Re: [openpgp] EdDSA/Ed25519 I-D for OpenPGP

2014-08-20 17:24:51
On Tue, Aug 19, 2014 at 4:04 PM, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:
I just submitted an I-D for use of Ed25519 in OpenPGP:

This is terrific!

2.  Supported Curves

   Other curves may be used by using a specific OID for the curve and
   its EdDSA parameters.

See infra. You should list EdDSA parameters that need to be encoded
into the OID.

3.  Point Format

Are MPIs -- and the 0x40 prefix -- necessary? The curve OID already
determines the length of the octet string.

Similarly for encoding the signature; it poses significant
interoperability concerns to deviate from the existing encoding used
by Ed25519 implementations.

   Although that algorithm allows arbitrary data as input, its use with
   OpenPGP requires that a digest of the message is used as input.  See
   section 5.2.4 of [RFC4880], "Computing Signatures" for details.
   Truncation of the resulting digest is never applied; the resulting
   digest value is used verbatim as input to the EdDSA algorithm.

This is confusing. EdDSA is defined to operate on messages of
arbitrary length; hashing the message is part of the EdDSA algorithm.

To quote:

  EdDSA has seven parameters:
    - an integer _b_ ≥ 10;
    - a cryptographic hash function _H_ producing **2b-bit output**;
    - a prime power _q_ congruent to 1 modulo 4;
    - a (_b_−1)-bit encoding of elements of the finite field _Fq_;
    - a non-square element _d_ of _Fq_;
    - a prime _L_ between 2^_b_−4 and 2^_b_−3 satisfying an extra
      constraint [. . .];
    - [and a point _B_]

Ed25519-SHA2-512 is widely implemented. No other hash functions
currently specified for use with OpenPGP provide long enough output to
be used with Curve25519.

10.  Normative References

   [ED25519]  Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B.
              Yang, "High-speed high-security signatures", Journal of
              Cryptographic Engineering Volume 2, Issue 2, pp. 77-89,
              September 2011,
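
Added example, not part of the original message or of the draft: a sketch of the MPI framing questioned under "3. Point Format", showing that a bare RFC 4880 MPI drops leading zero octets, so a fixed-length value needs either the 0x40 prefix or re-padding on decode. The helper names and sample octets are constructed, and it is an assumption here that signature halves travel as plain MPIs without a prefix.

```python
# Illustrative helpers; names and sample data are constructed for this example.

def mpi_encode(value: bytes) -> bytes:
    """RFC 4880 sec. 3.2 MPI: 2-octet big-endian bit count, then the
    magnitude with leading zero octets stripped."""
    stripped = value.lstrip(b"\x00")
    bits = (len(stripped) - 1) * 8 + stripped[0].bit_length() if stripped else 0
    return bits.to_bytes(2, "big") + stripped


def mpi_decode(buf: bytes) -> bytes:
    """Return the magnitude octets of the MPI at the start of buf."""
    bits = int.from_bytes(buf[:2], "big")
    length = (bits + 7) // 8
    body = buf[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated MPI")
    return body


def point_to_mpi(native: bytes) -> bytes:
    """Wrap a 32-octet native point as 0x40 || native inside an MPI."""
    if len(native) != 32:
        raise ValueError("Ed25519 points are 32 octets")
    return mpi_encode(b"\x40" + native)


def point_from_mpi(buf: bytes) -> bytes:
    """Strict decode: exactly 0x40 followed by 32 octets, else reject."""
    body = mpi_decode(buf)
    if len(body) != 33 or body[0] != 0x40:
        raise ValueError("expected 0x40 prefix and 32 octets")
    return body[1:]


def fixed_from_mpi(buf: bytes, size: int = 32) -> bytes:
    """Unprefixed values (assumed: signature halves) lose leading zeros in
    transit; left-pad back to the width an Ed25519 library expects."""
    body = mpi_decode(buf)
    if len(body) > size:
        raise ValueError("value too large")
    return body.rjust(size, b"\x00")


# Constructed sample: a 32-octet string whose first octet is zero.
SAMPLE = bytes([0x00, 0x1F]) + bytes(range(2, 32))
```

With the prefix the framing costs three octets (35 instead of 32) and the length is still fixed by the curve; without it, a decoder that skips the re-padding step hands a 31-octet value to the Ed25519 code.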
