[openpgp] EdDSA problem and possible change about ECC
NIIBE Yutaka <gniibe@fsij.org> Tue, 29 October 2019 02:10 UTC
Return-Path: <gniibe@fsij.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D13912008D for <openpgp@ietfa.amsl.com>; Mon, 28 Oct 2019 19:10:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fsij.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 34Fh2qT29g_1 for <openpgp@ietfa.amsl.com>; Mon, 28 Oct 2019 19:10:44 -0700 (PDT)
Received: from akagi.fsij.org (akagi.fsij.org [IPv6:2001:4b98:dc0:41:216:3eff:fe1a:6542]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7620B120047 for <openpgp@ietf.org>; Mon, 28 Oct 2019 19:10:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=fsij.org; s=main; h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From:Sender: Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=83CpUDyWn07uXJxANaGmbjK+7LWSCtgprmuZYpzhZtk=; b=Yxz+vBhlJi6pB+KFiA5FfXcTQa NYXwUOc4DQCjHb8WLyVV/gEHF+PvN5KjIttCDMzP00CP6WUbtKLDtCaJyR3iQ4/3ERqZ7MERFk6yM ES+zFvBHHz5wB25Bp6psVwhrRNaasjOZmcjJR8G4TTrph/RgQ2ufuQEAaqoFDlSImJeH2cv8WCneb QTLLMRi55THKLo1esL3mB2zIAFN9jq3OKP/nwHRLaGijKvl0O9nE6VZtbwpAUVTuSkIUdk7EOCHb3 3eTSozJkTAwmOhDC9SbpdE/ZCDUXAh553RJFDBkEQN2Bt5/lXrg8IETJYCRULKgcSE3j8CRLnotO3 I17TjJlg==;
Received: from 140.200.232.153.ap.dti.ne.jp ([153.232.200.140] helo=iwagami.gniibe.org) by akagi.fsij.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <gniibe@fsij.org>) id 1iPGxz-0008Tv-Ay; Tue, 29 Oct 2019 03:10:40 +0100
Received: by iwagami.gniibe.org (sSMTP sendmail emulation); Tue, 29 Oct 2019 11:10:34 +0900
From: NIIBE Yutaka <gniibe@fsij.org>
To: IETF OpenPGP <openpgp@ietf.org>
Date: Tue, 29 Oct 2019 11:10:34 +0900
Message-ID: <87a79kmhd1.fsf@iwagami.gniibe.org>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/JJ62rSfjC-6INU8ZOrJLYfU5R-0>
Subject: [openpgp] EdDSA problem and possible change about ECC
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 02:10:46 -0000
Hello,
I'm currently considering to add ECDH X448 to OpenPGP.
While I examined GnuPG and libgcrypt for that, I realized that there are
some discrepancy/inconsistency and possible interoperability issues
among OpenPGP implementations.
Thus, I share my observations and I'd like to propose changes of OpenPGP
specification. I'd like to listen from different OpenPGP
implementations.
The issue is about EdDSA (and possibly for ECDH X448 in future).
Current implementation of GnuPG 2.2 has/does:
(1) discrepancy/inconsistency
* In EdDSA key, it uses the prefix 0x40 for an EC point representation.
* In EdDSA signature, for R, it uses no prefix for an EC point
representation.
Note that:
GnuPG accepts EdDSA key with no prefix in an EC point.
GnuPG does _not_ accept EdDSA signature which R has the prefix
0x40.
(2) Removal of zeros in MPI handling in EdDSA
While the native EdDSA octet string for secret is defined as
fixed-size, it is defined as an MPI (big-endian) in OpenPGP.
While the native EdDSA EC point representation is defined as
fixed-size little-endian, it is defined as an MPI in OpenPGP.
While the native EdDSA integer representation is defined as fixed-size
little-endian, it is defined as an MPI (big-endian) in OpenPGP.
Because of this,
* In EdDSA secret key, the zeros (least significant bytes) in native
representation of the secret are removed to compose an MPI.
* In EdDSA signature, the zeros (least significant bytes) in native
representation of an EC point R are removed to compose an MPI.
* In EdDSA signature, the zeros (least significant bytes) in native
representation of an integer S are removed to compose an MPI.
(3) Recovery of zeros in MPI handling in EdDSA
To compensate the problem (2), it does special handling to recover
zeros when it receives an EdDSA secret/signature in OpenPGP format.
While we should keep support of zero-removed EdDSA secret/signature, I
think that it's good to modify GnuPG so that it won't generate possibly
problematic EdDSA secret/signature any more.
And it's good to clarify the specification, so that EdDSA
secret/signature with no-zero removal (zeros as-is) can be valid. I'm
afraid that no-zero removal EdDSA secret/signature is invalid by the
current draft of rfc4880bis, as ill-formed MPI.
So.... here is my suggestion to OpenPGP specification.
Since my language skill for specification is poor, I don't intend to fix
the text by my words, but I would like to point out the place where we
need to fix.
In the following patch, I introduced "SOS" for "simply, octet string".
I know it's not good term, it should be replaced by more relevant term
soon. Please help for good term choice.
The reason for SOS is that I think that it is not good for curves which
have native format in fixed-size little-endian to use MPI to represent
its EC point and its integer. The structure of SOS is exactly same
as MPI, so that existing implementation can avoid larger changes (no
change, hopefully).
When we will able to define an EC point representation as SOS, we won't
need to use the prefix 0x40, and we won't need to claim it as an
extension of the encoding given in SEC1. While we need to support
existing Ed25519 keys with the prefix 0x40, in future, for Ed448 keys
and X448 keys (including ephemeral keys in ECDH), we can use no prefix
cleanly.
==========================
diff --git a/middle.mkd b/middle.mkd
index ca73704..3e3b548 100644
--- a/middle.mkd
+++ b/middle.mkd
@@ -211,6 +211,15 @@ Unused bits of an MPI MUST be zero.
Also note that when an MPI is encrypted, the length refers to the
plaintext MPI. It may be ill-formed in its ciphertext.
+## Simply, Octet String
+
+Simply-Octet-String (also called SOSs) are opaque octet strings.
+
+A SOS consists of two pieces: a two-octet scalar that is the length of
+the SOS in bits followed by a string of octets.
+
+It should accepts SOS with unused bits in the first octet.
+
## Key IDs
A Key ID is an eight-octet scalar that identifies a
@@ -636,7 +645,8 @@ The body of this packet consists of:
Algorithm-Specific Fields for ECDH encryption:
- - MPI of an EC point representing an ephemeral public key.
+ - SOS of an EC point representing an ephemeral public key. It
+ may comes with the prefix octet of 0x40.
- a one-octet size, followed by a symmetric key encoded using the
method described in [](#ec-dh-algorithm-ecdh).
@@ -979,13 +989,13 @@ The body of a V4 or V5 Signature packet contains:
Algorithm-Specific Fields for EdDSA signatures:
- * MPI of EdDSA compressed value r.
+ * SOS of an EC point r.
- * MPI of EdDSA compressed value s.
+ * SOS of an integer representing EdDSA value s.
-The compressed version of R and S for use with EdDSA is described in
-[](#RFC8032). A version 3 signature MUST NOT be created
-and MUST NOT be used with EdDSA.
+The format of R and S for use with EdDSA is described in [](#RFC8032).
+A version 3 signature MUST NOT be created and MUST NOT be used with
+EdDSA.
The concatenation of the data being signed and the signature data from
the version number through the hashed subpacket data (inclusive) is
@@ -2301,7 +2311,7 @@ The public key is this series of values:
- the octets representing a curve OID, defined in
[](#ecc-curve-oid);
- * a MPI of an EC point representing a public key.
+ * MPI of an EC point representing a public key.
The secret key is this single multiprecision integer:
@@ -2322,13 +2332,12 @@ The public key is this series of values:
- the octets representing a curve OID, defined in
[](#ecc-curve-oid);
- * a MPI of an EC point representing a public key Q as described
- under EdDSA Point Format below.
+ * SOS of an EC point representing a public key Q. It may comes with
+ the prefix octet of 0x40.
The secret key is this single multiprecision integer:
- * MPI of an integer representing the secret key, which is a
- scalar of the public EC point.
+ * SOS representing the secret key.
### Algorithm-Specific Part for ECDH Keys
@@ -2344,7 +2353,8 @@ The public key is this series of values:
- the octets representing a curve OID, defined in
[](#ecc-curve-oid);
- * a MPI of an EC point representing a public key;
+ * SOS of an EC point representing a public key. It may comes with
+ the prefix 0x40.
* a variable-length field containing KDF parameters,
formatted as follows:
@@ -2365,8 +2375,8 @@ fields that define an ECDSA key, plus the KDF parameters field.
The secret key is this single multiprecision integer:
- * MPI of an integer representing the secret key, which is a
- scalar of the public EC point.
+ * SOS representing the secret key, which is a scalar of the public
+ EC point.
## Compressed Data Packet (Tag 8)
@@ -4035,10 +4045,10 @@ in detail how this sequence of bytes is formed.
## ECDSA and ECDH Conversion Primitives
This document defines the uncompressed point format for ECDSA and ECDH
-and a custom compression format for certain curves. The point is
-encoded in the Multiprecision Integer (MPI) format.
+and a custom compression formats for certain curves. The point is
+encoded in SOS format.
-For an uncompressed point the content of the MPI is:
+For an uncompressed point the content of the SOS is:
B = 04 || x || y
@@ -4048,17 +4058,18 @@ size. The adjusted underlying field size is the underlying field size
that is rounded up to the nearest 8-bit boundary. This encoding is
compatible with the definition given in [](#SEC1).
-For a custom compressed point the content of the MPI is:
+For a custom compressed point the content of the SOS is:
B = 40 || x
where x is the x coordinate of the point P encoded to the rules
-defined for the specified curve. This format is used for ECDH keys
-based on curves expressed in Montgomery form.
+defined for the specified curve. The prefix octet 0x40 is optional.
+This format is used for ECDH keys based on curves expressed in
+Montgomery form.
-Therefore, the exact size of the MPI payload is 515 bits for "Curve
-P-256", 771 for "Curve P-384", 1059 for "Curve P-521", and 263 for
-Curve25519.
+Therefore, the exact bit size of the SOS payload is 515 bits for
+"Curve P-256", 771 for "Curve P-384", 1059 for "Curve P-521", and 263
+for "Curve25519". For "X448", it's 448 bits with no prefix.
Even though the zero point, also called the point at infinity, may
occur as a result of arithmetic operations on points of an elliptic
@@ -4077,17 +4088,20 @@ given recipient of a given message.
## EdDSA Point Format
-The EdDSA algorithm defines a specific point compression format. To
-indicate the use of this compression format and to make sure that the
-key can be represented in the Multiprecision Integer (MPI) format the
-octet string specifying the point is prefixed with the octet 0x40.
-This encoding is an extension of the encoding given in [](#SEC1) which
-uses 0x04 to indicate an uncompressed point.
+The EdDSA algorithm defines a specific point compression format. In
+order to the key can be interpreted in the Multiprecision Integer
+(MPI) format, the octet string specifying the point may be prefixed
+with the optional octet 0x40. This encoding is an extension of the
+encoding given in [](#SEC1) which uses 0x04 to indicate an
+uncompressed point.
For example, the length of a public key for the curve Ed25519 is 263
bit: 7 bit to represent the 0x40 prefix octet and 32 octets for the
native value of the public key.
+The length of a public key for the curve Ed448 is 448 bit: no prefix
+octet and 56 octets for the native value of the public key.
+
## Key Derivation Function
@@ -4230,7 +4244,7 @@ normative sources of the definition.
Compute Z = KDF( S, Z_len, Param );
Compute C = AESKeyWrap( Z, m ) as per [RFC3394]
VB = convert point V to the octet string
- Output (MPI(VB) || len(C) || C).
+ Output (SOS(VB) || len(C) || C).
The decryption is the inverse of the method given. Note that the
recipient obtains the shared secret by calculating
--
- [openpgp] EdDSA problem and possible change about… NIIBE Yutaka
- Re: [openpgp] EdDSA problem and possible change a… Justus Winter
- Re: [openpgp] EdDSA problem and possible change a… Niibe Yutaka
- Re: [openpgp] EdDSA problem and possible change a… NIIBE Yutaka