commit e90cb113eb1e3550497dc214fb459fd4441e520f
parent a1d2f683368a330d320451a16ed69874ad62cbd5
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
Date: Tue, 6 Oct 2020 13:58:16 +0200
minor considerations
Diffstat:
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
@@ -679,7 +679,13 @@ PRK_h := HKDF-Extract ("key-derivation", zk)
h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
h[31] &= 7 // Implies h mod L == h
zk’ := h * zk
- ]]></artwork>
+ ]]></artwork>
+ <t>
+ We note that implementors must employ a constant time scalar
+ multiplication for the constructions above. Also, implementors
+ must ensure that the private key "a" is an ed25519 private key
+ and specifically that "a[0] & 7 == 0" holds.
+ </t>
<t>
The EDKEY cryptosystem uses a
hash-based key derivation function (HKDF) as defined in
@@ -698,7 +704,8 @@ zk’ := h * zk
</t>
<t>
We point out that the multiplication of "zk" with "h" is a point multiplication,
- while the multiplication of "a" with "h" is a scalar multiplication.
+ while the division and multiplication of "a" and "a1" with the
+ cofactor are integer operations.
</t>
<t>
Signatures for EDKEY zones using the derived private key "a'"
