[lsd0001] branch master updated: crypto normative references
From: gnunet
Subject: [lsd0001] branch master updated: crypto normative references
Date: Fri, 04 Feb 2022 21:16:37 +0100
This is an automated email from the git hooks/post-receive script.
martin-schanzenbach pushed a commit to branch master
in repository lsd0001.
The following commit(s) were added to refs/heads/master by this push:
new d829c78 crypto normative references
d829c78 is described below
commit d829c781e9de82774375956af7c82f266fb22850
Author: Martin Schanzenbach <schanzen@gnunet.org>
AuthorDate: Fri Feb 4 21:16:33 2022 +0100
crypto normative references
---
draft-schanzen-gns.xml | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index c79feb7..e78e264 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -1110,7 +1110,8 @@ S-Decrypt(zk,label,expiration,ciphertext):
For EDKEY zones the zone key material is derived using the
curve parameters of the twisted edwards representation
of Curve25519 <xref target="RFC7748" /> (a.k.a. Ed25519)
- with the Ed25519-SHA-512 scheme <xref target="ed25519" />.
+ with the Ed25519 scheme <xref target="ed25519" /> as specified in
+ <xref target="RFC8032" />.
Consequently, we use the following naming convention for our
cryptographic primitives for EDKEY zones:
</t>
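Review bot: The rewritten sentence now carries two citations for the same scheme, `<xref target="ed25519" />` and `<xref target="RFC8032" />`, while every later hunk replaces `ed25519` with `RFC8032` outright. State which of the two is normative, or drop the `ed25519` xref here as well so the sentence reads "with the Ed25519 scheme as specified in RFC8032". The unchanged line just above still attributes the twisted Edwards representation to RFC7748, whereas the next hunk moves p, G and L to RFC8032; the curve citation should be aligned with that choice.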
@@ -1123,28 +1124,28 @@ S-Decrypt(zk,label,expiration,ciphertext):
<dt>a</dt>
<dd>
is is an integer derived from d using the SHA-512 hash function
- as defined in <xref target="ed25519" />.
+ as defined in <xref target="RFC8032" />.
</dd>
<dt>zk</dt>
<dd>
is the EdDSA public key corresponding to d. It is defined
as the curve point a*G where G is the
group generator of the elliptic curve
- as defined in <xref target="ed25519" />.
+ as defined in <xref target="RFC8032" />.
</dd>
<dt>p</dt>
<dd>
- is the prime of edwards25519 as defined in <xref target="RFC7748"
/>, i.e.
+ is the prime of edwards25519 as defined in <xref target="RFC8032"
/>, i.e.
2^255 - 19.
</dd>
<dt>G</dt>
<dd>
is the group generator (X(P),Y(P)) of edwards25519 as defined in
- <xref target="RFC7748" />.
+ <xref target="RFC8032" />.
</dd>
<dt>L</dt>
<dd>
- is the order of the prime-order subgroup of edwards25519 in <xref
target="RFC7748" />.
+ is the order of the prime-order subgroup of edwards25519 in <xref
target="RFC8032" />.
</dd>
<dt>KeyGen()</dt>
<dd>
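Review bot: The definition of `a` still begins "is is an integer" in the unchanged context line, and since this hunk touches the very next line it is the right place to fix the duplicated word. The new `RFC8032` xrefs for a, zk, p, G and L also give no section number, while the KeyGen() entry in the following hunk cites "Section 5.1.5"; for a normative reference, add the section to each of these entries so an implementer can find the exact definition of the prime, the generator and the subgroup order.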
@@ -1153,7 +1154,7 @@ S-Decrypt(zk,label,expiration,ciphertext):
group generator of the elliptic curve and a is an integer
derived from d using the SHA-512 hash function
as defined
- in Section 3.2. of <xref target="RFC8032" /> represents the
KeyGen()
+ in Section 5.1.5 of <xref target="RFC8032" /> represents the
KeyGen()
function.
</dd>
</dl>
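Review bot: The change from "Section 3.2." to "Section 5.1.5" is a correction of the cited section, not just a swap of reference targets, and the commit message "crypto normative references" does not mention it; a line in the message would help anyone auditing why the pointer moved. The KeyGen() entry also restates that a is "derived from d using the SHA-512 hash function", which duplicates the `a` entry above with a different level of citation detail; consider citing the section once in the `a` entry and having KeyGen() refer back to it.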
@@ -1164,11 +1165,14 @@ S-Decrypt(zk,label,expiration,ciphertext):
</t>
<t>
The "EDKEY" ZKDF instantiation is based on <xref target="Tor224"/>.
+ For brevity, instead of using d as a parameter to the derivation,
+ we define the ZKDF-Private() procedure on the derived integer a.
+ The calculation of a Ed25519 is defined in <xref target="RFC8032"
/>.
Given a label, the output of the ZKDF-Private function for zone
key blinding is calculated as follows for EDKEY zones:
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
-ZKDF-Private(d,label):
+ZKDF-Private(a,label):
zk := a * G
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
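Review bot: The added sentence "The calculation of a Ed25519 is defined in RFC8032" is missing a word and does not parse; it presumably should read "The calculation of a in Ed25519" or similar, ideally with the same section number the KeyGen() entry uses. The signature change from `ZKDF-Private(d,label)` to `ZKDF-Private(a,label)` also alters the procedure's interface, and this diff shows no other call site or generic ZKDF-Private definition being updated, while the later context still speaks of `Sign(d,message)`. Please check that every other mention of ZKDF-Private in the draft takes the same parameter, so that implementers are not left unsure whether the seed d or the derived scalar a is the input.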
@@ -1223,14 +1227,14 @@ ZKDF-Public(zk,label):
</t>
<t>
The Sign(d,message) and Verify(zk,message,signature) procedures MUST
- be implemented as defined in <xref target="ed25519" />.
+ be implemented as defined in <xref target="RFC8032" />.
</t>
<t>
Signatures for EDKEY zones using the derived private key a'
- are not compliant with <xref target="ed25519" />.
+ are not compliant with <xref target="RFC8032" />.
As the corresponding private key to the derived private scalar a'
is not known, it is not possible to deterministically derive the
- signature part R according to <xref target="ed25519" />.
+ signature part R according to <xref target="RFC8032" />.
Instead, signatures MUST be generated as follows for any given
message and private zone key:
A nonce is calculated from the highest 32 bytes of the
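Review bot: With `RFC8032` now the cited reference, the first paragraph's "Sign(d,message) and Verify(zk,message,signature) procedures MUST be implemented as defined in RFC8032" sits directly above a paragraph stating that signatures made with the derived key a' "are not compliant with RFC8032". Scope the MUST explicitly to signing with the non-derived key d, and say in the second paragraph which parts of RFC8032 still apply to derived-key signatures (verification, encoding), so the two requirements cannot be read as contradictory. Since this hunk removes the remaining `ed25519` xrefs in this section, also confirm whether the `ed25519` reference entry is still needed in the references list beyond the one citation kept in the first hunk.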
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.