commit 46c94ba9528b070d4ec84af3b95fdbda55d9172d
parent e97637bdfe5f592456605ab0b07817edbd0d39c8
Author: Schanzenbach, Martin <mschanzenbach@posteo.de>
Date: Mon, 17 Feb 2020 17:37:18 +0100
alternative; text
Diffstat:
3 files changed, 234 insertions(+), 119 deletions(-)
diff --git a/draft-schanzen-gns.html b/draft-schanzen-gns.html
@@ -2385,11 +2385,24 @@ table {
The revocation message including the proof-of-work MAY be calculated
ahead of time to support timely revocation.<a href="#section-7-2" class="pilcrow">¶</a></p>
<p id="section-7-3">
+ For all occurences below, "scrypt" is the scrypt Password-based Key
+ Derivation Function as defined in <span>[<a href="#RFC7914" class="xref">RFC7914</a>]</span> with the
+ following parameters set:<a href="#section-7-3" class="pilcrow">¶</a></p>
+<div class="artwork art-text alignLeft" id="section-7-4">
+<pre>
+ S := "gnunet-revocation-proof-of-work" /* Salt */
+ N := 2
+ r := 8 /* Block size */
+ p := 2 /* Parallelization parameter */
+ dkLen := 64 /* Intended output length in octets */
+ </pre><a href="#section-7-4" class="pilcrow">¶</a>
+</div>
+<p id="section-7-5">
The following the the basic data "REV" on which the proof-of work is
- calculated:<a href="#section-7-3" class="pilcrow">¶</a></p>
+ calculated:<a href="#section-7-5" class="pilcrow">¶</a></p>
<div id="figure_revocation">
<figure id="figure-15">
- <div class="artwork art-text alignLeft" id="section-7-4.1">
+ <div class="artwork art-text alignLeft" id="section-7-6.1">
<pre>
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
@@ -2404,28 +2417,39 @@ table {
</div>
<figcaption><a href="#figure-15" class="selfRef">Figure 15</a></figcaption></figure>
</div>
-<p id="section-7-5">
- A single pass in the proof-of-work algorithm is defined as follows:<a href="#section-7-5" class="pilcrow">¶</a></p>
-<ol start="1" type="1" class="normal" id="section-7-6">
- <li id="section-7-6.1">Derive initial key material K from the REV data.<a href="#section-7-6.1" class="pilcrow">¶</a>
+<p id="section-7-7">
+ A single pass in the proof-of-work algorithm is defined as follows:<a href="#section-7-7" class="pilcrow">¶</a></p>
+<ol start="1" type="1" class="normal" id="section-7-8">
+ <li id="section-7-8.1">Derive initial key material K from the REV data.<a href="#section-7-8.1" class="pilcrow">¶</a>
</li>
-<li id="section-7-6.2">Derive IV material from the key material K.<a href="#section-7-6.2" class="pilcrow">¶</a>
+<li id="section-7-8.2">Derive IV material from the key material K.<a href="#section-7-8.2" class="pilcrow">¶</a>
</li>
-<li id="section-7-6.3">Encrypt the REV data using K and IV.<a href="#section-7-6.3" class="pilcrow">¶</a>
+<li id="section-7-8.3">Encrypt the REV data using K and IV.<a href="#section-7-8.3" class="pilcrow">¶</a>
</li>
-<li id="section-7-6.4">Derive the proof of work from the encrypted REV.<a href="#section-7-6.4" class="pilcrow">¶</a>
+<li id="section-7-8.4">Derive the proof of work from the encrypted REV and check against
+ the proof condition.<a href="#section-7-8.4" class="pilcrow">¶</a>
</li>
</ol>
+<p id="section-7-9">
+ The first step in the PoW is a call to scrypt with the REV data as
+ password parameter to derive the initial key material K:<a href="#section-7-9" class="pilcrow">¶</a></p>
<figure id="figure-16">
- <div class="artwork art-text alignLeft" id="section-7-7.1">
+ <div class="artwork art-text alignLeft" id="section-7-10.1">
<pre>
K := scrypt (P := REV)
</pre>
</div>
<figcaption><a href="#figure-16" class="selfRef">Figure 16</a></figcaption></figure>
+<p id="section-7-11">
+ The second step is to derive an initialization vector using a
+ Hash-based Key Derivation Function as defined in
+ (<span>[<a href="#RFC5869" class="xref">RFC5869</a>]</span>).
+ Specifically, HMAC-SHA512 is used for the
+ extraction phase and HMAC-SHA256 for the expansion phase.<a href="#section-7-11" class="pilcrow">¶</a></p>
<figure id="figure-17">
- <div class="artwork art-text alignLeft" id="section-7-8.1">
+ <div class="artwork art-text alignLeft" id="section-7-12.1">
<pre>
+ STATUS QUO:
PRK_aes := HKDF-Extract ("gnunet-proof-of-work-ivAES!",
K[0,31])
PRK_two := HKDF-Extract ("gnunet-proof-of-work-ivFISH",
@@ -2436,39 +2460,42 @@ table {
IV_two := HKDF-Expand (PRK_two,
"gnunet-revocation-proof-of-work,
128 / 8)
+ ALTERNATIVE:
+ PRK := HKDF-Extract ("gnunet-proof-of-work-iv", K)
+ IV := HKDF-Expand (PRK, "gnunet-revocation-proof-of-work", 128 / 8);
+
</pre>
</div>
<figcaption><a href="#figure-17" class="selfRef">Figure 17</a></figcaption></figure>
+<p id="section-7-13">
+ We divide the resulting keying material "K" into a 256-bit AES
+ <span>[<a href="#RFC3826" class="xref">RFC3826</a>]</span> key and a 256-bit TWOFISH
+ <span>[<a href="#TWOFISH" class="xref">TWOFISH</a>]</span> key and use IV as corresponding
+ initialization vectors:<a href="#section-7-13" class="pilcrow">¶</a></p>
<figure id="figure-18">
- <div class="artwork art-text alignLeft" id="section-7-9.1">
+ <div class="artwork art-text alignLeft" id="section-7-14.1">
<pre>
+ STATUS QUO:
EREV := TWOFISH(K[0:31], IV_two,
AES(K[32:63], IV_aes, REV))
+ ALTERNATIVE:
+ EREV := TWOFISH(K[0:31], IV[16:31],
+ AES(K[32:63], IV[0:15], REV))
+
</pre>
</div>
<figcaption><a href="#figure-18" class="selfRef">Figure 18</a></figcaption></figure>
-<p id="section-7-10">
- The above EREV data object is calculated with different values for the
- "NONCE" in "REV" until the following inequality holds:<a href="#section-7-10" class="pilcrow">¶</a></p>
+<p id="section-7-15">
+ The above EREV data object is again derived using the scrypt algorithm.
+ The proof of work is complete, if the following inequality holds:<a href="#section-7-15" class="pilcrow">¶</a></p>
<figure id="figure-19">
- <div class="artwork art-text alignLeft" id="section-7-11.1">
+ <div class="artwork art-text alignLeft" id="section-7-16.1">
<pre>
scrypt(P := EREV) < 2^(39)-1
+
</pre>
</div>
<figcaption><a href="#figure-19" class="selfRef">Figure 19</a></figcaption></figure>
-<p id="section-7-12">
- For all occurences above, "scrypt" is the scrypt algorithm as defined in
- <span>[<a href="#RFC7914" class="xref">RFC7914</a>]</span> with the following parameters set:<a href="#section-7-12" class="pilcrow">¶</a></p>
-<div class="artwork art-text alignLeft" id="section-7-13">
-<pre>
- S := "gnunet-revocation-proof-of-work" /* Salt */
- N := 2
- r := 8 /* Block size */
- p := 2 /* Parallelization parameter */
- dkLen := 64 /* Intended output length in octets */
- </pre><a href="#section-7-13" class="pilcrow">¶</a>
-</div>
</section>
</div>
<div id="governance">
diff --git a/draft-schanzen-gns.txt b/draft-schanzen-gns.txt
@@ -85,11 +85,11 @@ Table of Contents
6.2.5. VPN . . . . . . . . . . . . . . . . . . . . . . . . . 18
6.2.6. NICK . . . . . . . . . . . . . . . . . . . . . . . . 19
7. Zone Revocation . . . . . . . . . . . . . . . . . . . . . . . 19
- 8. Determining the Root Zone and Zone Governance . . . . . . . . 21
- 9. Security Considerations . . . . . . . . . . . . . . . . . . . 22
+ 8. Determining the Root Zone and Zone Governance . . . . . . . . 22
+ 9. Security Considerations . . . . . . . . . . . . . . . . . . . 23
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
- 11. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . 23
- 12. Normative References . . . . . . . . . . . . . . . . . . . . 25
+ 11. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . 24
+ 12. Normative References . . . . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27
1. Introduction
@@ -1073,6 +1073,16 @@ Internet-Draft The GNU Name System November 2019
work. The revocation message including the proof-of-work MAY be
calculated ahead of time to support timely revocation.
+ For all occurences below, "scrypt" is the scrypt Password-based Key
+ Derivation Function as defined in [RFC7914] with the following
+ parameters set:
+
+ S := "gnunet-revocation-proof-of-work" /* Salt */
+ N := 2
+ r := 8 /* Block size */
+ p := 2 /* Parallelization parameter */
+ dkLen := 64 /* Intended output length in octets */
+
The following the the basic data "REV" on which the proof-of work is
calculated:
@@ -1096,12 +1106,30 @@ Internet-Draft The GNU Name System November 2019
3. Encrypt the REV data using K and IV.
- 4. Derive the proof of work from the encrypted REV.
+ 4. Derive the proof of work from the encrypted REV and check against
+ the proof condition.
+
+ The first step in the PoW is a call to scrypt with the REV data as
+ password parameter to derive the initial key material K:
K := scrypt (P := REV)
+
+
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 20]
+�
+Internet-Draft The GNU Name System November 2019
+
+
Figure 16
+ The second step is to derive an initialization vector using a Hash-
+ based Key Derivation Function as defined in ([RFC5869]).
+ Specifically, HMAC-SHA512 is used for the extraction phase and HMAC-
+ SHA256 for the expansion phase.
+
+ STATUS QUO:
PRK_aes := HKDF-Extract ("gnunet-proof-of-work-ivAES!",
K[0,31])
PRK_two := HKDF-Extract ("gnunet-proof-of-work-ivFISH",
@@ -1112,36 +1140,43 @@ Internet-Draft The GNU Name System November 2019
IV_two := HKDF-Expand (PRK_two,
"gnunet-revocation-proof-of-work,
128 / 8)
-
- Figure 17
+ ALTERNATIVE:
+ PRK := HKDF-Extract ("gnunet-proof-of-work-iv", K)
+ IV := HKDF-Expand (PRK, "gnunet-revocation-proof-of-work", 128 / 8);
+ Figure 17
-Schanzenbach, et al. Expires 13 May 2020 [Page 20]
-�
-Internet-Draft The GNU Name System November 2019
-
+ We divide the resulting keying material "K" into a 256-bit AES
+ [RFC3826] key and a 256-bit TWOFISH [TWOFISH] key and use IV as
+ corresponding initialization vectors:
+ STATUS QUO:
EREV := TWOFISH(K[0:31], IV_two,
AES(K[32:63], IV_aes, REV))
+ ALTERNATIVE:
+ EREV := TWOFISH(K[0:31], IV[16:31],
+ AES(K[32:63], IV[0:15], REV))
+
Figure 18
- The above EREV data object is calculated with different values for
- the "NONCE" in "REV" until the following inequality holds:
+ The above EREV data object is again derived using the scrypt
+ algorithm. The proof of work is complete, if the following
+ inequality holds:
scrypt(P := EREV) < 2^(39)-1
+
Figure 19
- For all occurences above, "scrypt" is the scrypt algorithm as defined
- in [RFC7914] with the following parameters set:
- S := "gnunet-revocation-proof-of-work" /* Salt */
- N := 2
- r := 8 /* Block size */
- p := 2 /* Parallelization parameter */
- dkLen := 64 /* Intended output length in octets */
+
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 21]
+�
+Internet-Draft The GNU Name System November 2019
+
8. Determining the Root Zone and Zone Governance
@@ -1169,15 +1204,6 @@ Internet-Draft The GNU Name System November 2019
GNS clients SHOULD first try to interpret the top-level domain of a
GNS name as a zone key. For example. if the top-level domain is a
-
-
-
-
-Schanzenbach, et al. Expires 13 May 2020 [Page 21]
-�
-Internet-Draft The GNU Name System November 2019
-
-
Base32-encoded public zone key "zk", the root zone of the resolution
process is implicitly given by the name:
@@ -1200,6 +1226,14 @@ Internet-Draft The GNU Name System November 2019
=> Entry zone: zk1
=> Name to resolve from entry zone: www.example
+
+
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 22]
+�
+Internet-Draft The GNU Name System November 2019
+
+
Finally, additional "suffix to zone" mappings MAY be configured.
Suffix to zone key mappings SHOULD be configurable through a local
configuration file or database by the user or system administrator.
@@ -1223,17 +1257,6 @@ Internet-Draft The GNU Name System November 2019
TODO
-
-
-
-
-
-
-Schanzenbach, et al. Expires 13 May 2020 [Page 22]
-�
-Internet-Draft The GNU Name System November 2019
-
-
10. IANA Considerations
IANA is requested to create an "GNU Name System Record Type"
@@ -1254,6 +1277,19 @@ Internet-Draft The GNU Name System November 2019
Served", as described in [RFC8126]. IANA is requested to populate
this registry as follows:
+
+
+
+
+
+
+
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 23]
+�
+Internet-Draft The GNU Name System November 2019
+
+
Number | Type | Contact | References
---------+-----------------+---------+---------
65536 | PKEY | N/A | [This.I-D]
@@ -1282,14 +1318,6 @@ Internet-Draft The GNU Name System November 2019
zk (public zone key) :=
dff911496d025d7e
0885c03d19153e99
-
-
-
-Schanzenbach, et al. Expires 13 May 2020 [Page 23]
-�
-Internet-Draft The GNU Name System November 2019
-
-
4f213f23ea719eca
17fc32dc410e082e
@@ -1310,6 +1338,14 @@ Internet-Draft The GNU Name System November 2019
0017c802f7d32e18
q (query key) :=
+
+
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 24]
+�
+Internet-Draft The GNU Name System November 2019
+
+
6fce4deddc5ad681
f4e29a3310767e3b
8b38bc1b276ce2ba
@@ -1339,13 +1375,6 @@ Internet-Draft The GNU Name System November 2019
071be189a9d236f9
b4a3654bb8c281d4
-
-
-Schanzenbach, et al. Expires 13 May 2020 [Page 24]
-�
-Internet-Draft The GNU Name System November 2019
-
-
RDATA :=
0000000100059412 RR COUNT | EXPIRA-
09ddea0f00000014 -TION | DATA SIZE (20)
@@ -1365,6 +1394,14 @@ Internet-Draft The GNU Name System November 2019
afc99ba9c5a3bb54
07e731a34680ee33
ae0de7bfeda7d2b7
+
+
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 25]
+�
+Internet-Draft The GNU Name System November 2019
+
+
8c6b854a008b1b54
10df4f39f5ba9f46____________
8cb514a56c0eaae0 zk_h
@@ -1393,15 +1430,6 @@ Internet-Draft The GNU Name System November 2019
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>.
-
-
-
-
-Schanzenbach, et al. Expires 13 May 2020 [Page 25]
-�
-Internet-Draft The GNU Name System November 2019
-
-
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
DOI 10.17487/RFC2782, February 2000,
@@ -1422,6 +1450,14 @@ Internet-Draft The GNU Name System November 2019
DOI 10.17487/RFC3826, June 2004,
<https://www.rfc-editor.org/info/rfc3826>.
+
+
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 26]
+�
+Internet-Draft The GNU Name System November 2019
+
+
[RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
Key Derivation Function (HKDF)", RFC 5869,
DOI 10.17487/RFC5869, May 2010,
@@ -1450,14 +1486,6 @@ Internet-Draft The GNU Name System November 2019
for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>.
-
-
-
-Schanzenbach, et al. Expires 13 May 2020 [Page 26]
-�
-Internet-Draft The GNU Name System November 2019
-
-
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032,
DOI 10.17487/RFC8032, January 2017,
@@ -1477,6 +1505,15 @@ Internet-Draft The GNU Name System November 2019
Authors' Addresses
+
+
+
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 27]
+�
+Internet-Draft The GNU Name System November 2019
+
+
Martin Schanzenbach
GNUnet e.V.
Boltzmannstrasse 3
@@ -1509,4 +1546,23 @@ Authors' Addresses
-Schanzenbach, et al. Expires 13 May 2020 [Page 27]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Schanzenbach, et al. Expires 13 May 2020 [Page 28]
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -1135,6 +1135,18 @@
ahead of time to support timely revocation.
</t>
<t>
+ For all occurences below, "scrypt" is the scrypt Password-based Key
+ Derivation Function as defined in <xref target="RFC7914" /> with the
+ following parameters set:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+ S := "gnunet-revocation-proof-of-work" /* Salt */
+ N := 2
+ r := 8 /* Block size */
+ p := 2 /* Parallelization parameter */
+ dkLen := 64 /* Intended output length in octets */
+ ]]></artwork>
+ <t>
The following the the basic data "REV" on which the proof-of work is
calculated:
</t>
@@ -1158,15 +1170,29 @@
<li>Derive initial key material K from the REV data.</li>
<li>Derive IV material from the key material K.</li>
<li>Encrypt the REV data using K and IV.</li>
- <li>Derive the proof of work from the encrypted REV.</li>
+ <li>Derive the proof of work from the encrypted REV and check against
+ the proof condition.</li>
</ol>
+ <t>
+ The first step in the PoW is a call to scrypt with the REV data as
+ password parameter to derive the initial key material K:
+ </t>
<figure>
<artwork name="" type="" align="left" alt=""><![CDATA[
K := scrypt (P := REV)
]]></artwork>
</figure>
+ <t>
+ The second step is to derive an initialization vector using a
+ Hash-based Key Derivation Function as defined in
+ (<xref target="RFC5869"/>).
+ Specifically, HMAC-SHA512 is used for the
+ extraction phase and HMAC-SHA256 for the expansion phase.
+ </t>
+
<figure>
<artwork name="" type="" align="left" alt=""><![CDATA[
+ STATUS QUO:
PRK_aes := HKDF-Extract ("gnunet-proof-of-work-ivAES!",
K[0,31])
PRK_two := HKDF-Extract ("gnunet-proof-of-work-ivFISH",
@@ -1177,36 +1203,42 @@
IV_two := HKDF-Expand (PRK_two,
"gnunet-revocation-proof-of-work,
128 / 8)
+ ALTERNATIVE:
+ PRK := HKDF-Extract ("gnunet-proof-of-work-iv", K)
+ IV := HKDF-Expand (PRK, "gnunet-revocation-proof-of-work", 128 / 8);
+
]]></artwork>
</figure>
+ <t>
+ We divide the resulting keying material "K" into a 256-bit AES
+ <xref target="RFC3826" /> key and a 256-bit TWOFISH
+ <xref target="TWOFISH" /> key and use IV as corresponding
+ initialization vectors:
+ </t>
+
<figure>
<artwork name="" type="" align="left" alt=""><![CDATA[
+ STATUS QUO:
EREV := TWOFISH(K[0:31], IV_two,
AES(K[32:63], IV_aes, REV))
+ ALTERNATIVE:
+ EREV := TWOFISH(K[0:31], IV[16:31],
+ AES(K[32:63], IV[0:15], REV))
+
]]></artwork>
</figure>
<t>
- The above EREV data object is calculated with different values for the
- "NONCE" in "REV" until the following inequality holds:
+ The above EREV data object is again derived using the scrypt algorithm.
+ The proof of work is complete, if the following inequality holds:
</t>
<figure>
- <artwork name="" type="" align="left" alt=""><![CDATA[
+ <artwork name="" type="" align="left" alt=""><![CDATA[
scrypt(P := EREV) < 2^(39)-1
- ]]></artwork>
- </figure>
- <t>
- For all occurences above, "scrypt" is the scrypt algorithm as defined in
- <xref target="RFC7914" /> with the following parameters set:
- </t>
- <artwork name="" type="" align="left" alt=""><![CDATA[
- S := "gnunet-revocation-proof-of-work" /* Salt */
- N := 2
- r := 8 /* Block size */
- p := 2 /* Parallelization parameter */
- dkLen := 64 /* Intended output length in octets */
- ]]></artwork>
- </section>
+ ]]>
+ </artwork>
+ </figure>
+ </section>
<section anchor="governance" numbered="true" toc="default">
<name>Determining the Root Zone and Zone Governance</name>
<t>
