author | Martin Schanzenbach <schanzen@gnunet.org> | 2022-03-17 12:49:57 +0100 |
---|---|---|
committer | Martin Schanzenbach <schanzen@gnunet.org> | 2022-03-17 12:49:57 +0100 |
commit | 55941796ffaabc0cca7a88efcbce2c5636bfa761 (patch) | |
tree | 8fefb8882140ed05cea1c4bd84fa36fcbe4da7a6 | |
parent | 8e68428ce4e3c41131a8c168505a9b78ea91e6ad (diff) | |
fixes in crypto
-rw-r--r-- | draft-schanzen-gns.xml | 15 |
1 files changed, 9 insertions, 6 deletions
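--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -1271,14 +1271,15 @@ S-Decrypt(zk,label,expiration,ciphertext):
 <artwork name="" type="" align="left" alt=""><![CDATA[
 ZKDF-Private(d,label):
 /* EdDSA clamping */
-a := SHA-512 (d)
+dh := SHA-512 (d)
+a := dh[0..31]
 a[0] &= 248
 a[31] &= 127
 a[31] |= 64
-/* Calculate zk from d */
+/* Calculate zk corresponding to d */
 zk := a * G
 
-/* Calculate the blinding factor */
+/* Calculate the blinding factor h */
 PRK_h := HKDF-Extract ("key-derivation", zk)
 h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
 /* Ensure that h == h mod L */
@@ -1354,12 +1355,14 @@ ZKDF-Public(zk,label):
 </t>
 <artwork name="" type="" align="left" alt=""><![CDATA[
 SignDerived(d,label,message):
+/* Key expansion */
+dh := SHA-512 (d)
 /* EdDSA clamping */
-a := SHA-512 (d)
+a := dh[0..31]
 a[0] &= 248
 a[31] &= 127
 a[31] |= 64
-/* Calculate zk from d */
+/* Calculate zk corresponding to d */
 zk := a * G
 
 /* Calculate blinding factor */
@@ -1367,7 +1370,7 @@ SignDerived(d,label,message):
 h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
 
 d' := ZKDF-Private(d,label)
-dh := SHA-512 (d)
+zk' := h * zk
 nonce := SHA-256 (dh[32..63] || h)
 r := SHA-512 (nonce || message)
 R := r * G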
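Review bot: In SignDerived the added `zk' := h * zk` and the following `nonce := SHA-256 (dh[32..63] || h)` consume h straight out of HKDF-Expand as a 64-byte value, whereas ZKDF-Private in the first hunk follows the same HKDF-Expand with `/* Ensure that h == h mod L */`, and none of the SignDerived lines visible between `h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)` and `zk' := h * zk` performs that reduction. Since zk is a clamped multiple of G and thus in the prime-order subgroup, h * zk and (h mod L) * zk are the same point, but the nonce input is different depending on whether h is the raw 64-byte output or its reduced 32-byte encoding, and that ambiguity would show up in test vectors and in deterministic-signature interoperability between implementations. I would mirror ZKDF-Private by inserting `/* Ensure that h == h mod L */` plus the reduction step directly after the HKDF-Expand line in SignDerived, and state which byte encoding of h and of dh[32..63] is fed to SHA-256. It would also help to say that `dh[0..31]` and `dh[32..63]` are inclusive ranges of 32 bytes each, matching the EdDSA key expansion the clamping comment refers to. SignDerived starts in the second hunk and continues past the end of the third, so the signature computation after `R := r * G` is not visible here.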