NIIBE Yutaka
2017-02-14 11:30:19 UTC
Hello,
But, I'm not sure the fixes in the patch are good enough.
Well, Simon's is now RFC8032:
https://datatracker.ietf.org/doc/rfc8032/
Here are my comments for the fixes.
8032, Section 3.1 "Encoding" explains about ENC(), the little-endian
encoding, and Section 3.2 "Keys" says:
The EdDSA public key is ENC(A).
... where A is an EC point.
We put the prefix 0x40 to ENC(A), it is not entirely same of
the notation of Section 3.2 "Keys".
Sorry, as I am not good in English, I don't have my own proposal.
which generates the scalar.
In my opinion, "MPI of an integer representing the secret key" is not
wrong.
--
The current text describing the EdDSA secret key packet format is
wrong (it is not used as a scalar at all), and the text describing the
public key packet format is confusing (can't find the notation Q
anywhere, and it matches neither the EdDSA papers nor the CFRG EdDSA
draft).
I agree these points.wrong (it is not used as a scalar at all), and the text describing the
public key packet format is confusing (can't find the notation Q
anywhere, and it matches neither the EdDSA papers nor the CFRG EdDSA
draft).
But, I'm not sure the fixes in the patch are good enough.
Date: Wed, 11 Jan 2017 14:21:13 +0000
Subject: [PATCH] Fix EdDSA secret key packet format with reference to CFRG
notation.
What is stored is *not* a scalar; it is a b-bit secret input to a
2b-bit hash function that expands it into
(a) the b-bit secret scalar a, giving the public key A = a B, where B
is the standard base point; and
(b) the b-bit nonce PRF key.
While here, clarify EdDSA public key packet format with reference to
CFRG notation too.
I agree these are correct and reference to CFRG notation is good.Subject: [PATCH] Fix EdDSA secret key packet format with reference to CFRG
notation.
What is stored is *not* a scalar; it is a b-bit secret input to a
2b-bit hash function that expands it into
(a) the b-bit secret scalar a, giving the public key A = a B, where B
is the standard base point; and
(b) the b-bit nonce PRF key.
While here, clarify EdDSA public key packet format with reference to
CFRG notation too.
Well, Simon's is now RFC8032:
https://datatracker.ietf.org/doc/rfc8032/
Here are my comments for the fixes.
diff --git a/middle.mkd b/middle.mkd
index 5182c7d..905bde1 100644
--- a/middle.mkd
+++ b/middle.mkd
- the octets representing a curve OID, defined in
section NN{FIXME};
- - a MPI of an EC point representing a public key Q as described
- under EdDSA Point Format below.
+ - a MPI, encoded as described under EdDSA Point Format, of an EC
+ point A, in the notation of [](#I-D.irtf-cfrg-eddsa),
+ Section 3.2 "Keys".
I think that the expression "an EC point A" would not be good. In RFCindex 5182c7d..905bde1 100644
--- a/middle.mkd
+++ b/middle.mkd
- the octets representing a curve OID, defined in
section NN{FIXME};
- - a MPI of an EC point representing a public key Q as described
- under EdDSA Point Format below.
+ - a MPI, encoded as described under EdDSA Point Format, of an EC
+ point A, in the notation of [](#I-D.irtf-cfrg-eddsa),
+ Section 3.2 "Keys".
8032, Section 3.1 "Encoding" explains about ENC(), the little-endian
encoding, and Section 3.2 "Keys" says:
The EdDSA public key is ENC(A).
... where A is an EC point.
We put the prefix 0x40 to ENC(A), it is not entirely same of
the notation of Section 3.2 "Keys".
Sorry, as I am not good in English, I don't have my own proposal.
- - MPI of an integer representing the secret key, which is a
- scalar of the public EC point.
+ - an opaque octet string k, in the notation of
+ [](#I-D.irtf-cfrg-eddsa), Section 3.2 "Keys".
Right. It's not a scalar of the public EC point. It is the one- scalar of the public EC point.
+ - an opaque octet string k, in the notation of
+ [](#I-D.irtf-cfrg-eddsa), Section 3.2 "Keys".
which generates the scalar.
In my opinion, "MPI of an integer representing the secret key" is not
wrong.
--