commit 4e4fb3536aeda118ed2c5b8632d36bc4ae0b7be0
parent f2ae686f743375da77f8bea8884262b6977bb8ba
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Wed, 9 Feb 2022 14:02:47 +0100
comments in pseudocode
Diffstat:
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -1167,14 +1167,20 @@ S-Decrypt(zk,label,expiration,ciphertext):
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
ZKDF-Private(d,label):
+ /* Calculate zk from d */
a := SHA-512 (d)
+ /* EdDSA clamping */
a[0] &= 248
a[31] &= 127
a[31] |= 64
zk := a * G
+
+ /* Calculate the blinding factor */
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
+ /* Ensure that h == h mod L */
h[31] &= 7
+
a1 := a >> 3
a2 := (h * a1) mod L
d' := a2 << 3
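Review bot: The added comment `/* Ensure that h == h mod L */` in ZKDF-Private only holds if h is read as 32 octets, but the line above it requests 64 (`512 / 8`) and `h[31] &= 7` bounds only the first 32. Nothing in the hunk says that the upper 32 octets are discarded or which byte order applies, so an implementer who treats all 64 octets as the scalar would end up with a value that is not below L and would likely derive different keys from one who uses only the first 32. I would make the comment carry that, e.g. `/* Use only the first 32 octets of h, little-endian; masking the top octet keeps h < 2^251 < L */` (assuming L is the Ed25519 group order and the byte order matches the clamping above), or add the truncation as an explicit pseudocode step. The same comment is added to ZKDF-Public in the next hunk, and ZKDF-Private continues beyond the end of this one.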
@@ -1186,9 +1192,12 @@ ZKDF-Private(d,label):
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
ZKDF-Public(zk,label):
+ /* Calculate the blinding factor */
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
+ /* Ensure that h == h mod L */
h[31] &= 7
+
zk' := h * zk
return zk'
]]></artwork>
@@ -1244,8 +1253,9 @@ ZKDF-Public(zk,label):
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
SignDerived(d,label,message):
- /* Calculate public key */
+ /* Calculate zk from d */
a := SHA-512 (d)
+ /* EdDSA clamping */
a[0] &= 248
a[31] &= 127
a[31] |= 64