Re: [pkix] How to select the ASN.1 structure of EC-SDSA (Schnorr signature with ECC)?

Ernst G Giessmann <giessman@informatik.hu-berlin.de> Tue, 23 August 2022 10:19 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/YcYJsddCZH0xQSmjeGFzij6SQnk>

On 2022-08-22 at 22:27, Michael StJohns wrote:
> On 8/22/2022 3:04 PM, Ernst G Giessmann wrote:
>> Hi folks,
>> TLDR;
>> is anywhere in PKIX the ASN1 format of the EC based Schnorr digital
>> signature algorithm EC-SDSA
>> (aka https://oid-rep.orange-labs.fr/get/1.0.14888.3.0.13)
>> defined?
>>
> AFAICT, not explicitly, but the German version of the spec
> https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03111/BSI-TR-03111_V-2-1_pdf.pdf?__blob=publicationFile&v=1
> suggests that the r field of an ECSDSA signature is still an integer,
> converted from the R value using the OS2I primitive on formation, and
> the I2OS primitive for verification. That works for both the simple
> r||s and ASN1 encodings.
> 
> Mike

Mike,
thanks for the reference, but I'm not very sure that this is the right
approach. In contrast to EC-DSA the r field in EC-SDSA is clearly a
constant length hash value, and therefore the appropriate encoding seems
to be the constant length bit or octet string representation. An integer
encoding must ignore leading zero bits and has to consider the first bit
as a sign.

Other places where hash values show up in ASN1 are the KeyIdentifier in
X.509, the KeyHash in OCSP and the digest value encoding in PKCS#1 v1.5.
All are encoded as octet strings.

/Ernst

OT: In case of EC-FSDSA (full Schnorr) the r field is the elliptic curve
point P (aka pre-signature). Should it also be encoded as an integer? ;-).



>> This signature algo has the advantage that it provides the full
>> strength of the hash function used, regardless of the strength (bit
>> length) of the underlying curve.
>>
>> Just to recall, it is defined as follows:
>>
>> Input:
>>     base point G of an elliptic curve
>>     private key X (integer)
>>     public key [X]∙G (point on the curve)
>>     message to be signed M (octet string)
>>
>> Signing:
>> (FE2BS is the straight-forward field element to bit string conversion,
>> and BS2I the conversion of a base 2 representation to an integer)
>>     select a random integer K
>>     compute the pre-signature P = [K]∙G (point on the curve)
>>     witness R is computed as the hash of the x-coordinate PX of
>>       point P concatenated with the message M:
>>         R = h(FE2BS(PX) || M).
>>     the second part S of the signature (R,S) is computed as
>>         S = K + BS2I(R)X
>>
>> Verification:
>>     recompute the pre-signature
>>         P' = S∙G – BS2I(R)∙Y
>>     recompute the witness
>>         R' = h(FE2BS(P'X) || M)
>>     accept if R = R'
>>
>> In contrast to EC-DSA, where the elements R and S of the signature are
>> both integers, we got here the full length (no truncation as for
>> EC-DSA) hash value as a bit string R and an integer S.
>>
>> So I guess that the ASN.1 structure for EC-SDSA should be defined as
>>
>> ECSDSA-Sig-Value ::= SEQUENCE {
>>       r     BIT STRING,
>>       s     INTEGER }
>>
>> Is that correct?
>>
>> Thanks for any suggestions
>> /Ernst.
>>
>> _______________________________________________
>> pkix mailing list
>> pkix@ietf.org
>> https://www.ietf.org/mailman/listinfo/pkix
>
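
The encoding question discussed in this message, as an added example that is not part of the original thread: it DER-encodes the same witness r once as INTEGER (the OS2I reading) and once as BIT STRING (the proposed ECSDSA-Sig-Value), and shows that the INTEGER form changes length and only yields r back when the decoder already knows the hash length. The sample r and s values are constructed, and the function names are hypothetical.

```python
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_integer(v):
    # Minimal two's complement for v >= 0: leading zero octets vanish,
    # and a 0x00 octet is prepended when the top bit would read as a sign.
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def sig_integer(r, s):
    """SEQUENCE { r INTEGER, s INTEGER }, r converted with OS2I."""
    return tlv(0x30, der_integer(int.from_bytes(r, "big")) + der_integer(s))

def sig_bitstring(r, s):
    """SEQUENCE { r BIT STRING, s INTEGER }, zero unused bits."""
    return tlv(0x30, tlv(0x03, b"\x00" + r) + der_integer(s))

def read_r(der, hlen=None):
    """Return the octets of r from either form (r shorter than 128 octets)."""
    if der[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    i = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    tag, ln = der[i], der[i + 1]
    body = der[i + 2 : i + 2 + ln]
    if tag == 0x03:
        return body[1:]                  # drop the unused-bits octet
    if hlen is None:
        return body                      # raw INTEGER content, not r itself
    return int.from_bytes(body, "big").to_bytes(hlen, "big")  # I2OS

# Constructed 32-octet sample witnesses and a constructed s
R_ZERO = bytes.fromhex("0000" + "ab" * 30)   # leading zero octets
R_MID = bytes.fromhex("7f" + "22" * 31)      # top bit clear
R_HIGH = bytes.fromhex("ff" + "11" * 31)     # top bit set
S = 0x1234

def encoded_lengths(encoder):
    return [len(encoder(r, S)) for r in (R_ZERO, R_MID, R_HIGH)]
```
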