commit 9a394bafd50705ebfb70c7b38920d9a188afedbf
parent 45520f94f5e379d54519b37cb1fd3f7835ceafe3
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
Date: Sat, 19 Sep 2020 15:38:25 +0200
add modified tor approach for Ed25519-SHA512
Diffstat:
1 file changed, 153 insertions(+), 1 deletion(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -342,7 +342,129 @@ zk' := h mod L * zk
</section>
<section anchor="zone_type_edkey" numbered="true" toc="default">
<name>EDKEY Zone</name>
- <t>TODO: Do the same as the above with a Schnorr variant</t>
+ <t>
+ For EDKEY zones the zone key material is derived using the
+ curve parameters of the twisted edwards representation
+ of Curve25519 <xref target="RFC7748" /> (a.k.a. edwards25519)
+ with the Ed25519-SHA-512 scheme (<xref target="ed25519" />).
+ Consequently , we use the following naming convention for our
+ cryptographic primitives for EDKEY zones:
+ </t>
+ <dl>
+ <dt>d</dt>
+ <dd>
+ is a 256-bit EdDSA private zone key.
+ </dd>
+ <dt>zk</dt>
+ <dd>
+ is the EdDSA public zone key corresponding to d. It is defined in
+ <xref target="ed25519" /> as the curve point a*B where B is the
+ group generator of the elliptic curve and a is an integer
+ derived from d using a hashfunction.
+ The public key is used to uniquely identify a GNS zone and is
+ referred to as the "zone key".
+ </dd>
+ <dt>ztype</dt>
+ <dd>
+ is registered with the value "1" in GANA.
+ </dd>
+ <dt>p</dt>
+ <dd>
+ is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e.
+ 2^255 - 19.
+ </dd>
+ <dt>B</dt>
+ <dd>
+ is the group generator (X(P),Y(P)) of edwards25519 as defined in
+ <xref target="RFC7748" />.
+ </dd>
+ <dt>L</dt>
+ <dd>
+ is the prime-order subgroup of edwards25519 in <xref target="RFC7748" />.
+ </dd>
+ </dl>
+ <t>
+ Given a label, the output of the HDKD-Private function for zone
+ key blinding is calculated as follows for EDKEY zones:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+zk := a * B
+PRK_h := HKDF-Extract ("key-derivation", zk)
+h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+h[0] &= 248;
+h[31] &= 127;
+h[31] |= 64;
+a' := h * a mod L
+ ]]></artwork>
+ <t>
+ Equally, given a label, the output of the HDKD-Public function is
+ calculated as follows for PKEY zones:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+PRK_h := HKDF-Extract ("key-derivation", zk)
+h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+h[0] &= 248;
+h[31] &= 127;
+h[31] |= 64;
+zk' := h mod L * zk
+ ]]></artwork>
+ <t>
+ We use a hash-based key derivation function (HKDF) as defined in
+ <xref target="RFC5869" />. We use HMAC-SHA512 for the extraction
+ phase and HMAC-SHA256 for the expansion phase.
+ </t>
+ <dl>
+ <dt>PRK_h</dt>
+ <dd>
+ is key material retrieved using an HKDF using the string
+ "key-derivation" as salt and the public zone key "zk" as initial
+ keying material.
+ </dd>
+ <dt>h</dt>
+ <dd>
+ is the 512-bit HKDF expansion result. The expansion info input is a
+ concatenation of the label and string "gns".
+ The result of the HKDF must be clamped.
+ </dd>
+ <dt>a</dt>
+ <dd>
+ is the 256-bit integer correspinding to the 256-bit private zone
+ key d as defined in <xref target="zone_type_edkey" />.
+ </dd>
+ <dt>label</dt>
+ <dd>is a UTF-8 string under which the resource records are published.
+ </dd>
+ <dt>L</dt>
+ <dd>
+ is the prime-order subgroup as defined in <xref target="zone_type_pkey" />.
+ </dd>
+ </dl>
+ <t>
+ We point out that the multiplication of "zk" with "h" is a point multiplication,
+ while the multiplication of "a" with "h" is a scalar multiplication.
+ </t>
+ <t>
+ Signatures for EDKEY zones using the derived private key a'
+ are NOT compliant with <xref target="ed25519" />.
+ Instead, signatures MUST be generated as follows for any given
+ message M:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+R := rB
+S := r+SHA512(R,zk',M)*a*h mod L
+ ]]></artwork>
+ <t>
+ A signature (R,S) is valid if the following holds:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+SB == R + SHA512(R,zk',M)A' )
+ ]]></artwork>
+ <t>
+ The "zid" of an EDKEY is 32 + 4 bytes in length. This means that
+ a Base32-encoded "zTLD" will always fit into a single label and does
+ not need any further conversion.
+ </t>
+
</section>
</section>
</section>
@@ -2078,6 +2200,36 @@ ee83f0cc79c4c5ea
</abstract>
</front>
</reference>
+ <reference anchor="ed25519" target="http://link.springer.com/chapter/10.1007/978-3-642-23951-9_9">
+ <front>
+ <title>High-Speed High-Security Signatures</title>
+ <author initials="D." surname="Bernstein" fullname="Daniel Bernstein">
+ <organization>University of Illinois at Chicago</organization>
+ </author>
+
+ <author initials="N." surname="Duif"
+ fullname="Niels Duif">
+ <organization>Technische Universiteit Eindhoven</organization>
+
+ </author>
+ <author initials="T." surname="Lange"
+ fullname="Tanja Lange">
+ <organization>Technische Universiteit Eindhoven</organization>
+
+ </author>
+ <author initials="P." surname="Schwabe"
+ fullname="Peter Schwabe">
+ <organization>National Taiwan University</organization>
+
+ </author>
+ <author initials="B." surname="Yang"
+ fullname="Bo-Yin Yang">
+ <organization>Academia Sinica</organization>
+
+ </author>
+ <date year="2011"/>
+ </front>
+ </reference>
<!-- <reference anchor="ISO20022">
<front>
