gnunet-svn

[lsd0001] branch master updated: crypto normative references


From: gnunet
Subject: [lsd0001] branch master updated: crypto normative references
Date: Fri, 04 Feb 2022 21:16:37 +0100

This is an automated email from the git hooks/post-receive script.

martin-schanzenbach pushed a commit to branch master
in repository lsd0001.

The following commit(s) were added to refs/heads/master by this push:
     new d829c78  crypto normative references
d829c78 is described below

commit d829c781e9de82774375956af7c82f266fb22850
Author: Martin Schanzenbach <schanzen@gnunet.org>
AuthorDate: Fri Feb 4 21:16:33 2022 +0100

    crypto normative references
---
 draft-schanzen-gns.xml | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index c79feb7..e78e264 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -1110,7 +1110,8 @@ S-Decrypt(zk,label,expiration,ciphertext):
            For EDKEY zones the zone key material is derived using the
            curve parameters of the twisted edwards representation
            of Curve25519 <xref target="RFC7748" /> (a.k.a. Ed25519)
-           with the Ed25519-SHA-512 scheme <xref target="ed25519" />.
+           with the Ed25519 scheme <xref target="ed25519" /> as specified in
+           <xref target="RFC8032" />.
            Consequently, we use the following naming convention for our
            cryptographic primitives for EDKEY zones:
          </t>
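Review bot: the rewritten sentence in this hunk cites two sources for one scheme, `<xref target="ed25519" />` "as specified in" `<xref target="RFC8032" />`, while every other hunk in this commit replaces the ed25519 target with RFC8032 outright. Pick one as the defining reference here, or state which one governs if they differ. The unchanged line above also calls the curve "(a.k.a. Ed25519)" directly before "with the Ed25519 scheme", so one name is used for both the curve and the signature scheme; the definitions further down call the curve edwards25519, and using that name here would remove the ambiguity.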
@@ -1123,28 +1124,28 @@ S-Decrypt(zk,label,expiration,ciphertext):
            <dt>a</dt>
            <dd>
              is is an integer derived from d using the SHA-512 hash function
-             as defined in <xref target="ed25519" />.
+             as defined in <xref target="RFC8032" />.
            </dd>
            <dt>zk</dt>
            <dd>
              is the EdDSA public key corresponding to d. It is defined
              as the curve point a*G where G is the
              group generator of the elliptic curve
-             as defined in <xref target="ed25519" />.
+             as defined in <xref target="RFC8032" />.
            </dd>
            <dt>p</dt>
            <dd>
-             is the prime of edwards25519 as defined in <xref target="RFC7748" 
/>, i.e.
+             is the prime of edwards25519 as defined in <xref target="RFC8032" 
/>, i.e.
              2^255 - 19.
            </dd>
            <dt>G</dt>
            <dd>
              is the group generator (X(P),Y(P)) of edwards25519 as defined in
-            <xref target="RFC7748" />.
+              <xref target="RFC8032" />.
            </dd>
            <dt>L</dt>
            <dd>
-             is the order of the prime-order subgroup of edwards25519 in <xref 
target="RFC7748" />.
+             is the order of the prime-order subgroup of edwards25519 in <xref 
target="RFC8032" />.
            </dd>
            <dt>KeyGen()</dt>
            <dd>
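Review bot: the unchanged line "is is an integer derived from d" in the definition of a still carries a doubled word, and since the line after it is edited anyway it can be fixed in the same change. In the G entry the reference moves from RFC7748 to RFC8032 but the "(X(P),Y(P))" notation is kept; confirm that the new reference writes the generator that way, otherwise a reader following the link will not find the symbol. The new line in the G entry is also indented differently from the replaced one and from its neighbours.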
@@ -1153,7 +1154,7 @@ S-Decrypt(zk,label,expiration,ciphertext):
              group generator of the elliptic curve and a is an integer
              derived from d using the SHA-512 hash function
              as defined
-             in Section 3.2. of <xref target="RFC8032" /> represents the 
KeyGen()
+             in Section 5.1.5 of <xref target="RFC8032" /> represents the 
KeyGen()
              function.
             </dd>
          </dl>
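Review bot: this is the only place in the commit that names a section of RFC8032 (5.1.5), while the entries for a and zk in the list above describe the same derivation of a from d and cite RFC8032 with no section. Use the same section pointer in both places so there is a single unambiguous definition of a. The change from "Section 3.2." to "Section 5.1.5" is a content correction rather than a reference swap, which the commit message could mention.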
@@ -1164,11 +1165,14 @@ S-Decrypt(zk,label,expiration,ciphertext):
          </t>
          <t>
            The "EDKEY" ZKDF instantiation is based on <xref target="Tor224"/>.
+           For brevity, instead of using d as a parameter to the derivation,
+           we define the ZKDF-Private() procedure on the derived integer a.
+           The calculation of a Ed25519 is defined in <xref target="RFC8032" 
/>.
            Given a label, the output of the ZKDF-Private function for zone
            key blinding is calculated as follows for EDKEY zones:
          </t>
          <artwork name="" type="" align="left" alt=""><![CDATA[
-ZKDF-Private(d,label):
+ZKDF-Private(a,label):
   zk := a * G
   PRK_h := HKDF-Extract ("key-derivation", zk)
   h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
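Review bot: the added sentence "The calculation of a Ed25519 is defined in" RFC8032 is missing words and does not parse; something like "The calculation of a from d in Ed25519 is defined in ..." would read correctly. The parameter change to ZKDF-Private(a,label) also leaves the reader to work out where d is converted to a, since Sign(d,message) in the next hunk still takes d; state at this point that callers holding d first derive a as in KeyGen(), and check that every other use of ZKDF-Private in the draft passes a.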
@@ -1223,14 +1227,14 @@ ZKDF-Public(zk,label):
          </t>
          <t>
            The Sign(d,message) and Verify(zk,message,signature) procedures MUST
-           be implemented as defined in <xref target="ed25519" />.
+           be implemented as defined in <xref target="RFC8032" />.
          </t>
          <t>
            Signatures for EDKEY zones using the derived private key a'
-           are not compliant with <xref target="ed25519" />.
+           are not compliant with <xref target="RFC8032" />.
            As the corresponding private key to the derived private scalar a'
            is not known, it is not possible to deterministically derive the
-           signature part R according to <xref target="ed25519" />.
+           signature part R according to <xref target="RFC8032" />.
            Instead, signatures MUST be generated as follows for any given
            message and private zone key:
            A nonce is calculated from the highest 32 bytes of the
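Review bot: the MUST for Sign(d,message) and Verify(zk,message,signature) now rests on RFC8032, but no hunk in this commit touches the references section, so it is not visible here that RFC8032 is listed as a normative reference, which is what the commit message announces. Please confirm that, and decide whether target "ed25519" stays in the list now that only the first hunk still cites it. A section number for the signing and verification procedures, as given for KeyGen(), would make the requirement precise.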

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


