lsd0001

LSD0001: GNU Name System

commit c972b4c4f0d6fcbd2c3dd4aef66543da7b5d5c6e
parent 41437cd20299d6c7c6b90841e143e338bd8b5440
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Fri,  4 Feb 2022 20:33:49 +0100

better procedure definitions

Diffstat:
M draft-schanzen-gns.xml | 170 +++++++++++++++++++++++++++++++++++++++++--------------------------------------
1 file changed, 89 insertions(+), 81 deletions(-)

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml @@ -977,19 +977,23 @@ zTLD := zkl[126..129].zkl[63..125].zkl[0..62] key blinding is calculated as follows for PKEY zones: </t> <artwork name="" type="" align="left" alt=""><![CDATA[ -zk := d * G -PRK_h := HKDF-Extract ("key-derivation", zk) -h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) -d' := (h * d) mod L +ZKDF-Private(d,label): + zk := d * G + PRK_h := HKDF-Extract ("key-derivation", zk) + h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) + d' := (h * d) mod L + return d' ]]></artwork> <t> Equally, given a label, the output zk' of the ZKDF-Public(zk,label) function is calculated as follows for PKEY zones: </t> - <artwork name="" type="" align="left" alt=""><![CDATA[ -PRK_h := HKDF-Extract ("key-derivation", zk) -h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) -zk' := (h mod L) * zk + <artwork name="" type="" align="left" alt=""><![CDATA[ +ZKDF-Public(zk,label) + PRK_h := HKDF-Extract ("key-derivation", zk) + h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) + zk' := (h mod L) * zk + return zk' ]]></artwork> <t> The PKEY cryptosystem uses a hash-based key derivation function (HKDF) as defined in 
@@ -1010,28 +1014,41 @@ zk' := (h mod L) * zk The Sign() and Verify() functions for PKEY zones are implemented using 512-bit ECDSA deterministic signatures as specified in <xref target="RFC6979" />. + The same functions can be used for derived keys. </t> <t> The S-Encrypt() and S-Decrypt() functions use AES in counter mode as defined in <xref target="MODES" /> (CTR-AES-256): </t> - <artwork name="" type="" align="left" alt=""><![CDATA[ -CIPHERTEXT := CTR-AES256(K, IV, DATA) -DATA := CTR-AES256(K, IV, CIPHERTEXT) - ]]></artwork> + <figure anchor="figure_senc_pkey"> + <artwork name="" type="" align="left" alt=""><![CDATA[ +S-Encrypt(zk,label,expiration,plaintext): + PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) + PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) + K := HKDF-Expand (PRK_k, label, 256 / 8) + NONCE := HKDF-Expand (PRK_n, label, 32 / 8) + IV := NONCE | expiration | 0x0000000000000001 + return CTR-AES256(K, IV, plaintext) + ]]></artwork> + </figure> + <t>The PKEY S-Encrypt Procedure.</t> + <figure anchor="figure_sdec_pkey"> + <artwork name="" type="" align="left" alt=""><![CDATA[ +S-Decrypt(zk,label,expiration,ciphertext): + PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) + PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) + K := HKDF-Expand (PRK_k, label, 256 / 8) + NONCE := HKDF-Expand (PRK_n, label, 32 / 8) + IV := NONCE | expiration | 0x0000000000000001 + return CTR-AES256(K, IV, ciphertext) + ]]></artwork> + </figure> + <t>The PKEY S-Decrypt Procedure.</t> <t> The key K and counter IV are derived from - the record label and the zone key zk as follows: - </t> - <artwork name="" type="" align="left" alt=""><![CDATA[ -PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) -PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) -K := HKDF-Expand (PRK_k, label, 256 / 8); -NONCE := HKDF-Expand (PRK_n, label, 32 / 8) -]]></artwork> - <t> - HKDF is a hash-based key derivation function as defined in - <xref target="RFC5869" />. 
Specifically, SHA-512 <xref target="RFC6234"/> is used for the + the record label and the zone key zk using a hash-based key + derivation function (HDKF) as defined in <xref target="RFC5869" />. + SHA-512 <xref target="RFC6234"/> is used for the extraction phase and SHA-256 <xref target="RFC6234"/> for the expansion phase. The output keying material is 32 bytes (256 bits) for the symmetric key and 4 bytes (32 bits) for the nonce. @@ -1062,31 +1079,6 @@ NONCE := HKDF-Expand (PRK_n, label, 32 / 8) ]]></artwork> </figure> <t>The Block Counter Wire Format.</t> - <figure anchor="figure_senc_pkey"> - <artwork name="" type="" align="left" alt=""><![CDATA[ -S-Encrypt(zk,label,expiration,message): - PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) - PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) - K := HKDF-Expand (PRK_k, label, 256 / 8); - NONCE := HKDF-Expand (PRK_n, label, 32 / 8) - IV := NONCE | expiration | 0x0000000000000001 - return CTR-AES256(K, IV, DATA) - ]]></artwork> - </figure> - <t>The PKEY S-Encrypt Procedure.</t> - <figure anchor="figure_sdec_pkey"> - <artwork name="" type="" align="left" alt=""><![CDATA[ -S-Decrypt(zk,label,expiration,ciphertext): - PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk) - PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk) - K := HKDF-Expand (PRK_k, label, 256 / 8); - NONCE := HKDF-Expand (PRK_n, label, 32 / 8) - IV := NONCE | expiration | 0x0000000000000001 - return CTR-AES256(K, IV, ciphertext) - ]]></artwork> - </figure> - <t>The PKEY S-Decrypt Procedure.</t> - <!-- FIXME: Explicit precedures would be nicer Appendix?--> </section> <section anchor="gnsrecords_edkey" numbered="true" toc="default"> <name>EDKEY</name> 
@@ -1176,23 +1168,27 @@ S-Decrypt(zk,label,expiration,ciphertext): key blinding is calculated as follows for EDKEY zones: </t> <artwork name="" type="" align="left" alt=""><![CDATA[ -zk := a * G -PRK_h := HKDF-Extract ("key-derivation", zk) -h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) -h[31] &= 7 -a1 := a >> 3 -a2 := (h * a1) mod L -a' = a2 << 3 +ZKDF-Private(d,label): + zk := a * G + PRK_h := HKDF-Extract ("key-derivation", zk) + h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) + h[31] &= 7 + a1 := a >> 3 + a2 := (h * a1) mod L + a' = a2 << 3 + return a' ]]></artwork> <t> Equally, given a label, the output of the ZKDF-Public function is calculated as follows for PKEY zones: </t> <artwork name="" type="" align="left" alt=""><![CDATA[ -PRK_h := HKDF-Extract ("key-derivation", zk) -h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) -h[31] &= 7 // Implies h mod L == h -zk' := h * zk +ZKDF-Public(zk,label): + PRK_h := HKDF-Extract ("key-derivation", zk) + h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) + h[31] &= 7 // Implies h mod L == h + zk' := h * zk + return zk' ]]></artwork> <t> We note that implementers SHOULD employ a constant time scalar 
@@ -1226,36 +1222,44 @@ zk' := h * zk co-factor are integer operations. </t> <t> + The Sign(d,message) and Verify(zk,message,signature) procedures MUST + be implemented as defined in <xref target="ed25519" />. + </t> + <t> Signatures for EDKEY zones using the derived private key a' are not compliant with <xref target="ed25519" />. As the corresponding private key to the derived private scalar a' is not known, it is not possible to deterministically derive the signature part R according to <xref target="ed25519" />. Instead, signatures MUST be generated as follows for any given - message M: + message and private zone key: A nonce is calculated from the highest 32 bytes of the expansion of the private key d and the blinding factor h. - The nonce is then hashed with the message M to r. + The nonce is then hashed with the message to r. This way, we include the full derivation path in the calculation of the R value of the signature, ensuring that it is never reused for two different derivation paths or messages. </t> <!-- Blinded key signatures need a different method signature FIXME Should we use a' - nonce := SHA-256 (a')? + nonce := SHA-256 (a')? Changed for now. Unclear if ok. --> <artwork name="" type="" align="left" alt=""><![CDATA[ -dh := SHA-512 (d) -nonce := SHA-256 (dh[32..63] | h) -r := SHA-512 (nonce | M) -R := r * G -S := r + SHA-512(R | zk' | M) * a' mod L +Sign(d,message): + dh := SHA-512 (d) + nonce := SHA-256 (dh[32..63] | h) + r := SHA-512 (nonce | message) + R := r * G + S := r + SHA-512(R | zk' | message) * a' mod L + return (R,S) ]]></artwork> <t> A signature (R,S) is valid if the following holds: </t> <artwork name="" type="" align="left" alt=""><![CDATA[ -S * G == R + SHA-512(R, zk', M) * zk' +Verify(zk',message,signature): + (R,S) := signature + return S * G == R + SHA-512(R, zk', message) * zk' ]]></artwork> <t> The S-Encrypt() and S-Decrypt() functions use XSalsa20 
@@ -1263,8 +1267,19 @@ S * G == R + SHA-512(R, zk', M) * zk' (XSalsa20-Poly1305): </t> <artwork name="" type="" align="left" alt=""><![CDATA[ -CIPHERTEXT := XSalsa20-Poly1305(K, IV, DATA) -DATA := XSalsa20-Poly1305(K, IV, CIPHERTEXT) +S-Encrypt(zk,label,expiration,message): + PRK_k := HKDF-Extract ("gns-xsalsa-ctx-key", zk) + PRK_n := HKDF-Extract ("gns-xsalsa-ctx-iv", zk) + K := HKDF-Expand (PRK_k, label, 256 / 8); + NONCE := HKDF-Expand (PRK_n, label, 128 / 8) + return XSalsa20-Poly1305(K, IV, message) + +S-Decrypt(zk,label,expiration,ciphertext): + PRK_k := HKDF-Extract ("gns-xsalsa-ctx-key", zk) + PRK_n := HKDF-Extract ("gns-xsalsa-ctx-iv", zk) + K := HKDF-Expand (PRK_k, label, 256 / 8); + NONCE := HKDF-Expand (PRK_n, label, 128 / 8) + return XSalsa20-Poly1305(K, IV, ciphertext) ]]></artwork> <t> The result of the XSalsa20-Poly1305 encryption function is the encrypted @@ -1275,17 +1290,10 @@ DATA := XSalsa20-Poly1305(K, IV, CIPHERTEXT) </t> <t> The key K and counter IV are derived from - the record label and the zone key zk as follows: - </t> - <artwork name="" type="" align="left" alt=""><![CDATA[ -PRK_k := HKDF-Extract ("gns-xsalsa-ctx-key", zk) -PRK_n := HKDF-Extract ("gns-xsalsa-ctx-iv", zk) -K := HKDF-Expand (PRK_k, label, 256 / 8); -NONCE := HKDF-Expand (PRK_n, label, 128 / 8) -]]></artwork> - <t> - HKDF is a hash-based key derivation function as defined in - <xref target="RFC5869" />. Specifically, SHA-512 <xref target="RFC6234"/> is used for the + the record label and the zone key zk using a hash-based key + derivation function (HKDF) as defined in + <xref target="RFC5869" />. + SHA-512 <xref target="RFC6234"/> is used for the extraction phase and SHA-256 <xref target="RFC6234"/> for the expansion phase. The output keying material is 32 bytes (256 bits) for the symmetric key and 16 bytes (128 bits) for the NONCE.
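Review bot: in hunk @@ -977 the new `ZKDF-Public(zk,label)` header is missing the trailing colon that `ZKDF-Private(d,label):` and every other procedure header introduced by this patch carry; write it as `ZKDF-Public(zk,label):` so the two PKEY procedures read the same way as the EDKEY ones in @@ -1176.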
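Review bot: the reworded prose at the end of hunk @@ -1010 misspells the abbreviation as `(HDKF)`; the parallel EDKEY sentence in @@ -1275 has the correct `(HKDF)`. The same sentence still opens with `The key K and counter IV are derived from the record label and the zone key zk using ...`, but the S-Encrypt/S-Decrypt figures placed just above it now show that HKDF produces only `K` and `NONCE`, with `IV := NONCE | expiration | 0x0000000000000001` built afterwards; saying "the key K and nonce NONCE" there would match the procedures. Dropping the stray `;` after the `K :=` line and replacing `DATA` with `plaintext` in the moved figures does resolve the parameter/return mismatch the old block in @@ -1062 had, so that part is fine.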
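Review bot: the EDKEY `ZKDF-Private(d,label):` header added in hunk @@ -1176 names its private-key parameter `d`, but the body only ever uses `a` (`zk := a * G`, `a1 := a >> 3`), so `d` is never referenced and `a` is never defined; rename the parameter to `a` (or the body to `d`) so header and body agree as they do in the PKEY version. Two smaller points in the same hunk: `a' = a2 << 3` uses `=` where every other assignment uses `:=`, and the unchanged sentence introducing ZKDF-Public in this EDKEY section still ends with `calculated as follows for PKEY zones`.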
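Review bot: hunk @@ -1226 first requires that `Sign(d,message)` and `Verify(zk,message,signature)` be implemented as defined in ed25519, and then defines a deliberately non-compliant procedure under the identical name `Sign(d,message)` for derived keys, so an implementer cannot tell from the name which of the two applies. The derived-key procedure also reads `h`, `a'` and `zk'` without ever receiving them: it needs the label (or the ZKDF outputs) as input, for example `Sign(d,label,message):` with `a'` taken from `ZKDF-Private(d,label)`, or a distinct name for the blinded-signature variant. Notation is also inconsistent between the two new procedures: Sign hashes `R | zk' | message` with `|`, while Verify writes `SHA-512(R, zk', message)` with commas; and `r := SHA-512 (nonce | message)` is used directly as a scalar in `R := r * G` without the `mod L` that the `S :=` line states explicitly, so the reduction should be written out for `r` as well.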
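Review bot: the new EDKEY `S-Encrypt`/`S-Decrypt` procedures in hunk @@ -1263 compute `NONCE` but then call `XSalsa20-Poly1305(K, IV, ...)` with an `IV` that is never assigned, and the `expiration` parameter is never used. The PKEY counterparts in @@ -1010 carry the line `IV := NONCE | expiration | 0x0000000000000001`; the corresponding construction here (presumably `IV := NONCE | expiration`, since the 16-byte NONCE the prose specifies is shorter than the 24-byte nonce XSalsa20 takes) needs to be written out rather than left for the reader to infer. The `K := HKDF-Expand (PRK_k, label, 256 / 8);` lines also keep the trailing `;` that the PKEY hunk removed.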