LSD0001: GNU Name System

commit 3324e16553dad65fc44ee96986051cfdd44cec88
parent 16506d94795de3a535dd6c11c8b378c4f3c58cfb
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Sat, 26 Mar 2022 09:55:49 +0100

simplify crypto remove ZKDF-Private

Diffstat:
M draft-schanzen-gns.xml | 97 ++++++++++++++++++++++---------------------------------------------------------
1 file changed, 27 insertions(+), 70 deletions(-)

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml @@ -1,4 +1,4 @@ -<?xml version='1.0' encoding='utf-8'?> +<?xml version='1.0' encoding='utf-8'? <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent" [ <!ENTITY RFC1034 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1034.xml"> <!ENTITY RFC1035 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml"> @@ -281,8 +281,7 @@ </dd> <dt>Zone Key Derivation Function</dt> <dd> - The zone key derivation function (ZKDF) blinds a key using a label. - There are different functions for public and private keys, respectively. + The zone key derivation function (ZKDF) blinds a zone key using a label. </dd> <dt>Zone Owner</dt> <dd> @@ -453,15 +452,7 @@ is a function to generate a new private key d and the corresponding public zone key zk. </dd> - <dt>ZKDF-Private(d,label) -> d'</dt> - <dd> - is a zone key derivation function which blinds a private key d - using label, resulting in another private key which - can be used to create cryptographic signatures. - GNS only requires a signature to be created directly with - d to sign a revocation message for the zone key zk. - </dd> - <dt>ZKDF-Public(zk,label) -> zk'</dt> + <dt>ZKDF(zk,label) -> zk'</dt> <dd> is a zone key derivation function which blinds a zone key zk using a label. zk and zk' must be unlinkable. Furthermore, @@ -502,7 +493,7 @@ <dt>SignDerived(d,label,message) -> signature</dt> <dd> is a function to sign a message (typically encrypted record data) that - can be verified using the derived zone key zk' := ZKDF-Public(zk,label). + can be verified using the derived zone key zk' := ZKDF(zk,label). In order to leverage performance-enhancing caching features of certain underlying storages, in particular DHTs, a deterministic signature scheme is recommended. 
@@ -510,7 +501,7 @@ <dt>VerifyDerived(zk,label,message,signature) -> boolean</dt> <dd> is function to verify the signature using the derived zone key - zk' := ZKDF-Public(zk,label). + zk' := ZKDF(zk,label). The function returns a boolean value of "TRUE" if the signature is valid, and otherwise "FALSE". </dd> @@ -1068,25 +1059,11 @@ zTLD[126..129].zTLD[63..125].zTLD[0..62] The zone type and zone key of a PKEY are 4 + 32 bytes in length. This means that a zTLD will always fit into a single label and does not need any further conversion. - </t> - <t> - Given a label, the output d' of the ZKDF-Private(d,label) function for zone - key blinding is calculated as follows for PKEY zones: - </t> - <artwork name="" type="" align="left" alt=""><![CDATA[ -ZKDF-Private(d,label): - zk := d * G - PRK_h := HKDF-Extract ("key-derivation", zk) - h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) - d' := (h * d) mod L - return d' - ]]></artwork> - <t> - Equally, given a label, the output zk' of the ZKDF-Public(zk,label) function is + Given a label, the output zk' of the ZKDF(zk,label) function is calculated as follows for PKEY zones: </t> <artwork name="" type="" align="left" alt=""><![CDATA[ -ZKDF-Public(zk,label): +ZKDF(zk,label): PRK_h := HKDF-Extract ("key-derivation", zk) h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) zk' := (h mod L) * zk @@ -1113,7 +1090,10 @@ ZKDF-Public(zk,label): </t> <artwork name="" type="" align="left" alt=""><![CDATA[ SignDerived(d,label,message): - d' := ZKDF-Private(d,label) + zk := d * G + PRK_h := HKDF-Extract ("key-derivation", zk) + h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) + d' := (h * d) mod L return Sign(d',message) ]]></artwork> <t> @@ -1121,7 +1101,7 @@ SignDerived(d,label,message): </t> <artwork name="" type="" align="left" alt=""><![CDATA[ VerifyDerived(zk,label,message,signature): - zk' := ZKDF-Public(zk,label) + zk' := ZKDF(zk,label) return Verify(zk',message,signature) ]]></artwork> <t> 
@@ -1265,37 +1245,11 @@ S-Decrypt(zk,label,expiration,ciphertext): <t> The "EDKEY" ZKDF instantiation is based on <xref target="Tor224"/>. The calculation of a is defined in Section 5.1.5 of <xref target="RFC8032" />. - Given a label, the output of the ZKDF-Private function for zone - key blinding is calculated as follows: - </t> - <artwork name="" type="" align="left" alt=""><![CDATA[ -ZKDF-Private(d,label): - /* EdDSA clamping */ - dh := SHA-512 (d) - a := dh[0..31] - a[0] &= 248 - a[31] &= 127 - a[31] |= 64 - /* Calculate zk corresponding to d */ - zk := a * G - - /* Calculate the blinding factor h */ - PRK_h := HKDF-Extract ("key-derivation", zk) - h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) - /* Ensure that h == h mod L */ - h[31] &= 7 - - a1 := a >> 3 - a2 := (h * a1) mod L - d' := a2 << 3 - return d' - ]]></artwork> - <t> - Equally, given a label, the output of the ZKDF-Public function is + Given a label, the output of the ZKDF function is calculated as follows: </t> <artwork name="" type="" align="left" alt=""><![CDATA[ -ZKDF-Public(zk,label): +ZKDF(zk,label): /* Calculate the blinding factor */ PRK_h := HKDF-Extract ("key-derivation", zk) h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) @@ -1339,9 +1293,9 @@ ZKDF-Public(zk,label): be implemented as defined in <xref target="RFC8032" />. </t> <t> - Signatures for EDKEY zones using the derived private scalar d' - are not compliant with <xref target="RFC8032" />. - As the corresponding private key to the derived private scalar d' + Signatures for EDKEY zones use a derived private scalar d' + which is not compliant with <xref target="RFC8032" />. + As the corresponding private key to the derived private scalar is not known, it is not possible to deterministically derive the signature part R according to <xref target="RFC8032" />. Instead, signatures <bcp14>MUST</bcp14> be generated as follows for any given 
@@ -1368,9 +1322,13 @@ SignDerived(d,label,message): /* Calculate blinding factor */ PRK_h := HKDF-Extract ("key-derivation", zk) h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) + /* Ensure that h == h mod L */ + h[31] &= 7 - d' := ZKDF-Private(d,label) zk' := h * zk + a1 := a >> 3 + a2 := (h * a1) mod L + d' := a2 << 3 nonce := SHA-256 (dh[32..63] || h) r := SHA-512 (nonce || message) R := r * G @@ -1382,7 +1340,7 @@ SignDerived(d,label,message): </t> <artwork name="" type="" align="left" alt=""><![CDATA[ VerifyDerived(zk,label,message,signature): - zk' := ZKDF-Public(zk,label) + zk' := ZKDF(zk,label) (R,S) := signature return S * G == R + SHA-512(R, zk', message) * zk' ]]></artwork> @@ -1779,7 +1737,7 @@ GET(key) -> value Given a label, the storage key q is derived as follows: </t> <artwork name="" type="" align="left" alt=""><![CDATA[ -q := SHA-512 (ZKDF-Public(zk, label)) +q := SHA-512 (ZKDF(zk, label)) ]]></artwork> <dl> <dt>label</dt> @@ -1851,7 +1809,7 @@ q := SHA-512 (ZKDF-Public(zk, label)) </dd> <dt>ZONE KEY</dt> <dd> - is the blinded zone key "ZKDF-Public(zk, label)" + is the blinded zone key "ZKDF(zk, label)" to be used to verify SIGNATURE. The length and format of the public key depends on the ztype. </dd> @@ -1860,9 +1818,8 @@ q := SHA-512 (ZKDF-Public(zk, label)) The signature is computed over the EXPIRATION and BDATA fields as detailed in <xref target="figure_rrsigwithpseudo"/>. The length and format of the signature depends on the ztype. - The signature is created using the Sign() function of - the cryptosystem of the zone and the derived private key - "ZKDF-Private(d, label)" (see <xref target="zones" />). + The signature is created using the SignDerived() function of + the cryptosystem of the zone (see <xref target="zones" />). </dd> <dt>EXPIRATION</dt> <dd>
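
Review bot: The added line in the `@@ -1,4 +1,4 @@` hunk drops the closing `>` of the XML declaration (`<?xml version='1.0' encoding='utf-8'?`), so the file is no longer well-formed and XML tooling will reject it. This looks unrelated to the ZKDF simplification; restore `?>` before merging.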
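
Review bot: In the `@@ -453,15 +452,7 @@` hunk, the removed ZKDF-Private definition also carried the statement that GNS only requires a signature made directly with d for the revocation message of zk, and none of the visible hunks re-adds it. If that constraint is still intended, move the sentence to the definition of Sign() or to the revocation text instead of dropping it together with the function.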
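
Review bot: In the `@@ -1068,25 +1059,11 @@` hunk, removing the `</t>` / `<t>` pair after "does not need any further conversion." merges the zTLD length paragraph with the new "Given a label, the output zk' of the ZKDF(zk,label) function is" sentence into one `<t>`. The XML stays balanced, but two unrelated topics now render as a single paragraph; keep the paragraph break and start a new `<t>` before "Given a label".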
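
Review bot: In the `@@ -1113,7 +1090,10 @@` hunk, the three inlined lines that compute PRK_h and h in SignDerived are a copy of the ZKDF(zk,label) body, and nothing ties the two together. A later edit to the "key-derivation" salt or the "gns" suffix in only one of them would produce signatures that VerifyDerived rejects. Add a comment or a sentence stating that h is the same blinding factor as in ZKDF(zk,label), or define the computation of h once and reference it from both.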
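
Review bot: In the `@@ -1265,37 +1245,11 @@` hunk, the context sentence "The calculation of a is defined in Section 5.1.5 of RFC8032" is left in place directly before the ZKDF(zk,label) pseudocode, which takes only zk and label. With the ZKDF-Private block removed, `a` is used only in SignDerived (`a1 := a >> 3`), so the reference should move next to that function.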
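
Review bot: In the `@@ -1368,9 +1322,13 @@` hunk, the added `h[31] &= 7` with the comment "Ensure that h == h mod L" is underspecified: h comes from HKDF-Expand with length 512 / 8, so masking byte 31 bounds only the low 32 bytes and leaves h[32..63] untouched. State explicitly that h is truncated to h[0..31] (and in which byte order) before the mask is applied. The ZKDF(zk,label) body past the HKDF-Expand line is not visible in this patch; confirm it applies the identical truncation and mask, otherwise the zk' computed here by `zk' := h * zk` will differ from the one VerifyDerived derives.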
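
Review bot: In the `@@ -1860,9 +1818,8 @@` hunk, the SIGNATURE description now says only that the signature is created "using the SignDerived() function of the cryptosystem of the zone" and no longer names the inputs. Since SignDerived is defined as SignDerived(d,label,message), say which d and label are used here, as the removed text did with "ZKDF-Private(d, label)".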