[lsd0001] branch master updated: more explanations on EDKEY signatures
From: gnunet
Subject: [lsd0001] branch master updated: more explanations on EDKEY signatures
Date: Tue, 04 May 2021 11:34:08 +0200
This is an automated email from the git hooks/post-receive script.
martin-schanzenbach pushed a commit to branch master
in repository lsd0001.
The following commit(s) were added to refs/heads/master by this push:
new c13c8a7 more explanations on EDKEY signatures
c13c8a7 is described below
commit c13c8a7a8edb0220a83d7151072e8a307e672e23
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
AuthorDate: Tue May 4 11:31:54 2021 +0200
more explanations on EDKEY signatures
---
draft-schanzen-gns.xml | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index 75e8260..6b759f1 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -722,14 +722,24 @@ zk' := h * zk
<t>
Signatures for EDKEY zones using the derived private key "a'"
are NOT compliant with <xref target="ed25519" />.
+ As the corresponding private key to the derived private scalar "a'"
+ is not known, it is not possible to deterministically derive the
+ signature part "R" according to <xref target="ed25519" />.
Instead, signatures MUST be generated as follows for any given
- message M and deterministic random-looking "r":
+ message M:
+ A nonce is calculated from the highest 32 octets of the
+ expansion of the private key "d" and the blinding factor "h".
+ The "nonce" is then hashed with the message "M" to "r".
+ This way, we include the full derivation path in the calculation
+ the "R" value of the signature, ensuring that it is never resused
+ for two different derivation paths or messages.
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
-sk := SHA512 (d)
-r := SHA512 (sk + 32, M)
+dh := SHA512 (d)
+nonce := SHA256 (dh[32..63] | h)
+r := SHA512 (nonce | M)
R := r * G
-S := r + SHA512(R, zk', M) * a' mod L
+S := r + SHA512(R | zk' | M) * a' mod L
]]></artwork>
<t>
A signature (R,S) is valid if the following holds:
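Review bot: In the added paragraph, the sentence containing "the calculation the "R" value of the signature, ensuring that it is never resused" is missing "of" after "calculation" and misspells "reused". The same paragraph follows a MUST but describes the nonce only as "the highest 32 octets of the expansion of the private key" combined with "h", without naming SHA512 for the expansion or SHA256 for the nonce and without giving the concatenation order, so the artwork (dh[32..63] | h, then nonce | M) is the only precise definition; consider naming the hash functions and the order in the prose, or stating that the artwork is normative. The artwork also switches from "," to "|" as the separator inside SHA512(...); if "|" is not already defined as concatenation elsewhere in the draft, define it here. Likewise, r is a 64-octet SHA512 output used directly in "R := r * G", so state how it is interpreted as a scalar if that is not specified elsewhere.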
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.