lsd0001

LSD0001: GNU Name System

commit 55941796ffaabc0cca7a88efcbce2c5636bfa761
parent 8e68428ce4e3c41131a8c168505a9b78ea91e6ad
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Thu, 17 Mar 2022 12:49:57 +0100

fixes in crypto

Diffstat:
Mdraft-schanzen-gns.xml | 15+++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -1271,14 +1271,15 @@ S-Decrypt(zk,label,expiration,ciphertext):
 <artwork name="" type="" align="left" alt=""><![CDATA[
 ZKDF-Private(d,label):
 /* EdDSA clamping */
- a := SHA-512 (d)
+ dh := SHA-512 (d)
+ a := dh[0..31]
 a[0] &= 248
 a[31] &= 127
 a[31] |= 64
- /* Calculate zk from d */
+ /* Calculate zk corresponding to d */
 zk := a * G
- /* Calculate the blinding factor */
+ /* Calculate the blinding factor h */
 PRK_h := HKDF-Extract ("key-derivation", zk)
 h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
 /* Ensure that h == h mod L */
@@ -1354,12 +1355,14 @@ ZKDF-Public(zk,label):
 </t>
 <artwork name="" type="" align="left" alt=""><![CDATA[
 SignDerived(d,label,message):
+ /* Key expansion */
+ dh := SHA-512 (d)
 /* EdDSA clamping */
- a := SHA-512 (d)
+ a := dh[0..31]
 a[0] &= 248
 a[31] &= 127
 a[31] |= 64
- /* Calculate zk from d */
+ /* Calculate zk corresponding to d */
 zk := a * G
 /* Calculate blinding factor */
@@ -1367,7 +1370,7 @@ SignDerived(d,label,message):
 h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
 d' := ZKDF-Private(d,label)
- dh := SHA-512 (d)
+ zk' := h * zk
 nonce := SHA-256 (dh[32..63] || h)
 r := SHA-512 (nonce || message)
 R := r * G
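Review bot: In ZKDF-Private the new `dh := SHA-512 (d)` line sits under the `/* EdDSA clamping */` comment, while the second hunk gives the identical step in SignDerived its own `/* Key expansion */` comment. Putting `/* Key expansion */` above `dh := SHA-512 (d)` here and moving `/* EdDSA clamping */` down to just above `a := dh[0..31]` would keep the two listings parallel and make clear that only the low half of the hash is clamped. It would also help to state once that `dh[0..31]` is an inclusive byte range, because SignDerived later uses `dh[32..63]` as secret nonce input and an off-by-one reading would overlap the two halves. The ZKDF-Private listing continues past the end of this hunk.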
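Review bot: The line `nonce := SHA-256 (dh[32..63] || h)` does not say which byte encoding of `h` is hashed. The visible SignDerived lines go from `h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)` straight to `d' := ZKDF-Private(d,label)`, whereas the ZKDF-Private listing in the first hunk follows the same HKDF-Expand with `/* Ensure that h == h mod L */`. Hashing the 64-byte HKDF output and hashing the reduced scalar give different `r`; both signatures should still verify, but they would not be bit-identical and test vectors would not reproduce. A comment on the nonce line fixing the encoding, for example `/* h as the 64-byte HKDF-Expand output */` or the reduced form if that is what is intended, would remove the ambiguity. The new `zk' := h * zk` is not used in the lines shown, so it may be worth noting where it feeds in, since SignDerived continues beyond this hunk.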