LSD0001: GNU Name System

commit d135c69bba240bf94da369af945f31ea9c4bf419
parent cd861f43f674190230d04acb57c817dfceb52ecd
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
Date:   Fri,  4 Sep 2020 22:24:16 +0200

towards zone crypto agility

Diffstat:
M draft-schanzen-gns.xml | 276 +++++++++++++++++++++++++++++++++++++++++++++++++++----------------------------
M ietf/secdispatch/gns.tex | 2 +-
2 files changed, 180 insertions(+), 98 deletions(-)

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml 
@@ -133,43 +133,170 @@ <section anchor="zones" numbered="true" toc="default"> <name>Zones</name> <t> - A zone in GNS is defined by a public/private ECDSA key pair (d,zk), - where d is the private key and zk the corresponding public key. - GNS employs the curve parameters of the twisted edwards representation - of Curve25519 <xref target="RFC7748" /> (a.k.a. edwards25519) - with the ECDSA scheme (<xref target="RFC6979" />). - In the following, we use the following naming convention for our - cryptographic primitives: + A GNS zone is established by creating a zone key pair. + GNS is extensible with respect to the cryptographic scheme used. + The two zone key schemes specified within this document are + called PKEY and EDKEY, respectively. </t> - <dl> - <dt>d</dt> - <dd> - is a 256-bit ECDSA private key. - In GNS, records are signed using a key derived from "d" as described in - <xref target="publish" />. - </dd> - <dt>p</dt> - <dd> - is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e. - 2^255 - 19. - </dd> - <dt>B</dt> - <dd> - is the group generator (X(P),Y(P)) of edwards25519 as defined in - <xref target="RFC7748" />. - </dd> - <dt>L</dt> - <dd> - is the prime-order subgroup of edwards25519 in <xref target="RFC7748" />. - </dd> - <dt>zk</dt> - <dd> - is the ECDSA public key corresponding to d. It is defined in - <xref target="RFC6979" /> as the curve point d*B where B is the group - generator of the elliptic curve. The public key is used to uniquely - identify a GNS zone and is referred to as the "zone key". - </dd> - </dl> + <section anchor="zone_privacy" numbered="true" toc="default"> + <name>Privacy</name> + <t> + In GNS, the contents of a zone are cryptographically signed before + publishing. Instead of the zone private key "d", the signature MUST + be created using a blinded public/private key pair d' and zk'. + This blinding is realized using a Hierarchical Deterministic Key + Derivation (HDKD) scheme. 
+ Such a scheme allows the zone owner to derivate a private d' and a + resolver to derive the corresponding public key zk' in a deterministic + manner from the original public and private zone keys as well as a + label. + </t> + <t> + We define that for any type of zone key material the function + "HDKD-Private" must be defined as: + </t> + <artwork name="" type="" align="left" alt=""><![CDATA[ +HDKD-Private(d, label) -> d' + ]]></artwork> + <t> + where: + </t> + <dl> + <dt>d</dt> + <dd> + Is the private zone key input. + </dd> + <dt>label</dt> + <dd> + Is the resource record label. + </dd> + <dt>d'</dt> + <dd> + Is the derived (blinded) private zone key. + </dd> + </dl> + <t> + Correspondingly, the function "HDKD-Public" must be defined as: + </t> + <artwork name="" type="" align="left" alt=""><![CDATA[ +HDKD-Public(zk, label) -> zk' + ]]></artwork> + <t> + where: + </t> + <dl> + <dt>zk</dt> + <dd> + Is the public zone key input. + </dd> + <dt>label</dt> + <dd> + Is the resource record label. + </dd> + <dt>d'</dt> + <dd> + Is the derived (blinded) public zone key. + </dd> + </dl> + </section> + <section anchor="zone_types" numbered="true" toc="default"> + <name>Zone Types</name> + <section anchor="zone_type_pkey" numbered="true" toc="default"> + <name>PKEY Zone</name> + <t> + A PKEY zone in GNS is defined by a public/private ECDSA key pair (d,zk), + where d is the private key and zk the corresponding public key. + GNS employs the curve parameters of the twisted edwards representation + of Curve25519 <xref target="RFC7748" /> (a.k.a. edwards25519) + with the ECDSA scheme (<xref target="RFC6979" />). + In the following, we use the following naming convention for our + cryptographic primitives: + </t> + <dl> + <dt>d</dt> + <dd> + is a 256-bit ECDSA private key. + </dd> + <dt>p</dt> + <dd> + is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e. + 2^255 - 19. 
+ </dd> + <dt>B</dt> + <dd> + is the group generator (X(P),Y(P)) of edwards25519 as defined in + <xref target="RFC7748" />. + </dd> + <dt>L</dt> + <dd> + is the prime-order subgroup of edwards25519 in <xref target="RFC7748" />. + </dd> + <dt>zk</dt> + <dd> + is the ECDSA public key corresponding to d. It is defined in + <xref target="RFC6979" /> as the curve point d*B where B is the group + generator of the elliptic curve. The public key is used to uniquely + identify a GNS zone and is referred to as the "zone key". + </dd> + </dl> + <t> + Given a label, the output of the HDKD-Private function is + calculated as follows for PKEY zones: + </t> + <artwork name="" type="" align="left" alt=""><![CDATA[ +zk := d * B +PRK_h := HKDF-Extract ("key-derivation", zk) +h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) +d' := h * d mod L + ]]></artwork> + <t> + Equally, given a label, the output of the HDKD-Public function is + calculated as follows for PKEY zones: + </t> + <artwork name="" type="" align="left" alt=""><![CDATA[ +PRK_h := HKDF-Extract ("key-derivation", zk) +h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) +zk' := h mod L * zk + ]]></artwork> + <t> + We use a hash-based key derivation function (HKDF) as defined in + <xref target="RFC5869" />. We use HMAC-SHA512 for the extraction + phase and HMAC-SHA256 for the expansion phase. + </t> + <dl> + <dt>PRK_h</dt> + <dd> + is key material retrieved using an HKDF using the string + "key-derivation" as salt and the public zone key "zk" as initial + keying material. + </dd> + <dt>h</dt> + <dd> + is the 512-bit HKDF expansion result. The expansion info input is a + concatenation of the label and string "gns". + </dd> + <dt>d</dt> + <dd> + is the 256-bit private zone key as defined in <xref target="zone_type_pkey" />. + </dd> + <dt>label</dt> + <dd>is a UTF-8 string under which the resource records are published. + </dd> + <dt>L</dt> + <dd> + is the prime-order subgroup as defined in <xref target="zone_type_pkey" />. 
+ </dd> + </dl> + <t> + We point out that the multiplication of "zk" with "h" is a point multiplication, + while the multiplication of "d" with "h" is a scalar multiplication. + </t> + </section> + <section anchor="zone_type_edkey" numbered="true" toc="default"> + <name>EDKEY Zone</name> + <t>TODO: Do the same as the above with a Schnorr variant</t> + </section> + </section> </section> <section anchor="rrecords" numbered="true" toc="default"> <name>Resource Records</name> @@ -537,7 +664,6 @@ </dl> </section> </section> - <section anchor="publish" numbered="true" toc="default"> <name>Publishing Records</name> <t> 
@@ -550,67 +676,28 @@ label of the contained records. </t> <section anchor="blinding" numbered="true" toc="default"> - <name>Key Derivations</name> + <name>DHT Key Derivations</name> <t> Given a label, the DHT key "q" is derived as follows: </t> <artwork name="" type="" align="left" alt=""><![CDATA[ -PRK_h := HKDF-Extract ("key-derivation", zk) -h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) -d_h := h * d mod L -zk_h := h mod L * zk -q := SHA512 (zk_h) +q := SHA512 (HDKD-Public(zk, label)) ]]></artwork> - <t> - We use a hash-based key derivation function (HKDF) as defined in - <xref target="RFC5869" />. We use HMAC-SHA512 for the extraction - phase and HMAC-SHA256 for the expansion phase. - </t> <dl> - <dt>PRK_h</dt> - <dd> - is key material retrieved using an HKDF using the string - "key-derivation" as salt and the public zone key "zk" as initial - keying material. - </dd> - <dt>h</dt> - <dd> - is the 512-bit HKDF expansion result. The expansion info input is a - concatenation of the label and string "gns". - </dd> - <dt>d</dt> - <dd> - is the 256-bit private zone key as defined in <xref target="zones" />. - </dd> <dt>label</dt> <dd>is a UTF-8 string under which the resource records are published. </dd> - <dt>d_h</dt> - <dd> - is a 256-bit private key derived from the "d" using the - keying material "h". - </dd> - <dt>zk_h</dt> - <dd> - is a 256-bit public key derived from the zone key "zk" using the - keying material "h". - </dd> - <dt>L</dt> + <dt>zk</dt> <dd> - is the prime-order subgroup as defined in <xref target="zones" />. + is the public zone key. </dd> <dt>q</dt> <dd> Is the 512-bit DHT key under which the resource records block is published. - It is the SHA512 hash over the public key "zk_h" corresponding to the - derived private key "d_h". + It is the SHA512 hash over the derived public zone key. 
</dd> </dl> - <t> - We point out that the multiplication of "zk" with "h" is a point multiplication, - while the multiplication of "d" with "h" is a scalar multiplication. - </t> </section> <section anchor="wire" numbered="true" toc="default"> <name>Resource Records Block</name> @@ -630,18 +717,16 @@ q := SHA512 (zk_h) <artwork name="" type="" align="left" alt=""><![CDATA[ 0 8 16 24 32 40 48 56 +-----+-----+-----+-----+-----+-----+-----+-----+ +| ZONE TYPE | ++-----+-----+-----+-----+-----+-----+-----+-----+ | SIGNATURE | -| | -| | -| | -| | -| | -| | +/ / +/ / | | +-----+-----+-----+-----+-----+-----+-----+-----+ | PUBLIC KEY | -| | -| | +/ / +/ / | | +-----+-----+-----+-----+-----+-----+-----+-----+ | SIZE | PURPOSE | @@ -658,17 +743,14 @@ q := SHA512 (zk_h) <dl> <dt>SIGNATURE</dt> <dd> - A 512-bit ECDSA deterministic signature compliant with - <xref target="RFC6979" />. The signature is computed over the data - following the PUBLIC KEY field. - The signature is created using the derived private key "d_h" (see - <xref target="publish" />). + The signature is computed over the data following + the PUBLIC KEY field. + The signature is created using the derived private key "d'" (see + <xref target="zone_types" />). </dd> <dt>PUBLIC KEY</dt> <dd> - is the 256-bit public key "zk_h" to be used to verify SIGNATURE. The - wire format of this value is defined in <xref target="RFC8032" />, - Section 5.1.5. + is the public key "zk'" to be used to verify SIGNATURE. </dd> <dt>SIZE</dt> <dd> diff --git a/ietf/secdispatch/gns.tex b/ietf/secdispatch/gns.tex 
@@ -10,7 +10,7 @@ \usepackage{multirow} \title{The GNU Name System\\\small{secdispatch -- IETF 108}\\\small{\url{https://datatracker.ietf.org/doc/draft-schanzen-gns/}}} \date{30/7/2020} -\author{Martin Schanzenbach} +\author{Martin Schanzenbach\\Christian Grothoff\\Bernd Fix} \institute{\hfill\large{GNUnet} \includegraphics[trim={0cm 1.5cm 0cm 0cm},clip,width=4em]{gnunet}} \begin{document} \metroset{block=fill,sectionpage=progressbar,numbering=counter}
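
Review bot: in the @@ -133,43 +133,170 @@ hunk of draft-schanzen-gns.xml, the definition list that follows `HDKD-Public(zk, label) -> zk'` labels its third entry `<dt>d'</dt>` while describing "the derived (blinded) public zone key"; it should read `<dt>zk'</dt>` to match the artwork above it. In the same hunk, "derivate a private d'" should be "derive a private key d'", and the two "must be defined as" sentences use lowercase "must" right after the "MUST" in the preceding paragraph, so decide whether they are normative requirements on every zone type. L is defined as "the prime-order subgroup" but is used as a modulus in `d' := h * d mod L`, so the definition should say it is the order of that subgroup. The opening paragraph says PKEY and EDKEY are "specified within this document" while the EDKEY section is only a TODO; word it as planned until that section is filled in.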
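
Review bot: in the @@ -550,67 +676,28 @@ hunk, `q := SHA512 (HDKD-Public(zk, label))` hashes a value whose byte encoding is not stated in the visible text now that zk' depends on the zone type. State, per zone type, which serialization of zk' is fed to SHA512 so that independent implementations compute the same q. The section is renamed to "DHT Key Derivations" but keeps anchor="blinding", although the blinding text now lives under anchor="zone_privacy"; renaming the anchor would keep cross-references meaningful.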
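
Review bot: the ZONE TYPE row added to the block diagram in the @@ -630,18 +717,16 @@ hunk has no matching entry in the field list, which still begins with `<dt>SIGNATURE</dt>` in the following hunk's context. Add a `<dt>ZONE TYPE</dt>` entry that gives the field width (the diagram draws it as a full 64-bit row) and the values assigned to PKEY and EDKEY. SIGNATURE and PUBLIC KEY are now drawn with "/ /" as variable-length fields, so the text should also say that their lengths are determined by ZONE TYPE; without that a parser cannot locate SIZE and PURPOSE.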
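
Review bot: the SIGNATURE and PUBLIC KEY descriptions in the @@ -658,17 +743,14 @@ hunk drop the 512-bit and 256-bit sizes and the RFC8032 Section 5.1.5 key encoding, and the new PKEY Zone section names the ECDSA scheme but states neither the signature length nor the public key encoding, so the PKEY wire format is left unspecified. Move those statements into the PKEY Zone section. Also, the signature still covers only "the data following the PUBLIC KEY field", so the ZONE TYPE field placed in front of SIGNATURE is not signed; say whether a resolver must compare it with the type of the zone key it used for the lookup, or extend the signed data to include it.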