Re: [openpgp] ECC point encoding and "flag byte"
Florian Weimer <fw@deneb.enyo.de> Wed, 03 March 2021 22:29 UTC
Return-Path: <fw@deneb.enyo.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F8353A1C68; Wed, 3 Mar 2021 14:29:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8i5y8iSE47aB; Wed, 3 Mar 2021 14:29:30 -0800 (PST)
Received: from albireo.enyo.de (albireo.enyo.de [37.24.231.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DBC43A1C67; Wed, 3 Mar 2021 14:29:27 -0800 (PST)
Received: from [172.17.203.2] (port=36387 helo=deneb.enyo.de) by albireo.enyo.de ([172.17.140.2]) with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1lHZzf-0006dm-1X; Wed, 03 Mar 2021 22:29:23 +0000
Received: from fw by deneb.enyo.de with local (Exim 4.92) (envelope-from <fw@deneb.enyo.de>) id 1lHZze-0000Sp-TH; Wed, 03 Mar 2021 23:29:22 +0100
From: Florian Weimer <fw@deneb.enyo.de>
To: Wiktor Kwapisiewicz <wiktor=40metacode.biz@dmarc.ietf.org>
Cc: NIIBE Yutaka <gniibe@fsij.org>, Werner Koch <wk@gnupg.org>, openpgp@ietf.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
References: <87h7lyccns.fsf@fifthhorseman.net> <87czwj8d3b.fsf@wheatstone.g10code.de> <87v9a829z7.fsf@iwagami.gniibe.org> <ee1f255c-beb2-e149-9910-bf004b739bf1@metacode.biz>
Date: Wed, 03 Mar 2021 23:29:22 +0100
In-Reply-To: <ee1f255c-beb2-e149-9910-bf004b739bf1@metacode.biz> (Wiktor Kwapisiewicz's message of "Wed, 3 Mar 2021 10:19:07 +0100")
Message-ID: <8735xban25.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/cyodLapwin6NAKb7E_0S7v71Mec>
Subject: Re: [openpgp] ECC point encoding and "flag byte"
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2021 22:29:33 -0000
* Wiktor Kwapisiewicz: > [0]: https://tools.ietf.org/html/rfc4880#section-3.2 > > It doesn't say that [00 01 00 01] is invalid, just that the length > should not include leading zeros: [00 02 01]. > > (Unless I'm reading something wrong: please correct me if that's the fact). > > For the record I thought that the "byte length" (not MPI bit length) > would be more appropriate because for all purposes the emitted stream > will always contain full bytes anyway but I do understand you want to > keep the backwards compatibility. Even though maybe new curves can use > this new byte-length SOS. > > Calculating bits correctly seems to be more complex than necessary with > potential for confusion: I've reported it to GnuPG [1] and Sequoia [2]. > > [1]: https://lists.gnupg.org/pipermail/gnupg-devel/2021-March/034735.html > > [2]: https://gitlab.com/sequoia-pgp/sequoia/-/issues/682 This isn't really specific to ECC. RSA has a similar issue. I've asked about this before, but it seems the message got lost at the time. From: Florian Weimer <fw@deneb.enyo.de> To: ietf-openpgp@imc.org Subject: Implementations do not seem to use RFC 3447 PKCS#1 encoding Date: Thu, 02 Apr 2020 22:56:26 +0200 Message-ID: <87a73tk3np.fsf@mid.deneb.enyo.de> It seems that some implementations drop leading zeros from MPIs, violating the octet string length requirements in RFC 3447, which are also repeated in section 13.1 of RFC 4880. This is likely the result of a rule in section 3.2 of RFC 4880 that leading zeros in MPIs should not be encoded. It's not possible to follow both rules at the same time. Has this come up before?
- [openpgp] ECC point encoding and "flag byte" Daniel Kahn Gillmor
- Re: [openpgp] ECC point encoding and "flag byte" Andrey Jivsov
- Re: [openpgp] ECC point encoding and "flag byte" Werner Koch
- Re: [openpgp] ECC point encoding and "flag byte" NIIBE Yutaka
- Re: [openpgp] ECC point encoding and "flag byte" NIIBE Yutaka
- Re: [openpgp] ECC point encoding and "flag byte" Wiktor Kwapisiewicz
- Re: [openpgp] ECC point encoding and "flag byte" Florian Weimer
- Re: [openpgp] ECC point encoding and "flag byte" Ángel
- Re: [openpgp] ECC point encoding and "flag byte" Werner Koch
- Re: [openpgp] ECC point encoding and "flag byte" Ángel