commit 619f168b3efaae4643cc251dd8d6af23407507a8
parent f9ad03dcf8b27b42dd27d7fa9a9c1674089b9c98
Author: Mikolai Gütschow <mikolai.guetschow@tu-dresden.de>
Date: Mon, 8 Jul 2024 12:50:37 +0200
crypto primitives: details for RSA-FDH
Diffstat:
2 files changed, 247 insertions(+), 54 deletions(-)
diff --git a/draft-guetschow-taler-protocol.md b/draft-guetschow-taler-protocol.md
@@ -181,7 +181,7 @@ Output:
OKM output keying material (smaller than N)
~~~
-The final output `OKM` is determined iteratively based on a counter initialized at zero,
+The final output `OKM` is determined deterministically based on a counter initialized at zero,
where `c` denotes the two least significant octets of the counter in network-byte order
~~~
@@ -198,7 +198,9 @@ do until OKM < N:
## Blind Signatures
-### RSA-FDH
+### RSA-FDH {#rsa-fdh}
+
+#### Supporting Functions
~~~
RSA-FDH(msg, pubkey) -> fdh
@@ -222,6 +224,94 @@ fdh = HKDF-Mod(pubkey.N, salt, msg, info)
The resulting `fdh` can be used to test against a malicious RSA pubkey
by verifying that the greatest common denominator (gcd) of `fdh` and `pubkey.N` is 1.
+~~~
+RSA-FDH-Derive(bks, pubkey) -> out
+
+Inputs:
+ bks blinding key secret of length L = 8 octets
+ pubkey RSA public key consisting of modulus N and public exponent e
+
+Output:
+ out full-domain hash of bks over pubkey.N
+~~~
+
+`out` is calculated based on HKDF-Mod from {{hkdf-mod}} as follows:
+
+~~~
+info = 0x426c696e64696e67204b4446 ("Blinding KDF" encoded as UTF-8)
+salt = 0x426c696e64696e67204b444620657874726163746f7220484d4143206b6579 ("Blinding KDF extractor HMAC key" encoded as UTF-8)
+fdh = HKDF-Mod(pubkey.N, salt, bks, info)
+~~~
+
+#### Blinding
+
+~~~
+RSA-FDH-Blind(msg, bks, pubkey) -> out
+
+Inputs:
+ msg message
+ bks blinding key secret of length L = 8 octets
+ pubkey RSA public key consisting of modulus N and public exponent e
+
+Output:
+ out message blinded for pubkey
+~~~
+
+`out` is calculated based on RSA-FDH from {{rsa-fdh}} as follows:
+
+~~~
+data = RSA-FDH(msg, pubkey)
+r = RSA-FDH-Derive(bks, pubkey)
+r_e = r ** pubkey.e (mod N)
+out = r_e * data (mod N)
+~~~
+
+#### Signing
+
+#### Unblinding
+
+~~~
+RSA-FDH-Unblind(sig, bks, pubkey) -> out
+
+Inputs:
+ sig blind signature
+ bks blinding key secret of length L = 8 octets
+ pubkey RSA public key consisting of modulus N and public exponent e
+
+Output:
+ out unblinded signature
+~~~
+
+`out` is calculated as follows:
+
+~~~
+r = RSA-FDH-Derive(bks, pubkey)
+r_inv = inverse of r (mod N)
+out = sig * r_inv (mod N)
+~~~
+
+#### Verifying
+
+~~~
+RSA-FDH-Verify(msg, sig, pubkey) -> out
+
+Inputs:
+ msg message
+ sig signature of pubkey over msg
+ pubkey RSA public key consisting of modulus N and public exponent e
+
+Output:
+ out true, if sig is a valid signature
+~~~
+
+`out` is calculated based on RSA-FDH from {{rsa-fdh}} as follows:
+
+~~~
+data = RSA-FDH(msg, pubkey)
+exp = sig ** pubkey.e (mod N)
+out = (data == exp)
+~~~
+
### Clause-Schnorr
# The Taler Crypto Protocol
diff --git a/draft-guetschow-taler-protocol.xml b/draft-guetschow-taler-protocol.xml
@@ -200,7 +200,7 @@ Output:
OKM output keying material (smaller than N)
]]></artwork></figure>
-<t>The final output <spanx style="verb">OKM</spanx> is determined iteratively based on a counter initialized at zero,
+<t>The final output <spanx style="verb">OKM</spanx> is determined deterministically based on a counter initialized at zero,
where <spanx style="verb">c</spanx> denotes the two least significant octets of the counter in network-byte order</t>
<figure><artwork><![CDATA[
@@ -223,6 +223,8 @@ do until OKM < N:
<section anchor="rsa-fdh"><name>RSA-FDH</name>
+<section anchor="supporting-functions"><name>Supporting Functions</name>
+
<figure><artwork><![CDATA[
RSA-FDH(msg, pubkey) -> fdh
@@ -245,6 +247,99 @@ fdh = HKDF-Mod(pubkey.N, salt, msg, info)
<t>The resulting <spanx style="verb">fdh</spanx> can be used to test against a malicious RSA pubkey
by verifying that the greatest common denominator (gcd) of <spanx style="verb">fdh</spanx> and <spanx style="verb">pubkey.N</spanx> is 1.</t>
+<figure><artwork><![CDATA[
+RSA-FDH-Derive(bks, pubkey) -> out
+
+Inputs:
+ bks blinding key secret of length L = 8 octets
+ pubkey RSA public key consisting of modulus N and public exponent e
+
+Output:
+ out full-domain hash of bks over pubkey.N
+]]></artwork></figure>
+
+<t><spanx style="verb">out</spanx> is calculated based on HKDF-Mod from <xref target="hkdf-mod"/> as follows:</t>
+
+<figure><artwork><![CDATA[
+info = 0x426c696e64696e67204b4446 ("Blinding KDF" encoded as UTF-8)
+salt = 0x426c696e64696e67204b444620657874726163746f7220484d4143206b6579 ("Blinding KDF extractor HMAC key" encoded as UTF-8)
+fdh = HKDF-Mod(pubkey.N, salt, bks, info)
+]]></artwork></figure>
+
+</section>
+<section anchor="blinding"><name>Blinding</name>
+
+<figure><artwork><![CDATA[
+RSA-FDH-Blind(msg, bks, pubkey) -> out
+
+Inputs:
+ msg message
+ bks blinding key secret of length L = 8 octets
+ pubkey RSA public key consisting of modulus N and public exponent e
+
+Output:
+ out message blinded for pubkey
+]]></artwork></figure>
+
+<t><spanx style="verb">out</spanx> is calculated based on RSA-FDH from <xref target="rsa-fdh"/> as follows:</t>
+
+<figure><artwork><![CDATA[
+data = RSA-FDH(msg, pubkey)
+r = RSA-FDH-Derive(bks, pubkey)
+r_e = r ** pubkey.e (mod N)
+out = r_e * data (mod N)
+]]></artwork></figure>
+
+</section>
+<section anchor="signing"><name>Signing</name>
+
+</section>
+<section anchor="unblinding"><name>Unblinding</name>
+
+<figure><artwork><![CDATA[
+RSA-FDH-Unblind(sig, bks, pubkey) -> out
+
+Inputs:
+ sig blind signature
+ bks blinding key secret of length L = 8 octets
+ pubkey RSA public key consisting of modulus N and public exponent e
+
+Output:
+ out unblinded signature
+]]></artwork></figure>
+
+<t><spanx style="verb">out</spanx> is calculated as follows:</t>
+
+<figure><artwork><![CDATA[
+r = RSA-FDH-Derive(bks, pubkey)
+r_inv = inverse of r (mod N)
+out = sig * r_inv (mod N)
+]]></artwork></figure>
+
+</section>
+<section anchor="verifying"><name>Verifying</name>
+
+<figure><artwork><![CDATA[
+RSA-FDH-Verify(msg, sig, pubkey) -> out
+
+Inputs:
+ msg message
+ sig signature of pubkey over msg
+ pubkey RSA public key consisting of modulus N and public exponent e
+
+Output:
+ out true, if sig is a valid signature
+]]></artwork></figure>
+
+<t><spanx style="verb">out</spanx> is calculated based on RSA-FDH from <xref target="rsa-fdh"/> as follows:</t>
+
+<figure><artwork><![CDATA[
+data = RSA-FDH(msg, pubkey)
+exp = sig ** pubkey.e (mod N)
+out = (data == exp)
+]]></artwork></figure>
+
+</section>
</section>
<section anchor="clause-schnorr"><name>Clause-Schnorr</name>
@@ -352,7 +447,7 @@ by verifying that the greatest common denominator (gcd) of <spanx style="verb">f
-<?line 239?>
+<?line 329?>
<section anchor="change-log"><name>Change log</name>
@@ -370,56 +465,64 @@ Education and Research (BMBF) within the project Concrete Contracts.</t>
</back>
<!-- ##markdown-source:
-H4sIAAAAAAAAA81YW3PbuhF+56/Y47xIrShLsiQ7OnGnjh3HnsRKJnYmDzlu
-DZEQhZoiOCRoWUmdX9a3/rF+C4C6JadzOu20zWQsEtgbdr+9gGEYBg8jOggC
-o0wqR7R3M5P0evyRbkQqC3pfaKMjne4FsY4yMQdFXIipCZNKmjKa6UVomDDM
-PWEQCSMTXSxHpLKpDgKVFyMyRVWaXqfzvNMLFrq4Twpd5UwRy1ziT2aC0hRS
-zLfX7uUS1PEoIArJ6rFPUbHMjU4Kkc+WdkFGopzZp1ws5+Asg+AZPciskiM8
-EBUy1yOaGZOXo/39RJl2klWZNG1dJPtpGXdgWhvL+5Y6xRFKs6YHwQ/o94NA
-VGamC5gXQjmR88+VutepUPT6739zHrJ7YBzRzcczOitkicPRx0w9yKJUZkl6
-SjcymmU61cnSUovJpJAPzFDT22X2kYRhFzKdz3RqvmChTd2O3YwgarRFHukY
-9pyFnW5n+NyvVJnh2LyWxVxkTpmcC5WOaO7sbq8i+0dThbET145lEGQaPAZW
-czw+nJ/2up2+fxwcDZ/7x2HvwK5evDk7h/J3l+1uB/87h/vPD4/Cg3DY74Xd
-PqjCwz8f9EF4fXG9oht2ekf748vrm/b55fvrdveoE/YBIQBppToIwjCEg3B0
-EZkg+OUz3bz8RL/cuo25iuNUcvgvcVIdV5FROtsieykXopBkZsLgjyoJ0K4Y
-NYTn0qg0JcZoqDJGdQIPlCSymOZiCQdmRqiMZFHoomwHH0tJELPUVUF6kVGh
-yvufWPtYG+E0h3Qn6K80uSM4UgNZUCpZEGdKZokYAYIWysxowsyna4CrCDmo
-5ooPz6je3bwA8um8yuwxLcEzePQk7A2G9PVZORN4eAqCb9++BX65MS+TJoV/
-oBknTXCZ5ZUZWSBgg3+QgliiOc4tEsm2pTJLYNtbekG9Pw27pCMjOcfeVWbF
-zNKsEM8WqwRJxNxT9SjjWgbb+xbwP6aDXi2HjQvuWMAdh4Ddo61k5q4PI0rK
-UZCupTsp9dvdFg34z5D/cICG7R5zfPYovG2v3THo9pw78LDhDrz9u+7o9gb/
-GX8M+7/ZH3ya7/3RY3/02B8HtT/6/8Qf1qsNVGYLxLhebq78FNq9/1Nv7aDn
-Zu0j77hIF8jcXGcxPKitE6eqgMwVJ0v/sW9jOVUZtCLRv371oHkaOUcYOc+h
-f9MfgbX+mHjrc2d00L11RqEGbJYZjXi5dI/VdIraT9NCz2tJ+x7kG7o/ozTe
-8gNbqTLUAJE6Tz2ItJIIJ9eDK++yEzQjFDEVOR2nKP6+HlxcnZwiqrO5qKPJ
-KyE7s4EW24Lhj8ZGFa5AXHIW4OJy4eMSbRUda8PUFx1Xt7wTt+O0BRBosgAp
-ZVRIY1/X6BDMKhCdmpMp2aw1pGJhhC2UxUQZUSw96zaOYAb5Xx/THYtcbmHb
-plYk0qhKLfx3XO/726138htYeyYL9eCcu1Nwudexg+/j6ZPDIquDpF9howZz
-NKkqnTY3ayluM3gtjUAYV43hs++vt4F1tFlojx/uWFuRAKB0YcHy6tF2R1sF
-Xj3m/FMamfMhyyrh1PLHZDtuR8Ed/4ae647tKunOggToBDjvWrSYqVRSTcgi
-d+kA4DtqRNM2ksZi7anZ9nADU6MUqWnR5Zurlp0MW/TWQu7dmysPk9KFkOls
-CC0MgXi7YBFPDUGZzkIPoQJGIIHsVvNny7z+p6YgNYQO/qBiGUOp6+/gQzkQ
-PEupLGEHo/B+kYVGN2c+GLhRx4BSpsLwgSiKNHA7U71lIA8FDFV2s8jztE7B
-MpeRmiJfVgOMznasbEQI+QQzhDUh9GB1tjUt7VtP6bdgr8f2jmkcTl8Rd1S8
-OKbeYPA71L1jOuoOO83tlHnnD/xrchtQ+daLbn5XbZn7u0Sa6jTVi9JXzPcf
-3kDzJsLWWGi66nHhCmhdfxubXbEZsI6VAEZeAyI3ULQrwja2zVbhza5TNbzS
-McZAwdmnXXW1GbxV9m0yP7Vc6V7VOsCuKjKbqGyVLe6MqrlIOYXxniGWCYY1
-hFUllFXzCdbHG4nA2hvjFu3kw4+TYVxHcS3sZxqjAG4Nk2tsjNl4bJdbqfS/
-zqXfkEz/hWz611C/FdLxBvCBEezXwwbk2E4SSzDOHXyM7fMPMl3SpAaZcHcv
-LvOukasvnCvGWtoKFjPUc7qLti8JXOtdWyxVkvHh0Rl2ppe1WMIF1V5cJkvM
-Hbg347psza5JjqmDazzhRaXWAS9o7Lzx6PNrt0jj3hK1KJIqbTDoyv2jZnPl
-vmMLxPIHFtpl2Pe4vnRC/e+PqVsnIu5HWfgyxWWfrsEokFX1tPIqRrXqPrdU
-P6b4cH0Snp9duMP5Fx7EWpRXEwTSptI0nm2nUj2g+hHTrjl6Yon8DKzZuQQQ
-LBVugg7Tc9wi06pEbjEkPZl8xGjJHVhu4wpqrZZplaYhMoovi7ZJsyBYoHHp
-92rbYz+NgGd3Glnhpq4YblZ0ZSmERU9P3xdaGzEE+XHQGxz0u724P+z38dvp
-Dwf9w87hweCw16XGnnPZCZ3f5OWnn/ZIZvylwFbujzfn4VEzsGXi2NeVRm1u
-E3DYXpK8VG+vH2XAbjheGb+SUFc9Gyxb9dZ5hfBWqfW5c4jPZTsj8QDP9wGR
-CJ6PkE3IThUpjbD42EF+MFkS3KumNpX94C0JN3j7QQdhnc95+kaGIVOFwbDU
-SKK4ybFxOjnAd7WxNiZdf2k6TQUsCa/5M01R8CWdbXaDm7uRr76VWeR+Qk+K
-C7EQ/Mq3tKrgTz2njKzY3wNK/1nizH6WeEaXJ+OT7yiQKDzp87eNiYju7ecB
-lCQM/KlO+O0kus/0IpVx4r58fR25PiHj472pSEu597Sl54YbGtcJWthxMM91
-4cfBXBRI3qX1mvtCROeSbUnpCmULhZRn9uBVXPmazP76IEspimhGjZdXL89d
-N/Z3FjSMv+B+ymfiJiP5wQ4A6A//AK8YASV6FAAA
+H4sIAAAAAAAAA81ZW1fbSBJ+16+oIS92FhnbGAOeYc+SEAIngeQEsnnIsENb
+atsaZMmn1QKcLPll+7Z/bL+qbvkW5zJnZneHw7Gl7uqu6qqvbu0wDIPbHm0H
+gU1sqnu0cTnS9Pz8LV2qVBt6bXKbR3m6EcR5lKkxKGKjBjYcltoW0Si/Cy0T
+hhNPGETK6mFupj1KskEeBMnE9MiasrDtZnO/2Q7ucnMzNHk5YYpYTzQ+MhsU
+1mg1Xh670VNQx72AKCThI0+RmU5sPjRqMprKgI5UMZKniZqOsbIIgkd0q7NS
+9/BAZPQk79HI2knR29oaJrYxzMpM20ZuhltpETchWgPDW0Kd4giFndODYA39
+VhCo0o5yA/FCMCdy+jlLbvJUJfT83/9yGpI5LOzR5dsjOjK6wOHobZbcalMk
+dkr5gC51NMryNB9OhVr1+0bf8oKKXoZZRxqCneh0PMpT+wEDDWo1ZTLCVr0l
+8iiPIc9R2Gw1u/t+pMws2+a5NmOVOWZ6rJK0R2Mnd2Nm2b/ZMozddo1YB0GW
+Y42F1GyPN8dP261mxz/u7HX3/WO3vS2jJy+OjsH81Wmj1cR/c3drf3cv3A67
+nXbY6oAq3P1luwPCi5OLGV232d7bOj+9uGwcn76+aLT2mmEHEAKQZqyDIAxD
+KAhHV5ENgp/f0+WTd/TzlZsYJ3Gcajb/KU6ax2VkkzxbInui75TRZEfK4iMp
+CNAuGTWE58ImaUqM0TDJGNVDaKAglcU0VlMoMLMqyUgbk5uiEbwtNGGbaV4a
+yu8yMklx8wNzP8+tcpxDulb0T+pfExSZA1lgqnkj9pRMiBgBiu4SO6I+L346
+B3gSwQeTccKHZ1SvTp4A+XRcZnJMIXgEjR6G7Z0ufXxUjBQeHoLg06dPgR+u
+jYthncK/0oidJjjNJqXtCRAwwV9wQQzRGOdWQ82ypTobQraX9BO1/9FtUR5Z
+zT72qrSzxbybbOKXxckQTsSrB8m9jqs9WN6XgP8BbberfVi44Jo3uGYTsHpy
+2ZlXV4dRBU0QkC60Oyl1Gq1N2uGPLn+wgbqNNq9471F41ZirY6fVdurAw4I6
+8PZ71dFq7/wx+uh2vlsffJrP9dFmfbRZH9uVPjpf0YdotYbILECMq+H6TE+h
+zP1JtbWCnsu5jrziotzAcyd5FkODuShxkBjsOVvJu6/XbawHSQaucPSPHz1o
+HnpOEVaPJ+C/qI9ApD8gnnrf7G23rpxQiAGLYSaHvZy7x8lggNhPA5OPq522
+PMgXeL9HaLziB5YyyRADVOo0davSUsOcHA/OvMoOkYwQxJLI8XiK4O/jwcnZ
+4VNYdTRWlTV5JGRl1pBiNyH4vRWrQhWwy4Q3cHY58XaJloKOyDDwQcfFLa/E
+ZTstAQScBCCFjoy28jpHh+KlCtapVjIlizWHVKyskkBp+olVZuqXLuMIYpD/
+9jZdkcj5FqbFtSKVRmUq8F9Rvc9vV17JLyDtkTbJrVPuSsDlXMcKvokHDw6L
+zA47fWEZ1XhFncrCcXO1VsJpBq+FVTDjLDG89/n1KhBF27vc44cz1pIlAKjc
+CFie3Ut2lCjw7H7CX4XVEz5kUQ7ZtfwxWY6rXnDN36Ffdc1yFXQtIAE6Ac7r
+TbobJammipC3XKUDgK+pFg0acBrB2kO94eGGRbVCpXaTTl+cbUpluEkvBXKv
+Xpx5mBTOhEwnJhQYAvEyIIinmqIsz0IPIQMh4EAyVf9RFs//kgFILSGD3yax
+jsHU5XesQzhQXEsl2ZAVjMD7QZsc2ZzXQcCFOAaUMhWKD1hRpYGbGeRLAnJR
+wFBlNavJJK1csJjoKBnAX2YFTJ6tSFmLYPI+aggRIfRgdbLVhfalp/RTkNdj
+e0U0NqePiCssfjqg9s7OY8S9A9prdZv1ZZd55Q/8pX1rYPnSb13/LNry6s8c
+aZCnaX5X+Ij5+s0LcF5E2BwLdRc9TlwAreJvbTEr1gPmMduAkVfDlgsoWt1C
+EttiqvBiV64anuUxykDF3pe76CoevBT2xZkfNl3onsU6wK40mTgqSyXBnVE1
+Vim7MN4z2HKIYg1mTYaUleM+xs8XHIG51843acUf1jvDeWXF+WY/0jkC4FIx
+OcfGOQuP6WLJlf7fvvQdzvQ/8Kbfhvolk54vAB8YwXxVbGAfySSxxsKxwKd6
+TApOxmk6pX4FNeU6MA72Lp0nH9hjrMi7GdyNENXpOlpuFTjiu+RYJMOMVYD8
+sFLDzLcltKnSvvSnqD7QPaNpFuErkgNqopknvCSpqOEnOnc6ufdethqq0b1E
+mxTpJK0x9IqtvXp9psQDgWOxRkIZhnz389YT7P9yQK3KHdElZeGTFC0/XWCh
+gm9VNcuzGDGrtS9U6yneXByGx0cnyLumUOEgHj3IOOrbcjLJjWVzLuRpZumX
+cNG2SZOyD6OL22HxsttVxawvR2XM0RPz5WfgUmoYwLVgSzv8j9FxpmUBP2T4
+ejJ9jzKUs7VexiDYCpdBmaYhvI8bS0novBEkyG+hL8e2ce4rF6xZrVxm6Kqi
+i6srXQgLIdHDw+dBWewKKNzvtHe2O6123Ol2Ovhudro7nd3m7vbObrtFtQ2n
+skM6vpwU737YIJ3xrYJE+beXx+FePZCQcuBjUK0Stw7QLA9pHqqm5486YDUc
+zISf7VBFSDGWRMi5DwIEZSo6dwrxfi/1FBf73DuooeJaCj4HT06iJIdZvO2w
+f9CfEtSbDMTtfZGuCd2+XP7ArOMxV+rwQ7iysiisasMorrNtHE828HUlrNik
+1ViCWSiVn671b4oltEmRvYg2ELgYzzhncRhXPi4vNlBI34sp/o8HZFU9rwMk
+C7kOkGtK6d8HyE67G3X3u7rbkc9dQLIPaCKlbzypFIR9vwLFL+/RbnZ3dvd2
+O7vtbqu7vdvpDnbbmNvrxJ1WZxuzfczvr3CCuqRqAQSkk8Lp1zH/BowFBQsw
+llBVsVnGjYy6IPVN7KyLVH86PFVdvQgEpXGb4t3w2yCq4rzHUBXs10BIOsQD
+WhflAzOfWOeXgflFg8LQ48ezwEQ1HJZTPx8Dc6B47LrQamJuSE5OYkd5e5v1
+1xrWj9eQJb/DtKCam1Eyq6S/P6eJy6wy7lzQr/Xay5b7tnWS7BY0+NSmkGsl
+s2Ie1tZjcoSf2+fvVahfNogbdkgRo/xWV6tsNDs0i+a1LNESi/7Lmrem1Jtc
+orMsfIfARXzyXXb4g30MklaG+KIX1dwGB3yshbbsaaqQvMML/hXEGL4D5zTv
+7kXchffspygpCd+h5YuNulP8ypegpeFfUp6yOmN/zVb4W/8jufV/RKeH54ef
+UaAC5Ys0/umgr6IbuX1HxY9glebsznQY3WT5Xarjofth6WPPtWE6PtgYqLTQ
+Gw9LfC65X+QCnO7ktkVqUddUTpRBVTyVQsP9AEPHmmVJ6UzaBcNXYsGzuPQt
+D6PgjS60MtGIak/Onhy7ZtdfCaIf+1VHls/Ejq/5QTIV2q//ABmMIxbZGwAA
-->
