IETF Logo Mail Archive

Re: [openpgp] Algorithm-specific data: problems with Simple Octet Strings, and possible alternatives

Ángel <angel@16bits.net> Fri, 26 March 2021 02:44 UTC

Return-Path: <angel@16bits.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03CAC3A15BD for <openpgp@ietfa.amsl.com>; Thu, 25 Mar 2021 19:44:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VRUo7ORNxrn8 for <openpgp@ietfa.amsl.com>; Thu, 25 Mar 2021 19:44:03 -0700 (PDT)
Received: from mail.direccionemail.com (mail.direccionemail.com [199.195.249.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D75A3A15BC for <openpgp@ietf.org>; Thu, 25 Mar 2021 19:44:02 -0700 (PDT)
Message-ID: <f26e29d001224fc09e587b696416188a6fb6cc41.camel@16bits.net>
From: Ángel <angel@16bits.net>
To: openpgp@ietf.org
Date: Fri, 26 Mar 2021 03:44:00 +0100
In-Reply-To: <87eeg42gti.fsf@fifthhorseman.net>
References: <87eeg42gti.fsf@fifthhorseman.net>
Content-Type: text/plain; charset="ISO-8859-15"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/TKB4ILsk6EzHMMTSbrE2b7slCHY>
Subject: Re: [openpgp] Algorithm-specific data: problems with Simple Octet Strings, and possible alternatives
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Mar 2021 02:44:05 -0000

Some thoughts, trying to write down the problem definition (of which I
may be missing something) and throwing out a few ideas, not necessarily
useful.



> ```text/x-diff
>     00000010  07
> -   00000011     02 03                                           ecdsa_public_len
> +   00000011     02 08                                           ecdsa_public_len
>     00000013           04 29 75 bb 53  55 49 31 80 ab 03 54 15   ecdsa_public
> ```

Tthe source of this difference is
 04h = 0000 0100b.

Thus, SOS would counts those 5 leading zero bits but MPI doesn't.


Currently a consumer could round the bit length to the next multiple of
8 and use that for jumping n octets, *except* if the encoded number
would begin with the high bit set.
E.g. number 128 is [00 08 00 80] not [00 08 80] (which would a negative
number, could that appear anywhere?)

Spurious leading zeroes (e.g. [00 09 00 00 00 01 FF]) are not allowed
now.

However, in SOS-land, an algorithm may want to use a block of octets
"00 00 00 01 FF". That could be prepended with a length of 40 (SOS
proposal) 09 (MPI bit counting)...

If we restrict ourselves to the modern ECC pubkeys (retconning this to
RSA would be very cool, but probably impossible) it currently uses,
for NIST curves:

 04 || x || y 

which is an UncompressedPointRepresentation (rfc8422#section-5.4.1):
an uncompressed(4) PointConversionForm followed by X & Y opaques.

and for Ed25519/Curve25519 it uses 
 40 || x


I'm thinking that perhaps the SOS could be defined as having *three*
prefix bytes. The upper 13 bits defining the length of the black box,
followed by a 3 bit parameter checksum and an algo parameter not
included in the SOS count. NIST Curves would be defined as X || Y and
receive a PointConversionForm of 4 as parameter.

Similarly for X25519.

That would allow defining the current pseudo-MPIs in a cleaner way
based on an algorithm-specific opaque string as SOS tried to.

Future algorithms could set a parameter such as 0x80 or 0xFF to produce
a nicer count, but considering the first byte as a separate (and
somewhat magic) value outside of the opaque string do allow a better
definition than the current MPI which are really something else, while
making existing implementations fit instead of requiring special casing
("Practically easiest" option).

However, that doesn't work for the signature, where there *is* zero-
removal/zero-recovery.


Best

v2.23.0 | Report a Bug | By Email