
Re: [openpgp] Catch 22 in ECC support of OpenPGP?

2014-01-31 06:56:33
On Fri, 31 Jan 2014 11:04, jon(_at_)callas(_dot_)org said:

> If you look at <http://www.oid-info.com/faq.htm>, particularly question 10,
> there are easy ways to get one. There are suggestions that include how to get
> an OID from IANA, and also how to use a UUID as an OID.

Sure.  We already use one from the GNU arc in Libgcrypt:

  1.3.6.1.4.1.11591.15 ellipticCurve
    1.3.6.1.4.1.11591.15.1 Ed25519

This is a different OID than Peter Gutmann's for Curve25519.

> As you've noted, in RFC 6637, Andrey codes an EC point into an MPI,
> which I think is clever, and works fine. Why not just do it?

I explained it below.  RFC-6637 requires the use of SEC encoding which
is nice because you will never have the problems with leading zeroes.
However, EdDSA uses a different compression format without any
identifier (which makes up nice 32 bytes).  A leading zero may however
happen.  RFC-4880 does not allow that and thus one would need to check
whether to left pad a read MPI before using it with Ed25519 code.  As I
said, not a real problem but it would be possible to save 2 lines of
code if we could use a raw octet string.

> I'd say just do something that will work. Get an OID, we agree on an
> algorithm ID, and then Bob's your uncle and Alice is your auntie.

An OID is given above.

   The following public key algorithm ID is added to expand Section
   9.1 of [RFC4880], "Public-Key Algorithms":

          ID        Description of Algorithm
          --        --------------------------
          22        EdDSA signature algorithm [EdDSA]

   [EdDSA] 23pp. (PDF) Daniel J. Bernstein, Niels Duif, Tanja Lange,
   Peter Schwabe, Bo-Yin Yang. High-speed high-security
   signatures. Journal of Cryptographic Engineering 2 (2012),
   77–89. Document ID: a1a62a2f76d23f65d622484ddd09caf8. URL:
   http://cr.yp.to/papers.html#ed25519. Date: 2011.09.26.

I have not yet seen the specs for Curve41417 and thus I do not know
whether it also defines EdDSA for signatures.  EdDSA according to the
paper requires the use of SHA512 but it also tells that other hash
algorithms are possible.  Hopefully Watson Ladd's I-D can eventually be
used as a reference.



Salam-Shalom,

   Werner


> > p.s.
> > Shouldn't we continue this discussion at the IETF OpenPGP mailing list?
>
> You mean this isn't?

I forwarded the entire message text ;-)

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
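
The left-padding check discussed in the message above, as an added example that is not part of the original post and is not Libgcrypt or GnuPG code. The function names and the sample value are constructed for illustration, and the 32 octets are assumed to be placed in the MPI as an opaque big-endian number.

```python
"""RFC 4880 MPI framing versus a fixed 32-octet Ed25519 value (added example)."""
from typing import Tuple

ED25519_LEN = 32  # size of an Ed25519 compressed point in octets

# Constructed sample: a 32-octet value whose first octet happens to be zero.
SAMPLE = bytes.fromhex("00" + "1f" + "ab" * 30)


def mpi_encode(raw: bytes) -> bytes:
    """Encode octets as an RFC 4880 MPI: a 2-octet bit count followed by the
    value with leading zero octets removed (RFC 4880, section 3.2)."""
    value = raw.lstrip(b"\x00")
    bits = (len(value) - 1) * 8 + value[0].bit_length() if value else 0
    return bits.to_bytes(2, "big") + value


def mpi_decode(buf: bytes) -> Tuple[bytes, bytes]:
    """Return (value octets, remaining buffer); reject malformed MPIs."""
    if len(buf) < 2:
        raise ValueError("truncated MPI header")
    bits = int.from_bytes(buf[:2], "big")
    nbytes = (bits + 7) // 8
    value, rest = buf[2:2 + nbytes], buf[2 + nbytes:]
    if len(value) != nbytes:
        raise ValueError("truncated MPI body")
    # The bit count must start at the most significant set bit, so a
    # leading zero octet inside an MPI is a format violation.
    if nbytes and value[0].bit_length() != bits - (nbytes - 1) * 8:
        raise ValueError("bit count does not match first octet")
    return value, rest


def mpi_to_ed25519(buf: bytes) -> bytes:
    """Read an MPI and left-pad it back to the fixed 32 octets that
    Ed25519 code expects (the extra step a raw octet string would avoid)."""
    value, _ = mpi_decode(buf)
    if len(value) > ED25519_LEN:
        raise ValueError("value too long for Ed25519")
    return value.rjust(ED25519_LEN, b"\x00")


if __name__ == "__main__":
    wire = mpi_encode(SAMPLE)
    print(len(SAMPLE), "octets in,", len(wire) - 2, "octets in the MPI body")
    print("restored:", mpi_to_ed25519(wire) == SAMPLE)
```

Without the `rjust` step the decoder hands 31 octets to code that expects exactly 32.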
