Re: [pkix] Edwards/DJB curves - New PKI(X) work?

Michael StJohns <mstjohns@comcast.net> Mon, 18 August 2014 18:02 UTC

To: Johannes Merkle <johannes.merkle@secunet.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, pkix@ietf.org
From: Michael StJohns <mstjohns@comcast.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/EOvzXKJpJqa5UGshf1FlIKTx3QA

At 04:55 AM 8/18/2014, Johannes Merkle wrote:

>> For PKIX at least for signatures you need:
>>
>> 1) An ASN1 public key representation (and the appropriate OID).  Since there's only one DJB curve (? is that correct or
>> are two needed for signature and ecdh?), you could get away with just a new OID for AlgorithmIdentifier.algorithm.
>> 2) The format of the bitstring that represents a signature
>> 3) One or more signature algorithms (e.g. SHA256withX, SomeOtherHashWithX, etc) and their OIDs.
>>
>
>I disagree with 2) though: In all Schnorr-like signatures, the signature consists of two integers, not (EC) group
>elements. Thus, the EC point semantic has no influence on the signature encoding. It only has impact on the signature
>generation and verification algorithms (e.g. defined in ANSI X9.62 and FIPS 186-4), but these are out of the scope of PKIX.


Sort of.  The representation for PKIX EC signatures using X9.63/FIPS186-3/SECG1 is 

BIT STRING encapsulating {
    SEQUENCE {
        INTEGER r,
        INTEGER s
    }
}

 - I assume that's what you mean for Schnorr signatures?

In DJB's ED25519, the signature is actually a single integer, and tucked away in his paper is the notation that the representation of that integer is little endian.

So you could use either of 

BIT STRING encapsulating {
    INTEGER s
}

or

BIT STRING encapsulating {
    OCTET STRING SIZE (32) s   ; little endian representation of a 255 bit integer
}

or even

BIT STRING SIZE(255)

or 

BIT STRING


At this point I would assume new key type OIDs, *maybe* new curve OIDs if the curve isn't implied by the key type, and new signature type OIDs and representations.

Mike
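
The layouts listed in this message, encoded byte for byte, as an added example that is not part of the original email. It shows that the SEQUENCE { INTEGER r, INTEGER s } form changes length with the values while the fixed-size little-endian OCTET STRING form does not, and includes the strict INTEGER check a verifier should apply. All function names and sample values are constructed for illustration.

```python
# Added illustration: minimal DER helpers for the signature layouts above.
# Sample values are constructed; they are not real signatures.

def der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(v: int) -> bytes:
    """Non-negative INTEGER: big endian, minimal, 0x00 prefix if top bit set."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def bit_string(content: bytes) -> bytes:
    """BIT STRING with zero unused bits wrapping an octet-aligned value."""
    return tlv(0x03, b"\x00" + content)

def ecdsa_sig_bitstring(r: int, s: int) -> bytes:
    """BIT STRING encapsulating SEQUENCE { INTEGER r, INTEGER s }."""
    return bit_string(tlv(0x30, der_integer(r) + der_integer(s)))

def le_octets_bitstring(s: int, size: int = 32) -> bytes:
    """BIT STRING encapsulating OCTET STRING SIZE(size), little endian."""
    return bit_string(tlv(0x04, s.to_bytes(size, "little")))

def parse_strict_integer(der: bytes) -> int:
    """Decode one short-form DER INTEGER; reject negative or padded values."""
    if len(der) < 3 or der[0] != 0x02 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER INTEGER")
    body = der[2:]
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if len(body) > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER (redundant leading zero)")
    return int.from_bytes(body, "big")

if __name__ == "__main__":
    low, high = 2**255 - 1, 2**255 + 5      # constructed: top bit clear / set
    print(len(ecdsa_sig_bitstring(low, low)), len(ecdsa_sig_bitstring(low, high)))
    print(len(le_octets_bitstring(low)), len(le_octets_bitstring(5)))
    print(ecdsa_sig_bitstring(1, 0x80).hex())
```

Accepting a padded INTEGER such as `02 02 00 7f` would let two different byte strings verify as the same signature, which is why the parser rejects it.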