commit c13c8a7a8edb0220a83d7151072e8a307e672e23
parent 48f5e92ddabe57567029c69bc8c891e40e046bbd
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
Date: Tue, 4 May 2021 11:31:54 +0200
more explanations on EDKEY signatures
Diffstat:
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -722,14 +722,24 @@ zk' := h * zk
<t>
Signatures for EDKEY zones using the derived private key "a'"
are NOT compliant with <xref target="ed25519" />.
+ As the corresponding private key to the derived private scalar "a'"
+ is not known, it is not possible to deterministically derive the
+ signature part "R" according to <xref target="ed25519" />.
Instead, signatures MUST be generated as follows for any given
- message M and deterministic random-looking "r":
+ message M:
+ A nonce is calculated from the highest 32 octets of the
+ expansion of the private key "d" and the blinding factor "h".
+ The "nonce" is then hashed with the message "M" to "r".
+ This way, we include the full derivation path in the calculation
+ the "R" value of the signature, ensuring that it is never resused
+ for two different derivation paths or messages.
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
-sk := SHA512 (d)
-r := SHA512 (sk + 32, M)
+dh := SHA512 (d)
+nonce := SHA256 (dh[32..63] | h)
+r := SHA512 (nonce | M)
R := r * G
-S := r + SHA512(R, zk', M) * a' mod L
+S := r + SHA512(R | zk' | M) * a' mod L
]]></artwork>
<t>
A signature (R,S) is valid if the following holds:
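Review bot: The artwork in this hunk leaves two encodings unspecified that an implementation needs to interoperate. First, "r := SHA512 (nonce | M)" produces 64 octets, but "R := r * G" and "S := r + SHA512(R | zk' | M) * a' mod L" use r as a scalar; state how the digest is interpreted (little-endian integer, reduced mod L, as RFC 8032 does for its own r) rather than leaving it implicit. Second, "nonce := SHA256 (dh[32..63] | h)" concatenates the blinding factor h without giving its octet length or endianness; since h is a scalar, say which serialization is meant (for example the 32-octet little-endian encoding), because a different choice yields different nonces and therefore different signatures. It would also help to say that dh[32..63] is the upper half of the SHA-512 expansion that RFC 8032 uses as the nonce prefix, which makes "the highest 32 octets of the expansion" unambiguous. Two prose fixes in the added paragraph: "in the calculation the "R" value" should read "in the calculation of the "R" value", and "resused" should read "reused".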