Re: [openpgp] Algorithm-specific data: problems with Simple Octet Strings, and possible alternatives
Ángel <angel@16bits.net> Fri, 26 March 2021 02:44 UTC
Return-Path: <angel@16bits.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03CAC3A15BD for <openpgp@ietfa.amsl.com>; Thu, 25 Mar 2021 19:44:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VRUo7ORNxrn8 for <openpgp@ietfa.amsl.com>; Thu, 25 Mar 2021 19:44:03 -0700 (PDT)
Received: from mail.direccionemail.com (mail.direccionemail.com [199.195.249.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D75A3A15BC for <openpgp@ietf.org>; Thu, 25 Mar 2021 19:44:02 -0700 (PDT)
Message-ID: <f26e29d001224fc09e587b696416188a6fb6cc41.camel@16bits.net>
From: Ángel <angel@16bits.net>
To: openpgp@ietf.org
Date: Fri, 26 Mar 2021 03:44:00 +0100
In-Reply-To: <87eeg42gti.fsf@fifthhorseman.net>
References: <87eeg42gti.fsf@fifthhorseman.net>
Content-Type: text/plain; charset="ISO-8859-15"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/TKB4ILsk6EzHMMTSbrE2b7slCHY>
Subject: Re: [openpgp] Algorithm-specific data: problems with Simple Octet Strings, and possible alternatives
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Mar 2021 02:44:05 -0000
Some thoughts, trying to write down the problem definition (of which I may be missing something) and throwing out a few ideas, not necessarily useful. > ```text/x-diff > 00000010 07 > - 00000011 02 03 ecdsa_public_len > + 00000011 02 08 ecdsa_public_len > 00000013 04 29 75 bb 53 55 49 31 80 ab 03 54 15 ecdsa_public > ``` Tthe source of this difference is 04h = 0000 0100b. Thus, SOS would counts those 5 leading zero bits but MPI doesn't. Currently a consumer could round the bit length to the next multiple of 8 and use that for jumping n octets, *except* if the encoded number would begin with the high bit set. E.g. number 128 is [00 08 00 80] not [00 08 80] (which would a negative number, could that appear anywhere?) Spurious leading zeroes (e.g. [00 09 00 00 00 01 FF]) are not allowed now. However, in SOS-land, an algorithm may want to use a block of octets "00 00 00 01 FF". That could be prepended with a length of 40 (SOS proposal) 09 (MPI bit counting)... If we restrict ourselves to the modern ECC pubkeys (retconning this to RSA would be very cool, but probably impossible) it currently uses, for NIST curves: 04 || x || y which is an UncompressedPointRepresentation (rfc8422#section-5.4.1): an uncompressed(4) PointConversionForm followed by X & Y opaques. and for Ed25519/Curve25519 it uses 40 || x I'm thinking that perhaps the SOS could be defined as having *three* prefix bytes. The upper 13 bits defining the length of the black box, followed by a 3 bit parameter checksum and an algo parameter not included in the SOS count. NIST Curves would be defined as X || Y and receive a PointConversionForm of 4 as parameter. Similarly for X25519. That would allow defining the current pseudo-MPIs in a cleaner way based on an algorithm-specific opaque string as SOS tried to. Future algorithms could set a parameter such as 0x80 or 0xFF to produce a nicer count, but considering the first byte as a separate (and somewhat magic) value outside of the opaque string do allow a better definition than the current MPI which are really something else, while making existing implementations fit instead of requiring special casing ("Practically easiest" option). However, that doesn't work for the signature, where there *is* zero- removal/zero-recovery. Best
- [openpgp] Algorithm-specific data: problems with … Daniel Kahn Gillmor
- Re: [openpgp] Algorithm-specific data: problems w… Daniel Kahn Gillmor
- Re: [openpgp] Algorithm-specific data: problems w… Ángel
- Re: [openpgp] Algorithm-specific data: problems w… NIIBE Yutaka
- Re: [openpgp] Algorithm-specific data: problems w… Daniel Kahn Gillmor
- Re: [openpgp] Algorithm-specific data: problems w… Niibe Yutaka
- Re: [openpgp] Algorithm-specific data: problems w… Florian Weimer
- Re: [openpgp] Algorithm-specific data: problems w… Ángel
- Re: [openpgp] Algorithm-specific data: problems w… Wiktor Kwapisiewicz
- Re: [openpgp] Algorithm-specific data: problems w… NIIBE Yutaka