IETF Logo Mail Archive

Re: [pkix] How to select the ASN.1 structure of EC-SDSA (Schnorr signature with ECC)?

Michael StJohns <msj@nthpermutation.com> Tue, 23 August 2022 19:11 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC09BC14CE36 for <pkix@ietfa.amsl.com>; Tue, 23 Aug 2022 12:11:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zAu-aTjOKSIB for <pkix@ietfa.amsl.com>; Tue, 23 Aug 2022 12:11:14 -0700 (PDT)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0C90C14CE2C for <pkix@ietf.org>; Tue, 23 Aug 2022 12:11:14 -0700 (PDT)
Received: by mail-qt1-x82c.google.com with SMTP id j17so11128457qtp.12 for <pkix@ietf.org>; Tue, 23 Aug 2022 12:11:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc; bh=3fnxooQZP7WhbMrFTpHwcY/ri19YO4MFxKzbSASWTcE=; b=1rZqiF+Sg/k66bswtQZAGf/1RwT83OckkLCPTxtWxbkSNefC1GMNBgX/5/y34ZN1hM wU5V3LcH1zwqf29pPdVVY5O066jzLZ+9c7r1TNAV02yddXyHqWm5FEAZU3/JGAQ2Ux/S /6NsRKOYUJGCHMIKzlhnzv65JvZslUyjEIU4u08RyCkTRNXa21U+ymVsNMA2glOTL0E3 0IIlDCY6Y19shOfKpfv3XhMEcV0vLHXkOWD5LSu6+gDKBsSir48mtU3/9eTQO2tW/7mn 7IdEY1p2a0TULccweKeFMzhXYhcubw0rZy+JqWAEmxUOFu2WmBGQpQYFRm+ruQlq9cux tIMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc; bh=3fnxooQZP7WhbMrFTpHwcY/ri19YO4MFxKzbSASWTcE=; b=xomS6q+puxk8GFya+M9LN3A1clQ8SFej7DAkmPSv9qFlqBcYTzQJF14ZufBlLAt1nw bluQeXYo2g2z91UwCq3Hj1j1CEqZ8Nm+9AJWtlkHMhvYYNOUht1/l+NBOW5TNjroY3Ki ZWru7eeHeLmfpjCQOtXLiYpJN8/Lf8e6sXpcneYPTQ3Tc5INZHdgRs7ttCsu429xwwLC USB3M/ObCl+y45X4SUvpTvyxNYEU4MaPQ/MirtIQQRu+jwiw88REXbNjQw6V+ooymO6A Es/qpH0l8g/9RNZYCVKuPaLQBRplK795flmx8eJhX4nm2xePDrJzvr1bB/InLqS2YKLc 8nmQ==
X-Gm-Message-State: ACgBeo2qiHMFiVtkJnA0pGGxjfDCP/z6kdK3Vr0tVaE/VOkI1jpQE+4T zk59VzsxlZxzdeET0GTm7n37E47sJk7rsKHOYUo=
X-Google-Smtp-Source: AA6agR7tVhVCInKAlOtW8sxey4EDwpzEKFtfbkVgXGywtTowPngyPeqCoECKKSbCAHe9eK/Ti3Aa/A==
X-Received: by 2002:ac8:5c12:0:b0:343:6c0e:df90 with SMTP id i18-20020ac85c12000000b003436c0edf90mr20760738qti.4.1661281873102; Tue, 23 Aug 2022 12:11:13 -0700 (PDT)
Received: from [192.168.1.23] (pool-108-31-156-76.washdc.fios.verizon.net. [108.31.156.76]) by smtp.gmail.com with ESMTPSA id v16-20020a05620a0f1000b006bbd2c4cccfsm11841307qkl.53.2022.08.23.12.11.11 for <pkix@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 23 Aug 2022 12:11:12 -0700 (PDT)
Message-ID: <e01fe585-add6-5875-f056-52c46c002995@nthpermutation.com>
Date: Tue, 23 Aug 2022 15:11:08 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.12.0
Content-Language: en-US
To: pkix@ietf.org
References: <334707a8-7a3a-3d1d-2085-6b31b626f059@informatik.hu-berlin.de> <c8a0bbdb-0c76-cc4d-a153-e87632bec77d@nthpermutation.com> <752ea7c8-2607-8d26-71f6-c296a95ad1ca@informatik.hu-berlin.de>
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <752ea7c8-2607-8d26-71f6-c296a95ad1ca@informatik.hu-berlin.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/8DfH7Gq-qrWWuLQ_B64q93qfTJM>
Subject: Re: [pkix] How to select the ASN.1 structure of EC-SDSA (Schnorr signature with ECC)?
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2022 19:11:18 -0000

On 8/23/2022 6:19 AM, Ernst G Giessmann wrote:
> Am 2022-08-22 um 22:27 schrieb Michael StJohns:
>> On 8/22/2022 3:04 PM, Ernst G Giessmann wrote:
>> AFAICT, not explicitly, but the German version of the spec
>> https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03111/BSI-TR-03111_V-2-1_pdf.pdf?__blob=publicationFile&v=1
>> suggests that the r field of a ECSDSA signature is still an integer,
>> converted from the R value using the OS2I primitive on formation, and
>> the I2OS primitive for verification.    That works for both the simple
>> r||s and ASN1 encodings.
>>
>> Mike
> Mike,
> thanks for the reference, but I'm not very sure that this is the right
> approach. In contrast to EC-DSA the r field in EC-SDSA is clearly a
> constant length hash value, and therefore the appropriate encoding seems
> to be the constant length bit or octet string representation. An integer
> encoding must ignore leading zero bits and has to consider the first bit
> as a sign.
>
> Other places where hash values show up in ASN1 are the KeyIdentifier in
> X.509, the KeyHash in OCSP and the digest value encoding in PKCS#1 v1.5.
> All are encoded as octet strings.
>
> /Ernst
>
> OT: In case of EC-FSDSA (full Schnorr) the r field is the elliptic curve
> point P (aka pre-signature). Should it also be encoded as an integer? ;-).
>
>

The point is that there are multiple encodings for a EC signature - e.g. 
ASN1, simple (aka hardware), and I think JSON?  Smart cards too.   In 
the simple (e.g. hardware originated) case for ECSDSA, you would use the 
I2OS primitive to express the s value as a 32 byte octet string and post 
pend that to the 32 byte r hash string.  In the asn1 case, you just end 
up reversing that - OS2I for the R value and stick it into a standard 
X9.62 ASN1 Sequence of Integer formation.

That has a great advantage in that no one has to write a new parser for 
signatures.  ECSDSA on the wire (keys, signatures, etc) looks the same 
as ECDSA.  It's only when you get into the implementation details of r 
as a hash value and s as an integer for ECSDSA vs r as an integer and s 
as an integer for ECDSA do you really care.  I deal with that all the 
time with various hardware implementations that produce to-be-encoded R 
and S values all as octet strings.

If you're going to do structure twiddling and I really hope you don't, 
then the obvious way of doing this is to  do it as OCTET STRING (r || 
I2OS(s)) rather than a sequence of different values. Why force the 
parser to work that hard?  You could even skip the inner encoding and go 
straight to BITSTRING(0 extra, r || I2OS(s)).

Unless you have grave misgivings about this (and an explanation of why 
this is a problem), then leave the encodings alone.  It triggers more 
work than you can imagine downstream.

Mike

v2.23.0 | Report a Bug | By Email