ietf-openpgp

[openpgp] [PATCH] Fix signature packet description for EdDSA

2020-05-12 22:14:26
Hello,

Last year, I proposed a change introducing "Simply, Octet String"
(SOS), so that we can add modern ECC curves, whose native encoding is
(usually) little endian.

Then, I modified libgcrypt (master) to accommodate accordingly, and
am testing GnuPG with my branch:

    https://dev.gnupg.org/source/gnupg/history/gniibe%252Fsos/

Firstly, before the introduction of SOS, let me point out the problem
(again), with a possible fix.

An EdDSA signature has two fields: R and S.  R is an EC point, and S is an
integer.  An EC point can be expressed by its y coordinate and sign,
"compressed" (meaning omitting x coordinate).

In the native format of Ed25519 or Ed448, an EC point is encoded in
fixed size little endian, and an integer is also encoded in fixed size
little endian.

In OpenPGP, both fields are represented (ab)using MPI format, which
assumes big endian integer.  When composing MPI, a value is
re-interpreted, which is considered bad.  We have a real problem here,
because handling MPI mandates removing leading zeros.  For R, we use the
special prefix 0x40 to avoid removal of leading zeros.  For S, it is the
responsibility of implementations to recover removed zeros at the front.

And...  Here is the change of mine for the specification.

diff --git a/rfc4880bis.md b/rfc4880bis.md
index fbad178..710dd05 100644
--- a/rfc4880bis.md
+++ b/rfc4880bis.md
@@ -1263,13 +1263,13 @@ The body of a V4 or V5 Signature packet contains:
 
     Algorithm-Specific Fields for EdDSA signatures:
 
-      * MPI of EdDSA compressed value r.
+      * MPI of an EC point r.
 
-      * MPI of EdDSA compressed value s.
+      * EdDSA value s, in MPI, in the little endian representation.
 
-The compressed version of R and S for use with EdDSA is described in
-[](#RFC8032).  A version 3 signature MUST NOT be created
-and MUST NOT be used with EdDSA.
+The format of R and S for use with EdDSA is described in [](#RFC8032).
+A version 3 signature MUST NOT be created and MUST NOT be used with
+EdDSA.
 
 The concatenation of the data being signed and the signature data from
 the version number through the hashed subpacket data (inclusive) is
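
Review bot: The new s bullet ("EdDSA value s, in MPI, in the little endian representation") does not state how many octets the little-endian value has, nor that a reader must restore the leading zero octets that MPI encoding removes, so two implementations can still disagree on what is on the wire. Suggest stating the fixed length and the zero-restoring rule in that bullet. The r bullet ("MPI of an EC point r") could also name the section that defines the EC point format instead of relying on the RFC8032 reference in the paragraph below, and the bullets write r and s in lowercase while that paragraph uses R and S.
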
-- 
2.20.1


The first change is that: In EdDSA, R is an EC point (not an integer
like ECDSA).  The (compressed) format of an EC point in EdDSA is
described at another part in the document.

The second change is that: In EdDSA, S is an integer.  The expression
"compressed" is not relevant here.  It is little endian in the native
semantics, but is put in MPI.  Well, the description of mine here is
still too short and ambiguous, which needs to be fixed later.
-- 

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp

  • [openpgp] [PATCH] Fix signature packet description for EdDSA, NIIBE Yutaka <=
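
The MPI problem described in the message above, as an added Python example that is not part of the original post and is not GnuPG or libgcrypt code. It assumes Ed25519 (32-octet R and S); the function names and sample octets are constructed for illustration.

```python
# Added illustration; function names and sample octets are constructed.
SIZE = 32  # Ed25519: R and S are each 32 octets in the native encoding

def mpi_encode(octets: bytes) -> bytes:
    """OpenPGP MPI: 2-octet big-endian bit count, then the value without leading zeros."""
    value = octets.lstrip(b"\x00")
    bits = (len(value) - 1) * 8 + value[0].bit_length() if value else 0
    return bits.to_bytes(2, "big") + value

def mpi_decode(buf: bytes) -> bytes:
    """Return the value octets of one MPI, checking the declared bit count."""
    bits = int.from_bytes(buf[:2], "big")
    if len(buf) != 2 + (bits + 7) // 8:
        raise ValueError("MPI length does not match its bit count")
    return buf[2:]

def encode_r(point: bytes) -> bytes:
    # The 0x40 prefix is a non-zero first octet, so nothing in R gets stripped.
    return mpi_encode(b"\x40" + point)

def decode_r(mpi: bytes) -> bytes:
    value = mpi_decode(mpi)
    if len(value) != SIZE + 1 or value[0] != 0x40:
        raise ValueError("R must be 0x40 followed by a fixed-size point")
    return value[1:]

def encode_s(s_native: bytes) -> bytes:
    # No prefix: the little-endian octets are re-read as a big-endian MPI.
    return mpi_encode(s_native)

def decode_s(mpi: bytes) -> bytes:
    value = mpi_decode(mpi)
    if len(value) > SIZE:
        raise ValueError("S is longer than the fixed field size")
    return value.rjust(SIZE, b"\x00")  # restore the zeros MPI removed at the front

# Constructed sample values (not a real signature); both begin with zero octets.
R_NATIVE = b"\x00" + bytes(range(1, 32))
S_NATIVE = b"\x00\x00\x1f" + bytes(range(1, 29)) + b"\x0a"

if __name__ == "__main__":
    print("S value octets in MPI:", len(mpi_decode(encode_s(S_NATIVE))))
    print("S restored:", decode_s(encode_s(S_NATIVE)) == S_NATIVE)
    print("R round trip:", decode_r(encode_r(R_NATIVE)) == R_NATIVE)
```

A verifier that passes the MPI value of S to an Ed25519 routine without the padding step in `decode_s` hands it fewer than 32 octets whenever the native encoding starts with a zero octet.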