commit d829c781e9de82774375956af7c82f266fb22850
parent c972b4c4f0d6fcbd2c3dd4aef66543da7b5d5c6e
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Fri, 4 Feb 2022 21:16:33 +0100
crypto normative references
Diffstat:
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -1110,7 +1110,8 @@ S-Decrypt(zk,label,expiration,ciphertext):
For EDKEY zones the zone key material is derived using the
curve parameters of the twisted edwards representation
of Curve25519 <xref target="RFC7748" /> (a.k.a. Ed25519)
- with the Ed25519-SHA-512 scheme <xref target="ed25519" />.
+ with the Ed25519 scheme <xref target="ed25519" /> as specified in
+ <xref target="RFC8032" />.
Consequently, we use the following naming convention for our
cryptographic primitives for EDKEY zones:
</t>
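Review bot: this hunk keeps <xref target="ed25519" /> next to the new <xref target="RFC8032" /> while every later hunk replaces the ed25519 citation outright; if RFC 8032 is now the normative reference for the scheme, consider either dropping the ed25519 xref here as well or making the sentence say that RFC 8032 governs and the paper is cited for background, so the reference classification stays consistent across the section.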
@@ -1123,28 +1124,28 @@ S-Decrypt(zk,label,expiration,ciphertext):
<dt>a</dt>
<dd>
is is an integer derived from d using the SHA-512 hash function
- as defined in <xref target="ed25519" />.
+ as defined in <xref target="RFC8032" />.
</dd>
<dt>zk</dt>
<dd>
is the EdDSA public key corresponding to d. It is defined
as the curve point a*G where G is the
group generator of the elliptic curve
- as defined in <xref target="ed25519" />.
+ as defined in <xref target="RFC8032" />.
</dd>
<dt>p</dt>
<dd>
- is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e.
+ is the prime of edwards25519 as defined in <xref target="RFC8032" />, i.e.
2^255 - 19.
</dd>
<dt>G</dt>
<dd>
is the group generator (X(P),Y(P)) of edwards25519 as defined in
- <xref target="RFC7748" />.
+ <xref target="RFC8032" />.
</dd>
<dt>L</dt>
<dd>
- is the order of the prime-order subgroup of edwards25519 in <xref target="RFC7748" />.
+ is the order of the prime-order subgroup of edwards25519 in <xref target="RFC8032" />.
</dd>
<dt>KeyGen()</dt>
<dd>
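Review bot: the unchanged context line "is is an integer derived from d using the SHA-512 hash function" has a doubled "is"; since this hunk already edits the same <dd>, it is worth fixing here. Also, now that p, G and L point at RFC 8032 instead of RFC 7748, note that RFC 8032 Section 5.1 names the base point B, whereas the text keeps the (X(P),Y(P)) notation from RFC 7748; a short remark that G here is B of RFC 8032 would keep the definitions unambiguous.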
@@ -1153,7 +1154,7 @@ S-Decrypt(zk,label,expiration,ciphertext):
group generator of the elliptic curve and a is an integer
derived from d using the SHA-512 hash function
as defined
- in Section 3.2. of <xref target="RFC8032" /> represents the KeyGen()
+ in Section 5.1.5 of <xref target="RFC8032" /> represents the KeyGen()
function.
</dd>
</dl>
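Review bot: the pointer to Section 5.1.5 of RFC 8032 (the Ed25519 key generation step) is more precise than the previous Section 3.2, but the <dd> for a in the preceding hunk only says "as defined in <xref target="RFC8032" />" with no section; give it the same Section 5.1.5 pointer so both places describing how a is derived from d agree.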
@@ -1164,11 +1165,14 @@ S-Decrypt(zk,label,expiration,ciphertext):
</t>
<t>
The "EDKEY" ZKDF instantiation is based on <xref target="Tor224"/>.
+ For brevity, instead of using d as a parameter to the derivation,
+ we define the ZKDF-Private() procedure on the derived integer a.
+ The calculation of a Ed25519 is defined in <xref target="RFC8032" />.
Given a label, the output of the ZKDF-Private function for zone
key blinding is calculated as follows for EDKEY zones:
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
-ZKDF-Private(d,label):
+ZKDF-Private(a,label):
zk := a * G
PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
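Review bot: the added sentence "The calculation of a Ed25519 is defined in <xref target="RFC8032" />" is missing a preposition and should read "The calculation of a for Ed25519 ..." (or "of a in Ed25519"). Beyond the wording, switching the signature to ZKDF-Private(a,label) while the surrounding text still presents Sign(d,message) and speaks of the "private zone key" means an implementer must carry both d and a; consider stating explicitly that a is obtained from d per the KeyGen() definition above before it is passed to ZKDF-Private.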
@@ -1223,14 +1227,14 @@ ZKDF-Public(zk,label):
</t>
<t>
The Sign(d,message) and Verify(zk,message,signature) procedures MUST
- be implemented as defined in <xref target="ed25519" />.
+ be implemented as defined in <xref target="RFC8032" />.
</t>
<t>
Signatures for EDKEY zones using the derived private key a'
- are not compliant with <xref target="ed25519" />.
+ are not compliant with <xref target="RFC8032" />.
As the corresponding private key to the derived private scalar a'
is not known, it is not possible to deterministically derive the
- signature part R according to <xref target="ed25519" />.
+ signature part R according to <xref target="RFC8032" />.
Instead, signatures MUST be generated as follows for any given
message and private zone key:
A nonce is calculated from the highest 32 bytes of the
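Review bot: the hunk says signatures made with a' "are not compliant with <xref target="RFC8032" />" while three lines earlier it requires Verify(zk,message,signature) to be implemented exactly as in RFC 8032; to avoid reading these as a contradiction, state that only the signing procedure deviates (the nonce cannot be derived from a seed because no seed for a' exists, as the next sentence explains) and that the resulting signatures still use the RFC 8032 encoding and verify under its Verify. The same paragraph also calls a' both "derived private key" and "derived private scalar"; pick one term.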