Re: [openpgp] EdDSA problem and possible change about ECC
NIIBE Yutaka <gniibe@fsij.org> Tue, 03 December 2019 02:39 UTC
Return-Path: <gniibe@fsij.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 477201200EC for <openpgp@ietfa.amsl.com>; Mon, 2 Dec 2019 18:39:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fsij.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FIYA6-DYLQ-Y for <openpgp@ietfa.amsl.com>; Mon, 2 Dec 2019 18:39:47 -0800 (PST)
Received: from akagi.fsij.org (akagi.fsij.org [IPv6:2001:4b98:dc0:41:216:3eff:fe1a:6542]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38893120052 for <openpgp@ietf.org>; Mon, 2 Dec 2019 18:39:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=fsij.org; s=main; h=Content-Type:MIME-Version:Message-ID:Date:References:In-Reply-To: Subject:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=CRt2HdsUmxYr9KjGDOTPV+mpF7RJetL9aVbw6IWpl/g=; b=mBqOkKsIEkXBsHEThhx7DDLlnU 3LXHv730lc6S2oKak6ytpG8w8pGgwFfKQXgh6zlciKg8kNnltBBg2kTZG/N1b6nsHlQY7fHmfJfO+ jj16caTXZDGSLsVzk1vsmTXxW5puN9a4tKj5qpo9k9yYrgdRxVodHx0VC46zJWOFJm5DKcslaHnNn vzlX9Qw33PzN0/ycHRsw8PpK55KnmbGBxFM/YvRfUV1PdnlJ1yMUG4AigfAPDH51bqwiZy/i+ccjJ 7RnFuvb3K/x38bpXQb/keFA3LMb8jGJiPZukgTIxhQJEHWOUBN1mY/0zVxj92XvmWqeJHsar69CsI ayOmmZCw==;
Received: from 140.200.232.153.ap.dti.ne.jp ([153.232.200.140] helo=iwagami.gniibe.org) by akagi.fsij.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <gniibe@fsij.org>) id 1iby6I-000651-UG; Tue, 03 Dec 2019 03:39:44 +0100
Received: by iwagami.gniibe.org (sSMTP sendmail emulation); Tue, 03 Dec 2019 11:39:38 +0900
From: NIIBE Yutaka <gniibe@fsij.org>
To: IETF OpenPGP <openpgp@ietf.org>
In-Reply-To: <87tv7pwdcb.fsf@jumper.gniibe.org>
References: <87a79kmhd1.fsf@iwagami.gniibe.org> <1572452632.29750.0@smtp.gmail.com> <87tv7pwdcb.fsf@jumper.gniibe.org>
Date: Tue, 03 Dec 2019 11:39:38 +0900
Message-ID: <87k17eb09h.fsf@iwagami.gniibe.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/FMlhSoh5E4jB2o42IybfjYJYI0s>
Subject: Re: [openpgp] EdDSA problem and possible change about ECC
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2019 02:39:49 -0000
Hello, Attached are example EdDSA public and secret key with malformed MPI. In secret part and siganature (R and S), it starts by zero octet and it says it's 256-bit. With modified GnuPG (which can show malformed MPI representation), gpg -v --list-packet shows: ========================== # off=0 ctb=94 tag=5 hlen=2 plen=88 :secret key packet: version 4, algo 22, created 1541067011, expires 0 pkey[0]: 092B06010401DA470F01 ed25519 (1.3.6.1.4.1.11591.15.1) pkey[1]: 4000001F8BEA42B3C74C50AA3589B1AA065F196857DB97A75E4A54953F093E6772 skey[2]: 0000000000000000000000000000000000000000000000000000000000000024 checksum: 07b6 keyid: 603315C930792940 # off=90 ctb=b4 tag=13 hlen=2 plen=35 :user ID packet: "ECC Test Key <ecc-test@example.org>" # off=127 ctb=88 tag=2 hlen=2 plen=148 :signature packet: algo 22, keyid 603315C930792940 version 4, created 1541115112, md5len 0, sigclass 0x13 digest algo 8, begin of digest c0 f0 hashed subpkt 33 len 21 (issuer fpr v4 F2C1264E292A298AEB4BC348603315C930792940) hashed subpkt 2 len 4 (sig created 2018-11-01) hashed subpkt 27 len 1 (key flags: 03) hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 2) hashed subpkt 34 len 2 (pref-aead-algos: 2 1) hashed subpkt 21 len 5 (pref-hash-algos: 10 9 8 11 2) hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1) hashed subpkt 30 len 1 (features: 07) hashed subpkt 23 len 1 (keyserver preferences: 80) subpkt 16 len 8 (issuer key ID 603315C930792940) data: 00A594ACA396212AD2800C8ED426449ECABC4B561000E12B96D8EFE3BDBED153 data: 00112F614291A5C8E5548B6CACEBABA1DB95394DAC15461C21EC9AB037A77D07 ========================== In my opinion, those data (secret part, signature) are better to be defined as non-MPI. Once, I thought that it is also good for the public part (the point representation in pkey[1]) to be defined as non-MPI. However, this part is used for fingerprint computation, so, I realized that changing the definition is not easy. --
- [openpgp] EdDSA problem and possible change about… NIIBE Yutaka
- Re: [openpgp] EdDSA problem and possible change a… Justus Winter
- Re: [openpgp] EdDSA problem and possible change a… Niibe Yutaka
- Re: [openpgp] EdDSA problem and possible change a… NIIBE Yutaka