Re: [openpgp] EdDSA problem and possible change about ECC

Justus Winter <justuswinter@gmail.com> Wed, 30 October 2019 16:23 UTC

Date: Wed, 30 Oct 2019 17:23:52 +0100
From: Justus Winter <justuswinter@gmail.com>
To: NIIBE Yutaka <gniibe@fsij.org>
Cc: IETF OpenPGP <openpgp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/WvskteMS_Rz0CYGrc5z-VgjCA6U>

Hello,
On Tue, Oct 29, 2019 at 3:10 AM, NIIBE Yutaka <gniibe@fsij.org> wrote:
> While I examined GnuPG and libgcrypt for that, I realized that there are
> some discrepancies/inconsistencies and possible interoperability issues
> among OpenPGP implementations.

Interoperability between implementations with regard to EdDSA seems to 
be good:

https://tests.sequoia-pgp.org/#Detached_Sign-Verify_roundtrip_with_key__Alice_

Though I agree that OpenPGP's MPI encoding has been a source of bugs. I 
just discovered this exact issue in dkgpg this week:

https://savannah.nongnu.org/bugs/index.php?57135

> (2) Removal of zeros in MPI handling in EdDSA
> 
>   While the native EdDSA octet string for secret is defined as
>   fixed-size, it is defined as an MPI (big-endian) in OpenPGP.
> 
>   While the native EdDSA EC point representation is defined as
>   fixed-size little-endian, it is defined as an MPI in OpenPGP.
> 
>   While the native EdDSA integer representation is defined as fixed-size
>   little-endian, it is defined as an MPI (big-endian) in OpenPGP.
> 
>   Because of this,
> 
>   * In EdDSA secret key, the zeros (least significant bytes) in native
>     representation of the secret are removed to compose an MPI.
> 
>   * In EdDSA signature, the zeros (least significant bytes) in native
>     representation of an EC point R are removed to compose an MPI.
> 
>   * In EdDSA signature, the zeros (least significant bytes) in native
>     representation of an integer S are removed to compose an MPI.
> 
> (3) Recovery of zeros in MPI handling in EdDSA
> 
>   To compensate the problem (2), it does special handling to recover
>   zeros when it receives an EdDSA secret/signature in OpenPGP format.

I agree with your analysis.

> While we should keep support of zero-removed EdDSA secret/signature, I
> think that it's good to modify GnuPG so that it won't generate possibly
> problematic EdDSA secret/signature any more.

I wrote a test to see how various OpenPGP implementations react to MPIs 
that are not in canonical form (i.e. malformed MPIs) for S, or 
0x40-padded R, and only GnuPG and PGPy accept zero-padded S:

https://tests.sequoia-pgp.org/#EdDSA_signature_encodings

Therefore, I'm afraid that changing what implementations emit now will 
introduce incompatibilities with existing implementations.


Cheers,
Justus
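
Added example, not part of the original message and not code from any implementation named in it: Python showing how OpenPGP MPI framing (RFC 4880, section 3.2) removes the leading zeros of a fixed-size native EdDSA value, how a receiver restores them, and how a parser can tell a canonical MPI from a zero-padded one. It assumes Ed25519's 32-octet native size; the function names are hypothetical and the sample value is constructed.

```python
# Added example: OpenPGP MPI framing applied to a 32-octet native EdDSA value.
# All names here are hypothetical; SAMPLE_S is a constructed value.

NATIVE_LEN = 32  # assumption: Ed25519, where R and S are 32 octets each


def mpi_encode(native: bytes) -> bytes:
    """Encode a native octet string as a canonical MPI (leading zeros removed)."""
    value = int.from_bytes(native, "big")  # OpenPGP reads the octets big-endian
    bits = value.bit_length()
    body = value.to_bytes((bits + 7) // 8, "big")
    return bits.to_bytes(2, "big") + body  # two-octet bit count, then the value


def mpi_parse(buf: bytes):
    """Return (body, canonical) for the single MPI at the start of buf."""
    if len(buf) < 2:
        raise ValueError("truncated MPI header")
    bits = int.from_bytes(buf[:2], "big")
    n = (bits + 7) // 8
    body = buf[2:2 + n]
    if len(body) != n:
        raise ValueError("truncated MPI body")
    # Canonical form: the declared bit count equals the real bit length,
    # so the body carries no leading zero bits or octets.
    canonical = int.from_bytes(body, "big").bit_length() == bits
    return body, canonical


def recover_native(body: bytes) -> bytes:
    """Restore the removed zeros by left-padding to the fixed native size."""
    if len(body) > NATIVE_LEN:
        raise ValueError("value longer than the native size")
    return body.rjust(NATIVE_LEN, b"\x00")


# Constructed sample: a native S whose first two octets are zero.
SAMPLE_S = bytes.fromhex("0000" + "ab" * 30)

# Constructed non-canonical encoding: all 32 octets kept, bit count set to 256.
PADDED_S = (256).to_bytes(2, "big") + SAMPLE_S

if __name__ == "__main__":
    for name, wire in (("canonical", mpi_encode(SAMPLE_S)), ("padded", PADDED_S)):
        body, ok = mpi_parse(wire)
        print(name, len(body), ok, recover_native(body) == SAMPLE_S)
```

Both encodings recover the same 32-octet value; only the `canonical` flag differs, which is the property a strict parser rejects on and a lenient one ignores.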