LSD0001: GNU Name System

commit 1a254bc48bb4a72399dcaea2f19967d27c1b3fe9
parent 9906f623a7bbfe260d6ebb8146dbb043e0cb9c13
Author: Schanzenbach, Martin <mschanzenbach@posteo.de>
Date:   Sun, 19 Apr 2020 11:57:27 +0200

text for new revocation mechanic

Diffstat:
M draft-schanzen-gns.xml | 270 +++++++++++++++++++++++++++++++++++++++++--------------------------------------
1 file changed, 140 insertions(+), 130 deletions(-)

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml 
@@ -1,19 +1,19 @@ <?xml version='1.0' encoding='utf-8'?> -<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent" [ -<!ENTITY RFC1034 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1034.xml"> -<!ENTITY RFC1035 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml"> -<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"> -<!ENTITY RFC2782 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2782.xml"> -<!ENTITY RFC3629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3629.xml"> -<!ENTITY RFC3826 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3826.xml"> -<!ENTITY RFC5869 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5869.xml"> -<!ENTITY RFC5890 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5890.xml"> -<!ENTITY RFC5891 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5891.xml"> -<!ENTITY RFC6895 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6895.xml"> -<!ENTITY RFC6979 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6979.xml"> -<!ENTITY RFC7748 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7748.xml"> -<!ENTITY RFC8032 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8032.xml"> -<!ENTITY RFC8126 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8126.xml"> +<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ +<!ENTITY RFC1034 PUBLIC '' "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml"> +<!ENTITY RFC1035 PUBLIC '' "http://xml2rfc.ietf.org/rfc/bibxml/reference.RFC.1035.xml"> +<!ENTITY RFC2119 PUBLIC '' "http://xml2rfc.ietf.org/rfc/bibxml/reference.RFC.2119.xml"> +<!ENTITY RFC2782 PUBLIC '' "http://xml2rfc.ietf.org/rfc/bibxml/reference.RFC.2782.xml"> +<!ENTITY RFC3629 PUBLIC '' "http://xml2rfc.ietf.org/rfc/bibxml/reference.RFC.3629.xml"> +<!ENTITY RFC3826 PUBLIC '' "http://xml2rfc.ietf.org/rfc/bibxml/reference.RFC.3826.xml"> +<!ENTITY RFC5869 
PUBLIC '' "http://xml2rfc.ietf.org/rfc/bibxml/reference.RFC.5869.xml"> +<!ENTITY RFC5890 PUBLIC '' "http://xml2rfc.ietf.org/rfc/bibxml/reference.RFC.5890.xml"> +<!ENTITY RFC5891 PUBLIC '' "http://xml2rfc.ietf.org/rfc/bibxml/reference.RFC.5891.xml"> +<!ENTITY RFC6895 PUBLIC '' "http://xml2rfc.ietf.org/rfc/bibxml/reference.RFC.6895.xml"> +<!ENTITY RFC6979 PUBLIC '' "http://xml2rfc.ietf.org/rfc/bibxml/reference.RFC.6979.xml"> +<!ENTITY RFC7748 PUBLIC '' "http://xml2rfc.ietf.org/rfc/bibxml/reference.RFC.7748.xml"> +<!ENTITY RFC8032 PUBLIC '' "http://xml2rfc.ietf.org/rfc/bibxml/reference.RFC.8032.xml"> +<!ENTITY RFC8126 PUBLIC '' "http://xml2rfc.ietf.org/rfc/bibxml/reference.RFC.8126.xml"> ]> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <?rfc strict="yes" ?> 
@@ -1138,25 +1138,31 @@ ahead of time to support timely revocation. </t> <t> - For all occurences below, "scrypt" is the scrypt Password-based Key - Derivation Function as defined in <xref target="RFC7914" /> with the - following parameters set: + For all occurences below, "Argon2d" is the Password-based Key + Derivation Function as defined in <xref target="Argon2" /> with the + following fixed parameters: </t> <artwork name="" type="" align="left" alt=""><![CDATA[ S := "gnunet-revocation-proof-of-work" /* Salt */ - N := 2 - r := 8 /* Block size */ - p := 2 /* Parallelization parameter */ + t := 3 /* Iterations */ + m := 1024 /* Memory size, 1 MiB */ + T := 64 /* Tag (=output) length in bytes */ + p := 1 /* Parallelization parameter */ + v := 0x13 /* Version */ + y := 0 /* Type (Argon2d) */ + X, K is unused ]]></artwork> <t> - The following the the basic data "REV" on which the proof-of work is + The following is the message string "P" on which the proof-of work is calculated: </t> <figure anchor="figure_revocation"> <artwork name="" type="" align="left" alt=""><![CDATA[ 0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ - | NONCE | + | POW | + +-----------------------------------------------+ + | TIMESTAMP | +-----------------------------------------------+ | PUBLIC KEY | | | 
@@ -1165,77 +1171,62 @@ +-----+-----+-----+-----+-----+-----+-----+-----+ ]]></artwork> </figure> + <t>where:</t> + <dl> + <dt>POW</dt> + <dd> + A 64-bit solution to the proof of work. + </dd> + <dt>TIMESTAMP</dt> + <dd> + denotes the absolute 64-bit expiration date of the record. + In microseconds since midnight (0 hour), January 1, 1970 in network + byte order. + </dd> + <dt>PUBLIC KEY</dt> + <dd> + A 512-bit ECDSA deterministic signature compliant with + <xref target="RFC6979" /> over the public zone zk of the zone + which is revoked and corresponds to the key used in the proof-of-work. + The signature is created using the private zone key "d" (see + <xref target="zones" />). + </dd> + </dl> <t> - A single pass in the proof-of-work algorithm is defined as follows: - </t> - <ol> - <li>Derive initial key material K from the REV data.</li> - <li>Derive IV material from the key material K.</li> - <li>Encrypt the REV data using K and IV.</li> - <li>Derive the proof of work from the encrypted REV and check against - the proof condition.</li> - </ol> - <t> - The first step in the PoW is a call to scrypt with the REV data as - password parameter to derive the initial key material K: - </t> - <figure> - <artwork name="" type="" align="left" alt=""><![CDATA[ - K := scrypt (P := REV, dkLen := 32) - ]]></artwork> - </figure> - <t> - where dkLen denotes the intended output length in octets. - The second step is to derive a 128 bit initialization vector using a - Hash-based Key Derivation Function as defined in - (<xref target="RFC5869"/>). - Specifically, HMAC-SHA512 is used for the - extraction phase and HMAC-SHA256 for the expansion phase. 
- </t> - - <figure> - <artwork name="" type="" align="left" alt=""><![CDATA[ - PRK := HKDF-Extract ("gnunet-proof-of-work-iv", K) - IV := HKDF-Expand (PRK, - "gnunet-revocation-proof-of-work", - 128 / 8); - - ]]></artwork> - </figure> - <t> - We use the resulting keying material "K" as a 256-bit TWOFISH - <xref target="TWOFISH" /> key and use IV as the corresponding - initialization vector: + Traditionally, proof-of-work schemes require to find a "POW" such that + at least D leading zeroes are found in the hash result. + D is then referred to as the "difficulty" of the proof-of-work. + In order to reduce the variance in time it takes to calculate the + proof-of-work, we require that a number "Z" different PoWs must be + found that on average have "D" leading zeroes. </t> - - <figure> - <artwork name="" type="" align="left" alt=""><![CDATA[ - EREV := TWOFISH(K, IV, REV) - ]]></artwork> - </figure> <t> - The above EREV data object is again derived using the scrypt algorithm. - The proof of work is complete, if the following inequality holds for a - given NONCE: + The resulting proofs may then published and disseminated. The concrete + dissemination and publication methods are out of scope of this + document. Given an average difficulty of "D", the proofs have an + expiration time of 365 days. With each additional bit difficulty, the + lifetime of the proof is prolonged for another 365 days. + Consequently, by calculating a more difficult PoW, the lifetime of the + proof can be increased on demand by the zone owner. </t> - <figure> - <artwork name="" type="" align="left" alt=""><![CDATA[ - scrypt(P := EREV, dkLen := 64) < 2^(39)-1 - ]]> - </artwork> - </figure> <t> - where dkLen again denotes the intended output length in octets. - The final revocation data object consists of a signature over the - public of the zone which is revoked, the zone key itself and the just - calculated proof-of-work. - The resulting block is then published and disseminated. 
The concrete - dissemination and publication methods are out of scope of this document. + Given that proof has been found, a revocation data object is defined + as follows: </t> <figure anchor="figure_revocationdata"> <artwork name="" type="" align="left" alt=""><![CDATA[ 0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ + | TIMESTAMP | + +-----+-----+-----+-----+-----+-----+-----+-----+ + | TTL | + +-----+-----+-----+-----+-----+-----+-----+-----+ + | POW_0 | + +-----+-----+-----+-----+-----+-----+-----+-----+ + | ... | + +-----+-----+-----+-----+-----+-----+-----+-----+ + | POW_Z-1 | + +-----------------------------------------------+ | SIGNATURE | | | | | @@ -1245,17 +1236,32 @@ | | | | +-----+-----+-----+-----+-----+-----+-----+-----+ + | SIZE (0x24) | PURPOSE (0x03) | + +-----+-----+-----+-----+-----+-----+-----+-----+ | PUBLIC KEY | | | | | | | +-----+-----+-----+-----+-----+-----+-----+-----+ - | NONCE | - +-----------------------------------------------+ ]]></artwork> </figure> <t>where:</t> <dl> + <dt>TIMESTAMP</dt> + <dd> + denotes the absolute 64-bit expiration date of the revocation. + In microseconds since midnight (0 hour), January 1, 1970 in network + byte order. + </dd> + <dt>TTL</dt> + <dd> + denotes the relative 64-bit time to live of of the record in + microseconds also in network byte order. + </dd> + <dt>POW_i</dt> + <dd> + The POWs calculated as part of the proof-of-work. + </dd> <dt>SIGNATURE</dt> <dd> A 512-bit ECDSA deterministic signature compliant with 
@@ -1264,38 +1270,6 @@ The signature is created using the private zone key "d" (see <xref target="zones" />). </dd> - <dt>PUBLIC KEY</dt> - <dd> - is the 256-bit public key "zk" of the zone which is being revoked and - the key to be used to verify SIGNATURE. The - wire format of this value is defined in <xref target="RFC8032" />, - Section 5.1.5. - </dd> - <dt>NONCE</dt> - <dd> - The nonce calculated as part of the proof-of-work. - </dd> - </dl> - <t> - The signature over the public key covers a 32 bit pseuso header - conceptually prefixed to the public key. The pseudo header includes - the key length and signature purpose: - </t> - <figure anchor="figure_pkeywithpseudo"> - <artwork name="" type="" align="left" alt=""><![CDATA[ - 0 8 16 24 32 40 48 56 - +-----+-----+-----+-----+-----+-----+-----+-----+ - | SIZE (0x24) | PURPOSE (0x03) | - +-----+-----+-----+-----+-----+-----+-----+-----+ - | PUBLIC KEY | - | | - | | - | | - +-----+-----+-----+-----+-----+-----+-----+-----+ - ]]></artwork> - </figure> - <t>where:</t> - <dl> <dt>SIZE</dt> <dd> A 32-bit value containing the length of the signed data in bytes 
@@ -1306,7 +1280,30 @@ A 32-bit signature purpose flag. This field MUST be 3 (in network byte order). </dd> + <dt>PUBLIC KEY</dt> + <dd> + is the 256-bit public key "zk" of the zone which is being revoked and + the key to be used to verify SIGNATURE. The + wire format of this value is defined in <xref target="RFC8032" />, + Section 5.1.5. + </dd> </dl> + <section anchor="revocation_verification" numbered="true" toc="default"> + <name>Verification</name> + <t> + In order to verify a revocation the following steps must be taken, + in order: + </t> + <ol> + <li>The current time MUST be between TIMESTAMP and + TIMESTAMP+TTL.</li> + <li>The signature MUST match the public key.</li> + <li>The average number of leading zeroes resulting from the provided + POW values D' MUST be greater than or equal to D.</li> + <li>The actual expiration time TIMESTAMP + (D'-D+1) * 365 days + is in the future.</li> + </ol> + </section> </section> <section anchor="governance" numbered="true" toc="default"> <name>Determining the Root Zone and Zone Governance</name> 
@@ -1569,24 +1566,37 @@ The registry shall record for each entry: <date year="1999" month="March"/> </front> </reference> - <reference anchor="RFC7914" target="https://www.rfc-editor.org/info/rfc7914"> + <reference anchor="Argon2" target="https://datatracker.ietf.org/doc/draft-irtf-cfrg-argon2/"> <front> - <title>The scrypt Password-Based Key Derivation Function</title> - <author initials="C." surname="Percival" fullname="C. Percival"> - <organization/> - </author> - <author initials="S." surname="Josefsson" fullname="S. Josefsson"> - <organization/> - </author> - <date year="2016" month="August"/> + <title>The memory-hard Argon2 password hash and proof-of-work function</title> + <author initials="A." surname="Biryukov" fullname="Alex Biryukov"> + <organization>University of Luxembourg</organization> + </author> + + <author initials="D." surname="Dinu" fullname="Daniel Dinu"> + <organization>University of Luxembourg</organization> + </author> + + <author initials="D." surname="Khovratovich" + fullname="Dmitry Khovratovich"> + <organization>ABDK Consulting</organization> + </author> + <author initials="S." surname="Josefsson" + fullname="Simon Josefsson"> + <organization>SJD AB</organization> + </author> + <date year="2020" month="March"/> <abstract> <t> - This document specifies the password-based key derivation function scrypt. The function derives one or more secret keys from a secret string. It is based on memory-hard functions, which offer added protection against attacks using custom hardware. The document also provides an ASN.1 schema. + This document describes the Argon2 memory-hard function for + password hashing and proof-of-work applications. We provide an + implementer-oriented description with + test vectors. The purpose is to simplify adoption of Argon2 for + Internet protocols. This document is a product of the Crypto Forum Research Group (CFRG) + in the IRTF. 
</t> </abstract> </front> - <seriesInfo name="RFC" value="7914"/> - <seriesInfo name="DOI" value="10.17487/RFC7914"/> </reference> <!-- <reference anchor="ISO20022"> <front>
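Review bot: In the DOCTYPE hunk (@@ -1,19 +1,19 @@), the new RFC1034 entity points at http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml, while every other added entity uses http://xml2rfc.ietf.org/rfc/bibxml/... without the "public/" segment. One of the two paths is presumably wrong, so please make all fourteen consistent. Since these entities are pulled in at build time, it is also worth switching them to https if the host serves them that way.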
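Review bot: In the Argon2d parameter hunk (@@ -1138,25 +1138,31 @@), "m := 1024 /* Memory size, 1 MiB */" gives no unit for m, so the reader has to infer kibibytes from the comment. Please state the unit next to the value, for example "m := 1024 /* Memory size in KiB (1 MiB) */". The added lines also carry over "occurences" and "proof-of work", which should read "occurrences" and "proof-of-work".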
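Review bot: In the hunk at @@ -1165,77 +1171,62 @@, the definition added under PUBLIC KEY is the SIGNATURE text ("A 512-bit ECDSA deterministic signature compliant with ... over the public zone zk"), which looks like a copy-paste slip. It should describe the 256-bit zone key "zk", as the PUBLIC KEY entry of the revocation data object does. The same hunk removes the only description of how the hash is computed and replaces it with "leading zeroes are found in the hash result", so the text no longer says that the hash is Argon2d over P, and neither "D" nor "Z" is given a value. Please add one sentence defining the computation and the two constants. Also "may then published" should read "may then be published".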
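Review bot: In the revocation data object hunk (@@ -1245,17 +1236,32 @@), the figure now carries POW_0 through POW_Z-1 but has no count field, and Z has no value in the text, so a receiver cannot tell where SIGNATURE starts. Either fix Z as a constant in this section or add an explicit count before the POW values. In the TTL definition, "time to live of of the record" has a doubled "of".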
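Review bot: In the hunk at @@ -1264,38 +1270,6 @@, the removed paragraph ("The signature over the public key covers a 32 bit pseuso header conceptually prefixed to the public key") was the only statement of what SIGNATURE covers, and nothing replaces it. With SIZE and PURPOSE now drawn as wire fields, please say explicitly which bytes are signed. In particular, TTL is not part of the proof-of-work message P (POW, TIMESTAMP, PUBLIC KEY) and is not stated to be signed, yet verification depends on it, so as written nothing binds TTL to the zone owner.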
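Review bot: In the new Verification section (@@ -1306,7 +1280,30 @@), step 1 treats TIMESTAMP as the start of the validity window ("between TIMESTAMP and TIMESTAMP+TTL"), but both TIMESTAMP definitions in this patch call it the "absolute 64-bit expiration date", and step 4 computes yet another expiry as "TIMESTAMP + (D'-D+1) * 365 days". Please settle on one meaning for TIMESTAMP and one expiry rule, and say how TTL relates to the value computed in step 4. The steps also never check that the Z POW values are pairwise different, although the text requires "Z different PoWs"; without that check a single solution repeated Z times would satisfy step 3. Step 2 ("The signature MUST match the public key") should name the data the signature is verified over.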
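Review bot: In the references hunk (@@ -1569,24 +1566,37 @@), the new Argon2 entry drops both seriesInfo elements and adds none, and its target is the datatracker page without a revision, so the fixed parameters (for example "v := 0x13") are tied to whatever the draft says at the time of reading. Please add a seriesInfo element with name="Internet-Draft" and the exact draft revision the parameters were taken from.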