Re: [openpgp] Curve25519/ECDH

Clint Adams <clint@debian.org> Sun, 27 August 2017 22:29 UTC

Return-Path: <clint@debian.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79EA51321C9 for <openpgp@ietfa.amsl.com>; Sun, 27 Aug 2017 15:29:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iwCwRcCs1wYZ for <openpgp@ietfa.amsl.com>; Sun, 27 Aug 2017 15:29:48 -0700 (PDT)
Received: from thumb.scru.org (thumb.scru.org [IPv6:2600:3c00::f03c:91ff:fe96:c8b9]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4D78132192 for <openpgp@ietf.org>; Sun, 27 Aug 2017 15:29:48 -0700 (PDT)
Received: by thumb.scru.org (Postfix, from userid 1000) id 9BB006255F; Sun, 27 Aug 2017 22:29:46 +0000 (UTC)
Date: Sun, 27 Aug 2017 22:29:46 +0000
From: Clint Adams <clint@debian.org>
To: openpgp@ietf.org
Message-ID: <20170827222946.xnrkx4sdtitefwoc@scru.org>
References: <20170811201011.2fynredjcllcgz2f@scru.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20170811201011.2fynredjcllcgz2f@scru.org>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/bTEhCsMmGyWnqDJUNrkw8_nokQ0>
Subject: Re: [openpgp] Curve25519/ECDH
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Aug 2017 22:29:50 -0000

On Fri, Aug 11, 2017 at 08:10:11PM +0000, Clint Adams wrote:
> After speaking with NIIBE-san this morning, I think there could be some
> more clarity with regard to how Curve25519 keys are meant to be
> public-key algorithm 18.
> 
> To that end I've submitted https://gitlab.com/openpgp-wg/rfc4880bis/merge_requests/5

Per request, into the list archive:


While Ed25519 gets its own packet tag, Curve25519 keys are treated
the same as ECDH (by design and by the GnuPG implementation).
---
 middle.mkd | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/middle.mkd b/middle.mkd
index ec864c4..2615cf4 100644
--- a/middle.mkd
+++ b/middle.mkd
@@ -3735,8 +3735,8 @@ found in [](#KOBLITZ).
 This document references five named prime field curves, defined in
 [](#FIPS186) as "Curve P-256", "Curve P-384", and "Curve P-521"; and
 defined in [](#RFC5639) as "brainpoolP256r1", and "brainpoolP512r1".
-Further curve "Ed25519", defined in [](#I-D.irtf-cfrg-eddsa) is
-referenced for use with the EdDSA algorithm.
+Further curve "Curve25519", defined in [](#RFC7748) is referenced
+for use with Ed25519 (EdDSA signing) and X25519 (encryption).
 
 The named curves are referenced as a sequence of bytes in this
 document, called throughout, curve OID.  [](#ecc-curve-oid) describes
@@ -3756,7 +3756,8 @@ size.  The adjusted underlying field size is the underlying field size
 that is rounded up to the nearest 8-bit boundary.
 
 Therefore, the exact size of the MPI payload is 515 bits for "Curve
-P-256", 771 for "Curve P-384", and 1059 for "Curve P-521".
+P-256", 771 for "Curve P-384", 1059 for "Curve P-521", and ???{FIXME}
+for Curve25519.
 
 Even though the zero point, also called the point at infinity, may
 occur as a result of arithmetic operations on points of an elliptic
@@ -3867,7 +3868,8 @@ definition of the OtherInfo bitstring [](#SP800-56A):
     fingerprint are used.
 
 The size of the KDF parameters sequence, defined above, is either 54
-for the NIST curve P-256 or 51 for the curves P-384 and P-521.
+for the NIST curve P-256, 51 for the curves P-384 and P-521, or
+???{FIXME} for Curve25519.
 
 The key wrapping method is described in [](#RFC3394).  KDF produces a
 symmetric key that is used as a key-encryption key (KEK) as specified
-- 
2.14.1