commit a1d2f683368a330d320451a16ed69874ad62cbd5
parent d470174bc326281c3020252af273181cc58cbf9a
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
Date: Tue, 6 Oct 2020 13:11:54 +0200
fix construction EDKEY more thx jeff
Diffstat:
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -665,10 +665,10 @@ NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
zk := a * G
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
-a' := h * a mod L
-a'[0] &= 248;
-a'[31] &= 127;
-a'[31] |= 64;
+h[31] &= 7
+a1 := a / 8 /* 8 is the cofactor of Curve25519 */
+a2 := h * a1 mod L
+a' = a2 * 8 /* 8 is the cofactor of Curve25519 */
]]></artwork>
<t>
Equally, given a label, the output of the HDKD-Public function is
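Review bot: The unchanged HKDF-Expand line still produces `h` as 512 / 8 = 64 bytes, so `h[31] &= 7` constrains only byte 31 and leaves bytes 32..63 untouched; as written, nothing guarantees that h is below L. The second hunk's comment `// Implies h mod L == h` rests on the same bound, so both artworks need either `256 / 8` as the expand length or a sentence saying that only the first 32 bytes of h, read little-endian, form the scalar. The byte order is not stated in the visible lines and should be made explicit. It would also help to note next to `a1 := a / 8` that the division is exact only if a has its low three bits cleared (presumably a clamped scalar), and to write `a' := a2 * 8` with `:=` like the surrounding lines.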
@@ -677,11 +677,8 @@ a'[31] |= 64;
<artwork name="" type="" align="left" alt=""><![CDATA[
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
-a' = h mod L
-a'[0] &= 248;
-a'[31] &= 127;
-a'[31] |= 64;
-zk' := a' * zk
+h[31] &= 7 // Implies h mod L == h
+zk’ := h * zk
]]></artwork>
<t>
The EDKEY cryptosystem uses a
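Review bot: The added line `zk’ := h * zk` uses a typographic apostrophe (U+2019), whereas the line it replaces used ASCII `zk'` and the private-key artwork writes `a'`. Inside CDATA this puts a non-ASCII character into the rendered artwork, and the identifier no longer matches textually; suggest `zk' := h * zk`. The comment syntax is also inconsistent between the two artworks (`//` here, `/* */` in the first hunk), so one form should be used throughout.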