ECC change for SOS
Needs ReviewPublic

Authored by gniibe on Jun 5 2020, 5:48 AM.
This revision needs review, but there are no reviewers specified.

Details

Reviewers
None
Summary

For adding modern curve (X448 and Ed448), I'd like to introduce clarification of OpenPGP specification where replacing MPI to SOS for ECC.
Currently, key, signature, and encrypted packet is defined as MPI, but content is not always an integer.
So, new term "SOS" (strange octet string) will be hopefully introduced here.

SOS is compatible to MPI in OpenPGP packet format. That is, two network-order octets which gives information of NBITS, then octets.
While MPI has a semantics of big endian integer, SOS is not. To be compatible to MPI, NBITS are calculated by examining the first octet of octets.

This patch is the change for SOS for GnuPG g10 part. It requires libgcrypt 1.9. Needed change for gpg-agent is already in master.

Test Plan

At least, make check.
Possibly, adding more tests.

Diff Detail

Repository
rG GnuPG
Lint
Lint Skipped
Unit
Unit Tests Skipped
gniibe created this revision.Jun 5 2020, 5:48 AM
werner added a subscriber: werner.Jun 5 2020, 2:59 PM

What parts of Libgcrypt 1.9 are needed? Can we consider to backport them?

gniibe added a comment.Jun 8 2020, 4:31 AM

I think that the changes for ECC I've done matters:
o rC050e0b4accfa: pubkey: Support a method to get data as an opaque MPI.
o rC05a7d2f262bc: ecc: Support an opaque MPI handling in mpi_from_keyparam.
rC3d5a05767b84: ecc: Fix handling of point representation in EdDSA.
o rC8fce1027c253: ecc: Return an opaque MPI by _gcry_ecc_ec2os.
rC35c1faaea2b0: ecc: String constant fix.
rCad8927f40169: ecc: Simplify _gcry_ecc_compute_public.
o rCc5a7191c1bd1: ecc: Use opaque MPI for _gcry_ecc_mul_point.
rCbbe15758c893: ecc: Fix _gcry_ecc_mont_decodepoint for data by old implementation.
rC27e848666b4a: ecc: ECDH clean up for use of ec->nbits.
rC82441bbb8290: ecc: Fix key generation for ECDH.
rC6d93812aa312: ecc: Fix debug output.
rC6a30a9a2cc48: ecc: Simplify using mpi_ec_t directly.
rC975de3879691: ecc: Fix for NBITS support.
rCe921ad5b3ad0: ecc: Add NAME member to struct mpi_ec_ctx_s.
rC488704be6e04: ecc: Add key generation support to mpi_ec_get_elliptic_curve.
rC5415bc578080: ecc: Consolidate with _gcry_mpi_ec_internal_new.
rCc2aa333dd88b: ecc: Support flags and debug print in _gcry_mpi_ec_internal_new.
rCc7b97ac9bdf9: ecc: Add new function _gcry_mpi_ec_internal_new.
rC10b8cc280a53: ecc: Simplify ecc_encrypt_raw and ecc_decrypt_raw.
rC61a051828253: ecc: More fixes for cofactor with PUBKEY_FLAG_PARAM.
rCa258ae728de6: ecc: Simply use unsigned int for cofactor, not MPI.
rC579d5d6017d6: ecc: Simplify compute_keygrip.
rC95cc9b8f4483: ecc: Clean up key generation code.
o rCff0f1782560e: ecc: Handle ephemeral key as opaque octets.
rC80cf289905ac: ecc: Consolidate encoding a point for Montgomery curve.
rCba0b31f26366: ecc: More clean-up for Ed25519 and Curve25519.
rCd66a4856eb0c: ecc: Fix hard-coded value for 25519 to allow other modern curves.

In the list above, the changes marked by "o" are important for this patch, it uses opaque MPI for computation.
Backporting those "o" changes to 1.8 would be possible, but I'm not sure if it's worth to do that.

GnuPG master already requires libgcrypt 1.9 for gpg-pair-tool.

I am not sure, as of today, if this patch works well with libgcrypt 1.8. Let me check and confirm.

gniibe added a comment.Jun 8 2020, 4:43 AM

I was wrong. This patch itself doesn't require libgcrypt 1.9. It works with libgcrypt 1.8 well.

Pushed the patch to master.