gnunet-svn

[lsd0001] branch master updated: more explanations on EDKEY signatures


From: gnunet
Subject: [lsd0001] branch master updated: more explanations on EDKEY signatures
Date: Tue, 04 May 2021 11:34:08 +0200

This is an automated email from the git hooks/post-receive script.

martin-schanzenbach pushed a commit to branch master
in repository lsd0001.

The following commit(s) were added to refs/heads/master by this push:
     new c13c8a7  more explanations on EDKEY signatures
c13c8a7 is described below

commit c13c8a7a8edb0220a83d7151072e8a307e672e23
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
AuthorDate: Tue May 4 11:31:54 2021 +0200

    more explanations on EDKEY signatures
---
 draft-schanzen-gns.xml | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index 75e8260..6b759f1 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -722,14 +722,24 @@ zk' := h * zk
          <t>
            Signatures for EDKEY zones using the derived private key "a'"
            are NOT compliant with <xref target="ed25519" />.
+           As the corresponding private key to the derived private scalar "a'"
+           is not known, it is not possible to deterministically derive the
+           signature part "R" according to <xref target="ed25519" />.
            Instead, signatures MUST be generated as follows for any given
-           message M and deterministic random-looking "r":
+           message M:
+           A nonce is calculated from the highest 32 octets of the
+           expansion of the private key "d" and the blinding factor "h".
+           The "nonce" is then hashed with the message "M" to "r".
+           This way, we include the full derivation path in the calculation
+           the "R" value of the signature, ensuring that it is never resused
+           for two different derivation paths or messages.
          </t>
          <artwork name="" type="" align="left" alt=""><![CDATA[
-sk := SHA512 (d)
-r := SHA512 (sk + 32, M)
+dh := SHA512 (d)
+nonce := SHA256 (dh[32..63] | h)
+r := SHA512 (nonce | M)
 R := r * G
-S := r + SHA512(R, zk', M) * a' mod L
+S := r + SHA512(R | zk' | M) * a' mod L
            ]]></artwork>
          <t>
            A signature (R,S) is valid if the following holds:
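Review bot: the new `r := SHA512 (nonce | M)` line leaves out the reduction modulo L that RFC 8032 applies to the 64-octet nonce hash before computing R, so implementations may disagree on how the 512-bit value is interpreted as a scalar; suggest writing `r := SHA512 (nonce | M) mod L` in the artwork (the `S` line already carries its `mod L`). In the new prose, "in the calculation the "R" value" is missing "of" and "resused" should be "reused"; it would also help to say explicitly that the blinding factor "h" in the nonce is what binds "R" to the derivation path, since that is the security property the paragraph is claiming.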

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


