gnunet-svn

[lsd0001] branch master updated: edkey updates


From: gnunet
Subject: [lsd0001] branch master updated: edkey updates
Date: Sat, 01 May 2021 22:56:21 +0200

This is an automated email from the git hooks/post-receive script.

martin-schanzenbach pushed a commit to branch master
in repository lsd0001.

The following commit(s) were added to refs/heads/master by this push:
     new 628ea7b  edkey updates
628ea7b is described below

commit 628ea7b275bbfcb6879fd66caa6050a8ed14d97c
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
AuthorDate: Sat May 1 22:54:09 2021 +0200

    edkey updates
---
 draft-schanzen-gns.xml | 41 ++++++++++++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 11 deletions(-)

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index 4dd6e52..e1cbe6a 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -522,7 +522,8 @@ zk' := h mod L * zk
          "PRK_h" is key material retrieved using an HKDF using the string
          "key-derivation" as salt and the public zone key "zk" as initial
          keying material.
-         "h" is the 512-bit HKDF expansion result. The expansion info input is
+         "h" is the 512-bit HKDF expansion result and must be interpreted in
+         network byte order. The expansion info input is
          a concatenation of the label and string "gns".
          "label" is a UTF-8 string under which the resource records are
          published.
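
Review bot: The added sentence says "h" must be interpreted in network byte order but does not say as what. Since the derivation in this section computes `h mod L`, state explicitly that the 64 HKDF output bytes are read as an unsigned 512-bit big-endian integer before the reduction. A short remark that this differs from the little-endian scalar encoding implementers know from Ed25519 would also help, because that is where two implementations are most likely to diverge silently.
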
@@ -679,6 +680,9 @@ h[31] &= 7
 a1 := a / 8 /* 8 is the cofactor of Curve25519 */
 a2 := h * a1 mod L
 a' = a2 * 8 /* 8 is the cofactor of Curve25519 */
+a'[0] &= 248;
+a'[31] &= 127;
+a'[31] |= 64;
            ]]></artwork>
          <t>
            Equally, given a label, the output of the HDKD-Public function is
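
Review bot: The three added lines clamp a' after it has been computed, and `a'[31] |= 64` changes the value of the scalar whenever that bit was clear, so the clamped a' is no longer guaranteed to be the value produced by `a' = a2 * 8` on the line above. In that case a' * G can differ from the zk' returned by HDKD-Public, which the verification equation later in this section relies on. Either drop the post-clamp or state that it only affects a stored form and say which value Sign uses. The byte indices also need a stated byte order (a'[0] as the least significant byte?), given that "h" is now specified in network byte order, and the trailing semicolons do not match the other lines of this artwork.
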
@@ -706,7 +710,8 @@ zk' := h * zk
            keying material.
            "h" is the 512-bit HKDF expansion result. The expansion info input 
is
            a concatenation of the label and string "gns".
-           The result of the HKDF must be clamped.
+           The result of the HKDF must be clamped and interpreted in network
+           byte order.
            "a" is the 256-bit integer corresponding to the 256-bit private zone
            key "d".
            "label" is a UTF-8 string under which the resource records are
@@ -724,6 +729,8 @@ zk' := h * zk
            message M and deterministic random-looking "r":
          </t>
          <artwork name="" type="" align="left" alt=""><![CDATA[
+sk := SHA512 (d)
+r := SHA512 (sk + 32, M)
 R := r * G
 S := r + SHA512(R, zk', M) * a' mod L
            ]]></artwork>
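
Review bot: `sk + 32` in the added line `r := SHA512 (sk + 32, M)` is C pointer arithmetic, which the pseudocode does not define, so a reader could take it as integer addition. Write it as the upper 32 bytes of sk, for example `r := SHA512 (sk[32..63], M)`, and say in the text that this is the second half of SHA512(d). Since r is a 512-bit hash output, it would also help to state whether it is reduced mod L before `R := r * G`.
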
@@ -731,19 +738,19 @@ S := r + SHA512(R, zk', M) * a' mod L
            A signature (R,S) is valid if the following holds:
          </t>
          <artwork name="" type="" align="left" alt=""><![CDATA[
-SB == R + SHA512(R, zk', M) * A'
+S * G == R + SHA512(R, zk', M) * zk'
            ]]></artwork>
          <t>
-           The S-Encrypt() and S-Decrypt() functions use ChaCha20
-           as defined in <xref target="RFC7539" />
-           (ChaCha20-Poly1305):
+           The S-Encrypt() and S-Decrypt() functions use XSalsa20
+           as defined in <xref target="XSalsa20" />
+           (XSalsa20-Poly1305):
          </t>
          <artwork name="" type="" align="left" alt=""><![CDATA[
-RDATA := ChaCha20(K, IV, BDATA)
-BDATA := ChaCha20(K, IV, RDATA) = CIPHERTEXT | TAG
+RDATA := XSalsa20(K, IV, BDATA)
+BDATA := XSalsa20(K, IV, RDATA) = CIPHERTEXT | TAG
            ]]></artwork>
          <t>
-           The result of the ChaCha20 encryption function is the encrypted
+           The result of the XSalsa20 encryption function is the encrypted
            ciphertext concatenated with the 128-bit authentication
            tag "TAG".
            Accordingly, the length of BDATA equals the length of the
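
Review bot: The artwork now calls `XSalsa20(K, IV, ...)` while the stated output is `CIPHERTEXT | TAG`, so the function shown is the bare stream cipher but the result is that of the authenticated construction named in the prose. Name the AEAD (XSalsa20-Poly1305) in the artwork as well. The parameter is still called IV although the wire format defines NONCE and EXPIRATION; say how the 192-bit XSalsa20 nonce is built from them. Separately, the new check `S * G == R + SHA512(R, zk', M) * zk'` only holds if a' * G == zk', which is worth stating next to it.
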
@@ -785,11 +792,12 @@ NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
 0     8     16    24    32
 +-----+-----+-----+-----+
 |         NONCE         |
+|                       |
+|                       |
+|                       |
 +-----+-----+-----+-----+
 |       EXPIRATION      |
 |                       |
-+-----+-----+-----+-----+
-|      BLOCK COUNTER    |
 +-----+-----+-----+-----+
            ]]></artwork>
        </figure>
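
Review bot: The figure now gives NONCE four 32-bit rows (128 bits), but the derivation shown in this hunk's context is still `NONCE := HKDF-Expand (PRK_n, label, 32 / 8)`, which yields 4 bytes, and this commit does not touch that line. Update the length to 128 / 8 so the derivation matches the layout. With BLOCK COUNTER removed, the text should also say that NONCE followed by EXPIRATION forms the 192-bit XSalsa20 nonce, if that is the intent.
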
@@ -2365,6 +2373,17 @@ cae1789d
          </front>
        </reference>
 
+       <reference anchor="XSalsa20" 
target="https://cr.yp.to/snuffle/xsalsa-20110204.pdf";>
+         <front>
+           <title>Extending the Salsa20 nonce</title>
+          <author initials="D." surname="Bernstein" fullname="Daniel 
Bernstein">
+            <organization>University of Illinois at Chicago</organization>
+          </author>
+           <date year="2011"/>
+         </front>
+       </reference>
+
+
       <reference anchor="ed25519" 
target="http://link.springer.com/chapter/10.1007/978-3-642-23951-9_9";>
          <front>
            <title>High-Speed High-Security Signatures</title>
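
Review bot: The new XSalsa20 reference entry indents `<author>` and `</author>` one column less than `<title>` and `<date>`, and adds two blank lines after `</reference>` where the preceding entry is followed by one. Align the indentation with the neighbouring entries and drop the extra blank line.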

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


