Re: [pkix] Edwards/DJB curves - New PKI(X) work?

Erwann Abalea <eabalea@gmail.com> Tue, 19 August 2014 10:46 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/VaDG1-h_qIKXdiMCs6ZqqFdQOD8

2014-08-18 20:02 GMT+02:00 Michael StJohns <mstjohns@comcast.net>:

> At 04:55 AM 8/18/2014, Johannes Merkle wrote:
>
> >> For PKIX at least for signatures you need:
> >>
> >> 1) An ASN1 public key representation (and the appropriate OID).  Since
> >> there's only one DJB curve (?is that correct or are two needed for
> >> signature and ecdh?), you could get away with just a new OID for
> >> AlgorithmIdentifier.algorithm.
> >> 2) The format of the bitstring that represents a signature
> >> 3) One or more signature algorithms (e.g. SHA256withX,
> >> SomeOtherHashWithX, etc) and their OIDs.
> >>
> >
> >I disagree with 2) though: In all Schnorr-like signatures, the signature
> >consists of two integers, not (EC) group elements. Thus, the EC point
> >semantic has no influence on the signature encoding. It only has impact
> >on the signature generation and verification algorithms (e.g. defined in
> >ANSI X9.62 and FIPS 186-4), but these are out of the scope of PKIX.
>
>
> Sort of.  The representation for PKIX EC signatures using
> X9.63/FIPS186-3/SECG1 is
>
> BIT STRING encapsulating {
>     SEQUENCE {
>         INTEGER r,
>         INTEGER s
>     }
> }
>
>  - I assume that's what you mean for Schnorr signatures?
>
> In DJB's ED25519, the signature is actually a single integer, and tucked
> away in his paper is the notation that the representation of that integer
> is little endian.
>

Even in Ed25519 the signature consists of two 256-bit integers. Little/big
endian representation doesn't matter here.
R is a compressed version of a point (concatenation of y and lsb of x).
S is the standard S.

-- 
Erwann.
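
The layout described in the reply above, as an added example that is not part of the original message: a 64-byte Ed25519 signature is split into R (32 bytes, y plus the least significant bit of x) and S (32 bytes), using the standard Ed25519 parameters. The function names and `SAMPLE_SIG` are this example's own, and `SAMPLE_SIG` is a constructed byte string that only exercises the parser; it is not a valid signature over any message.

```python
# Added illustration: parse the raw 64-byte Ed25519 signature R || S.
P = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # order of the base point
D = (-121665 * pow(121666, P - 2, P)) % P              # Edwards curve constant d

def decode_point(enc: bytes):
    """Decompress 32 bytes: 255 bits of y (little-endian) plus the lsb of x."""
    if len(enc) != 32:
        raise ValueError("point encoding must be 32 bytes")
    n = int.from_bytes(enc, "little")
    y, x_lsb = n & ((1 << 255) - 1), n >> 255
    if y >= P:
        raise ValueError("non-canonical y coordinate")
    # Curve: -x^2 + y^2 = 1 + d*x^2*y^2  =>  x^2 = (y^2 - 1) / (d*y^2 + 1)
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)                       # candidate square root
    if (x * x - x2) % P != 0:
        x = x * pow(2, (P - 1) // 4, P) % P            # multiply by sqrt(-1)
    if (x * x - x2) % P != 0:
        raise ValueError("y is not the coordinate of a curve point")
    if x == 0 and x_lsb:
        raise ValueError("sign bit set for x = 0")
    if x & 1 != x_lsb:
        x = P - x                                      # pick the root with the stored lsb
    return x, y

def split_signature(sig: bytes):
    """Return ((x, y) of R, S) for a 64-byte signature, rejecting S >= L."""
    if len(sig) != 64:
        raise ValueError("Ed25519 signature must be 64 bytes")
    r_point = decode_point(sig[:32])
    s = int.from_bytes(sig[32:], "little")
    if s >= L:
        raise ValueError("S is not reduced modulo the group order")
    return r_point, s

# Constructed sample: R is the encoding of the base point, S is an arbitrary small scalar.
BASE_POINT_ENC = bytes.fromhex("58" + "66" * 31)
SAMPLE_SIG = BASE_POINT_ENC + (12345).to_bytes(32, "little")

if __name__ == "__main__":
    (x, y), s = split_signature(SAMPLE_SIG)
    print(f"R.x lsb={x & 1}  R.y={y:#x}  S={s}")
```

Unlike the `SEQUENCE { INTEGER r, INTEGER s }` form quoted earlier in the thread, both halves here are fixed-width and carry no ASN.1 framing, so a verifier has to enforce the length and range checks itself.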