Re: [openpgp] EdDSA problem and possible change about ECC
Niibe Yutaka <gniibe@fsij.org> Thu, 31 October 2019 08:04 UTC
Return-Path: <gniibe@fsij.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 497B3120834 for <openpgp@ietfa.amsl.com>; Thu, 31 Oct 2019 01:04:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fsij.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O8UQzPYC8huc for <openpgp@ietfa.amsl.com>; Thu, 31 Oct 2019 01:04:13 -0700 (PDT)
Received: from akagi.fsij.org (akagi.fsij.org [IPv6:2001:4b98:dc0:41:216:3eff:fe1a:6542]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1A17120824 for <openpgp@ietf.org>; Thu, 31 Oct 2019 01:04:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=fsij.org; s=main; h=Content-Type:MIME-Version:Message-ID:Date:In-reply-to:Subject:Cc: To:From:References:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=EHc+Ejvah18o7cU2mwJSuXNcNAv0OFSMG6u52UlkRl0=; b=pJ+m3BMFX1bIcfF46Fq4Bw8pW+ OpIp/c6LG/yrkHaZlhk32BIVaELowM+3wGBtBu5WskKixCUtvJCC2R1M4h0IR9hNnfcwXciT6xfSt eoNpGHwPSCG8p9Ek5ggyunN8/LITDOEJbeAOEl5NQ7zIlbP0ags429wlqEBAX5oGSwKIq4ESH/qVd mYkVXkkI8oj/IWvgJmARLGQJgaX7XMrNwyn6/Mo080jHcxgT8d5lp7/3QtuZtKYxM35xCFcFYftRN MiBfJAxzuzi4+9obYbEAJSV0eSJoKl5+h20wcB2mnd3WN1WsTBWF+Gy41k8DWnnLH5vwFRzs6xlbY 3wZk2DAw==;
Received: from z212192.dynamic.ppp.asahi-net.or.jp ([110.4.212.192] helo=localhost) by akagi.fsij.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <gniibe@fsij.org>) id 1iQ5RB-0001hR-4e; Thu, 31 Oct 2019 09:04:09 +0100
References: <87a79kmhd1.fsf@iwagami.gniibe.org> <1572452632.29750.0@smtp.gmail.com>
User-agent: mu4e 1.0; emacs 26.1
From: Niibe Yutaka <gniibe@fsij.org>
To: Justus Winter <justuswinter@gmail.com>
Cc: IETF OpenPGP <openpgp@ietf.org>
In-reply-to: <1572452632.29750.0@smtp.gmail.com>
Autocrypt: addr=gniibe@fsij.org; prefer-encrypt=mutual; keydata= mDMEVcrxeBYJKwYBBAHaRw8BAQdAnMfaPVY4ldwFJr18e9ADT+T0M9U9GC4K800CrtT2QXe0Hk5J SUJFIFl1dGFrYSA8Z25paWJlQGZzaWoub3JnPoh8BBMWCAAkAhsDBQsJCAcCBhUICQoLAgQWAgMB Ah4BAheABQJVzIzWAhkBAAoJEOJnsFI2TwKNJUIA/0oRcUoOhkVi/rdewnuALVWcnTuUvPexVQh+ CfHgvEP1AQDQX/cPFSaydSNTzsxPBYoa/pgfF8dFKVVlnJIwy07PBbg4BFXK8XgSCisGAQQBl1UB BQEBB0BDF4eWFoYKSDGvt26As8ASzh75ZkjRqs70cxQiJAp7QAMBCAeIYQQYFggACQUCVcrxeAIb DAAKCRDiZ7BSNk8CjfVqAP9NFD+rTePZAVyWmOfzko7Y2yTGLwlqMTEuVVnEHoI6jAD9Ezv6ojRl z/47hOw32N2L2zDiE/dxT5CCm3ZVxST8GgK4MwRVyvK+FgkrBgEEAdpHDwEBB0DsZ495muN9/vr8 IJ7sVPe4n3w6jER3bIKv7tkHWPQXTIhhBBgWCAAJBQJVyvK+AhsgAAoJEOJnsFI2TwKNNhsA/2GW iUDVSAoM1SDUFLutSsM4/kJMlIhtVWy2u0svQxN5AP0VHPGkBv84mnlqxHAQa4y3lWku2ZgR5aN+ vuR5JjyUCw==
Date: Thu, 31 Oct 2019 17:04:04 +0900
Message-ID: <87tv7pwdcb.fsf@jumper.gniibe.org>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ujXuDdZXd4LMgyYyLELUFqhmx4c>
Subject: Re: [openpgp] EdDSA problem and possible change about ECC
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2019 08:04:16 -0000
Justus Winter wrote: > I wrote a test to see how various OpenPGP implementations react to MPIs > that are not in canonical form (i.e. malformed MPIs) for S, or > 0x40-padded R, and only GnuPG and PGPy accept zero-padded S: > > https://tests.sequoia-pgp.org/#EdDSA_signature_encodings Thanks a lot for your information. It's very helpful. > Therefore, I'm afraid that changing what implementations emit now will > introduce incompatibilities with existing implementations. I see. So... I'm going to take conservative approach for SOS when changing GnuPG; Introduce SOS for new curve only, at first. After new curve will become common (together with SOS handling hopefully) among implementations, then, apply SOS to Ed25519 if possible/useful. FWIW: I changed libgcrypt master for similar leading-zeros problem. For GnuPG, there are many places (than I initially expected); It's not only in gpg frontend but also in data format in the protocl between gpg-agent, and in gpg-agent. When I locate all places, I change those places to support non-zero-removed full-size octet string (keeping leading zeros intact), and then, I'll generate an example OpenPGP EdDSA key with self-signature (key with leading zeros _and_ signature with leading zeros). I'd say, "save our leading zeros". :-) --
- [openpgp] EdDSA problem and possible change about… NIIBE Yutaka
- Re: [openpgp] EdDSA problem and possible change a… Justus Winter
- Re: [openpgp] EdDSA problem and possible change a… Niibe Yutaka
- Re: [openpgp] EdDSA problem and possible change a… NIIBE Yutaka