commit 628ea7b275bbfcb6879fd66caa6050a8ed14d97c
parent 4f6f661daa6ca632c9fdcde5787c9b1aba691503
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
Date: Sat, 1 May 2021 22:54:09 +0200
edkey updates
Diffstat:
1 file changed, 30 insertions(+), 11 deletions(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -522,7 +522,8 @@ zk' := h mod L * zk
"PRK_h" is key material retrieved using an HKDF using the string
"key-derivation" as salt and the public zone key "zk" as initial
keying material.
- "h" is the 512-bit HKDF expansion result. The expansion info input is
+ "h" is the 512-bit HKDF expansion result and must be interpreted in
+ network byte order. The expansion info input is
a concatenation of the label and string "gns".
"label" is a UTF-8 string under which the resource records are
published.
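Review bot: The added sentence says "h" is interpreted in network byte order but not as what kind of value. State that the 512-bit expansion result is read as an unsigned big-endian integer before the reduction in `zk' := h mod L * zk`. Ed25519 encodings are little-endian in RFC 8032, so implementers are likely to assume the opposite order unless the text is explicit. If the draft uses RFC 2119 keywords elsewhere, this requirement should read "MUST" rather than "must".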
@@ -679,6 +680,9 @@ h[31] &= 7
a1 := a / 8 /* 8 is the cofactor of Curve25519 */
a2 := h * a1 mod L
a' = a2 * 8 /* 8 is the cofactor of Curve25519 */
+a'[0] &= 248;
+a'[31] &= 127;
+a'[31] |= 64;
]]></artwork>
<t>
Equally, given a label, the output of the HDKD-Public function is
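Review bot: The added `a'[31] |= 64` can change the value of a' after it has been computed as `a2 * 8`. Whenever that bit is not already set, the clamped a' no longer equals the scalar derived from `h * a1 mod L`, so a' * G would not match the `zk' := h * zk` that HDKD-Public derives, and signatures made with a' would not verify against zk'. The other two masks are redundant for a value that is a multiple of 8 and smaller than 8 * L, apart from the rare case where `a2 * 8` reaches 2^255. Consider dropping the clamp here or explaining why the public derivation still agrees with it. Separately, the three lines index a' as a byte array while the line above defines it as an integer, so the byte order that `a'[0]` and `a'[31]` refer to needs to be stated, given that "h" is now declared to be in network byte order.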
@@ -706,7 +710,8 @@ zk' := h * zk
keying material.
"h" is the 512-bit HKDF expansion result. The expansion info input is
a concatenation of the label and string "gns".
- The result of the HKDF must be clamped.
+ The result of the HKDF must be clamped and interpreted in network
+ byte order.
"a" is the 256-bit integer corresponding to the 256-bit private zone
key "d".
"label" is a UTF-8 string under which the resource records are
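Review bot: "clamped and interpreted in network byte order" leaves the order of the two operations and the byte indexing open. The clamp is written on bytes (`h[31] &= 7` in the artwork above), so the text should say whether h[31] is the most or least significant byte under the network-byte-order reading, and that the clamp is applied to the byte string before it is read as an integer (or the reverse). The unchanged sentence still calls "h" a 512-bit result while the clamp only touches index 31 of 64 bytes; say what happens to the upper half.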
@@ -724,6 +729,8 @@ zk' := h * zk
message M and deterministic random-looking "r":
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
+sk := SHA512 (d)
+r := SHA512 (sk + 32, M)
R := r * G
S := r + SHA512(R, zk', M) * a' mod L
]]></artwork>
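Review bot: In the added `r := SHA512 (sk + 32, M)`, r depends only on d and M, not on "h" or the label, so the same M signed under two derived keys reuses r with two different a' values. Deterministic nonces need to be unique per signing key and message; consider including "h" (or zk') in the hash input for r. The notation `sk + 32` is also C pointer arithmetic and reads as integer addition in a specification; write it as the upper 32 bytes of sk, for example `sk[32..63]`, and say that the inputs are concatenated.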
@@ -731,19 +738,19 @@ S := r + SHA512(R, zk', M) * a' mod L
A signature (R,S) is valid if the following holds:
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
-SB == R + SHA512(R, zk', M) * A'
+S * G == R + SHA512(R, zk', M) * zk'
]]></artwork>
<t>
- The S-Encrypt() and S-Decrypt() functions use ChaCha20
- as defined in <xref target="RFC7539" />
- (ChaCha20-Poly1305):
+ The S-Encrypt() and S-Decrypt() functions use XSalsa20
+ as defined in <xref target="XSalsa20" />
+ (XSalsa20-Poly1305):
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
-RDATA := ChaCha20(K, IV, BDATA)
-BDATA := ChaCha20(K, IV, RDATA) = CIPHERTEXT | TAG
+RDATA := XSalsa20(K, IV, BDATA)
+BDATA := XSalsa20(K, IV, RDATA) = CIPHERTEXT | TAG
]]></artwork>
<t>
- The result of the ChaCha20 encryption function is the encrypted
+ The result of the XSalsa20 encryption function is the encrypted
ciphertext concatenated with the 128-bit authentication
tag "TAG".
Accordingly, the length of BDATA equals the length of the
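Review bot: The text now cites the "XSalsa20" reference for XSalsa20-Poly1305, but that reference defines only the extended-nonce stream cipher, not its composition with Poly1305, whereas the removed RFC7539 reference defined the full AEAD. Add a reference or an explicit definition for the authenticated construction, and name it consistently: the artwork lines call bare `XSalsa20(K, IV, ...)` while the prose describes a 128-bit TAG. If the intent is the NaCl/libsodium secretbox, note that its output places the tag before the ciphertext, which conflicts with `CIPHERTEXT | TAG` here. In the corrected verification equation, it would help to state that the SHA512 output is reduced mod L before the multiplication, as it is on the signing side.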
@@ -785,12 +792,13 @@ NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
0 8 16 24 32
+-----+-----+-----+-----+
| NONCE |
+| |
+| |
+| |
+-----+-----+-----+-----+
| EXPIRATION |
| |
+-----+-----+-----+-----+
-| BLOCK COUNTER |
-+-----+-----+-----+-----+
]]></artwork>
</figure>
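Review bot: The diagram now gives NONCE four 32-bit rows, but the definition shown in the hunk header, `NONCE := HKDF-Expand (PRK_n, label, 32 / 8)`, still produces 32 bits and is not touched by this commit. Update the expansion length to match the 128-bit field, and add a sentence stating that NONCE followed by EXPIRATION forms the 192-bit XSalsa20 IV, now that the BLOCK COUNTER row is gone.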
@@ -2365,6 +2373,17 @@ cae1789d
</front>
</reference>
+ <reference anchor="XSalsa20" target="https://cr.yp.to/snuffle/xsalsa-20110204.pdf">
+ <front>
+ <title>Extending the Salsa20 nonce</title>
+ <author initials="D." surname="Bernstein" fullname="Daniel Bernstein">
+ <organization>University of Illinois at Chicago</organization>
+ </author>
+ <date year="2011"/>
+ </front>
+ </reference>
+
+
<reference anchor="ed25519" target="http://link.springer.com/chapter/10.1007/978-3-642-23951-9_9">
<front>
<title>High-Speed High-Security Signatures</title>
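Review bot: The new reference entry is followed by two added blank lines; one is enough to separate it from the "ed25519" entry and matches the spacing of the surrounding references. The entry gives only the year, while the target file name carries a full date; consider adding the month so the citation pins the specific revision of the paper.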