKNNhsA/2GW iUDVSAoM1SDUFLutSsM4/kJMlIhtVWy2u0svQxN5AP0VHPGkBv84mnlqxHAQa4y3lWku2ZgR5aN+ vuR5JjyUCw==
Date: Mon, 29 Mar 2021 16:52:23 +0900
Message-ID: <87r1jypfbc.fsf@jumper.gniibe.org>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/DG3RrKvRzepwBmXu8qZfQpO6OoQ>
Subject: Re: [openpgp] Algorithm-specific data: problems with Simple Octet Strings, and possible alternatives
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Mar 2021 07:52:43 -0000

NIIBE Yutaka wrote:
> Sorry, I was not able to describe SOS accurately, in detail.

So, I write this.  It is also available at:
https://www.gniibe.org/memo/standard/openpgp/sos-in-openpgp.html

==========================

SOS is a suggestion to OpenPGP implementations to address the zero
removal/recovery problem.  I know that implementations already handle
it by adding zero recovary for Ed25519.  For new curves, it's good if
we won't need to support zero recovary again.


SOS in practice
===============

Referring the definition of SOS (in the previous article), it is defined as:

    An SOS consists of two pieces: a two-octet scalar that is the length
    of the SOS in bits followed by an opaque string of octets.

The important point here is: There are multiple interpretations of
"the length of the SOS in bits".

This means that canonicalizing SOS representation is not defined by
the SOS handling itself.


Reading SOS representation
--------------------------

When parsing octet sequence in SOS representation, an implementation
expects a two-octet scaler and then an opaque string of octets with
the following length in octets:

    ("the length of the SOS in bits" + 7) / 8

Then, it does **not** check representation in bits.

Thus, when reading, the SOS [00 02 01] is considered formed correctly.
So are [00 08 01], and [00 08 00].


Writing SOS representation
--------------------------

When writing an octet string into SOS representation, an
implementation does following steps:

* 1: Examine the first octet in the octet string.

* 2: NBITS = 8 * length_of_string_in_octets

  * 2-1: If the first octet is zero, then no change of NBITS.

  * 2-2: If it's not zero, examine the bit-representation of it, to
         tweak NBITS = NBITS - number_of_leading_0_bits.

* 3: Output the scalar to represent NBITS, then the octet string.

Note that it does **never** remove anything from an octet string.


Impact to OpenPGP implementations
=================================

If it will be agreed, implementations will have to support non-zero
removal representations in Ed25519 signature and secret.


My conclusion (Manga practice requires conclusion, but I don't insist)
=======================================================================

SOS asks a clarification of Ed25519 signature and secret, and adding
support of non-zero removal to implementations.

In return, it will be easier to add support of new curves in a cleaner
way, with no need to support zero-recovery.

Note that it's not best for new curves, when assigning algo number to
specification is possible.  Use of SOS means that adding a two-octet
scalar to represent an octet string (in each use), which might not be
needed if the length information is determined by the context easily.



Post Script
===========

I don't like zero-removal or any removal by some internal processing.

I remember that for the song `S.O.S`_ (around 1977 in Japan), the intro
of the track was removed during its broadcast.

.. _S.O.S: https://en.wikipedia.org/wiki/S.O.S._(Pink_Lady_song)
--

v2.23.0 | Report a Bug | By Email