OpenPGP card specification enhancement for ECDSA support

Andrey Jivsov openpgp at brainhub.org
Fri Mar 1 20:02:18 CET 2013 

Hi NIIBE.

Please consider using the compact representation of an ECC point: 
http://tools.ietf.org/html/draft-jivsov-ecc-compact with the OpenPGP card.

I plan to submit a relevant proposal to use the compact representation 
in OpenPGP.

The benefit of the compact representation is that you will have to 
transmit less than half of bytes of the point over in the host-to-card 
protocol.

For this compact representation of the ECC point to work one needs to 
slightly adjust the key generation. It's always possible to do so with 
the proposed method, even with any existing method that generates keys 
on the card (one uses "black box" approach in this case).

The ideal scenario is when the key generation is already generating 
compliant keys. Thus, I suggest to change the key generation on the card 
to always return the compliant keys.

IMO we should all generate compliant OpenPGP keys in the entire OpenPGP 
ecosystem (and beyond as well, as keys are sometimes migrated between 
PKI and OpenPGP). Well, at least compliant keys are within our reach at 
OpenPGP.

( I will say that it's unfortunate that RFC 6637 was specified to use 
SEC format 04 | x | y. The reason is that at the time I didn't know 
about all the benefits that a *single* format such as 
http://tools.ietf.org/html/draft-jivsov-ecc-compact would bring. I plan 
to remedy this with another draft. So, it's a heads up. Please consider 
not using the SEC format. )

Thank you.

On 02/28/2013 10:22 PM, NIIBE Yutaka wrote:
> Hello,
>
> This message is CC-ed to GnuPG-Devel List.
>
> I am currently extending GnuPG so that it will support OpenPGP card
> with ECDSA feature in future.
>
> So far, following two things are modifications to the current OpenPGP
> card specification.
>
> Could you please give me comments?
>
>
> (1) 4.3.3.6 Algorithm Attributes
>
> ECDSA:
>
> Byte  Length    Value
> 01    01        Algorithm ID  (RFC6637) 13 = ECDSA
> 02-   Variable  OID (RFC6637)
>                    2A 86 48 CE 3D 03 01 07   NIST curve P-256
>                    2B 81 04 00 22            NIST curve P-384
>                    2B 81 04 00 23            NIST curve P-521
>
> I think that use of OID here would be best, since OID is used to
> identify the curve in OpenPGP ECC (RFC 6637).
>
>
> (2) 7.2.11 GENERATE ASYMMETRIC KEY PAIR
>
> Set of public key data objects for ECDSA
>
> 	81 xx Public key
>
>                In the format of uncompressed point:
>
>                   04 || x || y
>
>                where x and y are coordinate of the point P = (x, y).
> 	      Big-endian, zero-padded.
>                (c.f. Section 6. Conversion Primitives in RFC 6637)
>
> I think that curve specification (For example, Generator, Order, etc.)
> is defined by OID in the Algorithm Attributes, it's enough to return
> the public key, EC point, and it's natural to use standard encoding
> of uncompressed point.
>

More information about the Gnupg-devel mailing list