better procedure definitions

author: Martin Schanzenbach <schanzen@gnunet.org> 2022-02-04 20:33:49 +0100
committer: Martin Schanzenbach <schanzen@gnunet.org> 2022-02-04 20:33:49 +0100
commit: c972b4c4f0d6fcbd2c3dd4aef66543da7b5d5c6e (patch)
tree: 20d7ea4385f3dc83e293e553795522c2b0beca79
parent: 41437cd20299d6c7c6b90841e143e338bd8b5440 (diff)
download: lsd0001-c972b4c4f0d6fcbd2c3dd4aef66543da7b5d5c6e.tar.gz
lsd0001-c972b4c4f0d6fcbd2c3dd4aef66543da7b5d5c6e.zip
1 files changed, 89 insertions, 81 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index 640e135..c79feb7 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -977,19 +977,23 @@ zTLD := zkl[126..129].zkl[63..125].zkl[0..62]
         key blinding is calculated as follows for PKEY zones:
       </t>
       <artwork name="" type="" align="left" alt=""><![CDATA[
-zk := d * G
+ZKDF-Private(d,label):
-PRK_h := HKDF-Extract ("key-derivation", zk)
+  zk := d * G
-h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+  PRK_h := HKDF-Extract ("key-derivation", zk)
-d' := (h * d) mod L
+  h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+  d' := (h * d) mod L
+  return d'
        ]]></artwork>
       <t>
         Equally, given a label, the output zk' of the ZKDF-Public(zk,label) function is
         calculated as follows for PKEY zones:
       </t>
-         <artwork name="" type="" align="left" alt=""><![CDATA[
+       <artwork name="" type="" align="left" alt=""><![CDATA[
-PRK_h := HKDF-Extract ("key-derivation", zk)
+ZKDF-Public(zk,label)
-h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+  PRK_h := HKDF-Extract ("key-derivation", zk)
-zk' := (h mod L) * zk
+  h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+  zk' := (h mod L) * zk
+  return zk'
        ]]></artwork>
       <t>
         The PKEY cryptosystem uses a hash-based key derivation function (HKDF) as defined in
@@ -1010,28 +1014,41 @@ zk' := (h mod L) * zk
         The Sign() and Verify() functions
         for PKEY zones are implemented using 512-bit ECDSA deterministic
         signatures as specified in <xref target="RFC6979" />.
+         The same functions can be used for derived keys.
       </t>
       <t>
         The S-Encrypt() and S-Decrypt() functions use AES in counter mode
         as defined in <xref target="MODES" /> (CTR-AES-256):
       </t>
-       <artwork name="" type="" align="left" alt=""><![CDATA[
+       <figure anchor="figure_senc_pkey">
-CIPHERTEXT := CTR-AES256(K, IV, DATA)
+         <artwork name="" type="" align="left" alt=""><![CDATA[
-DATA := CTR-AES256(K, IV, CIPHERTEXT)
+S-Encrypt(zk,label,expiration,plaintext):
-         ]]></artwork>
+  PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
+  PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
+  K := HKDF-Expand (PRK_k, label, 256 / 8)
+  NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
+  IV := NONCE | expiration | 0x0000000000000001
+  return CTR-AES256(K, IV, plaintext)
+           ]]></artwork>
+       </figure>
+       <t>The PKEY S-Encrypt Procedure.</t>
+       <figure anchor="figure_sdec_pkey">
+         <artwork name="" type="" align="left" alt=""><![CDATA[
+S-Decrypt(zk,label,expiration,ciphertext):
+  PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
+  PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
+  K := HKDF-Expand (PRK_k, label, 256 / 8)
+  NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
+  IV := NONCE | expiration | 0x0000000000000001
+  return CTR-AES256(K, IV, ciphertext)
+           ]]></artwork>
+       </figure>
+       <t>The PKEY S-Decrypt Procedure.</t>
       <t>
         The key K and counter IV are derived from
-         the record label and the zone key zk as follows:
+         the record label and the zone key zk using a hash-based key
-       </t>
+         derivation function (HDKF) as defined in <xref target="RFC5869" />.
-       <artwork name="" type="" align="left" alt=""><![CDATA[
+         SHA-512 <xref target="RFC6234"/> is used for the
-PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
-PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
-K := HKDF-Expand (PRK_k, label, 256 / 8);
-NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
-]]></artwork>
-       <t>
-         HKDF is a hash-based key derivation function as defined in
-         <xref target="RFC5869" />. Specifically, SHA-512 <xref target="RFC6234"/> is used for the
         extraction phase and SHA-256 <xref target="RFC6234"/> for the expansion phase.
         The output keying material is 32 bytes (256 bits) for the symmetric
         key and 4 bytes (32 bits) for the nonce.
@@ -1062,31 +1079,6 @@ NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
           ]]></artwork>
       </figure>
       <t>The Block Counter Wire Format.</t>
-       <figure anchor="figure_senc_pkey">
-         <artwork name="" type="" align="left" alt=""><![CDATA[
-S-Encrypt(zk,label,expiration,message):
-  PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
-  PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
-  K := HKDF-Expand (PRK_k, label, 256 / 8);
-  NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
-  IV := NONCE | expiration | 0x0000000000000001
-  return CTR-AES256(K, IV, DATA)
-           ]]></artwork>
-       </figure>
-       <t>The PKEY S-Encrypt Procedure.</t>
-       <figure anchor="figure_sdec_pkey">
-         <artwork name="" type="" align="left" alt=""><![CDATA[
-S-Decrypt(zk,label,expiration,ciphertext):
-  PRK_k := HKDF-Extract ("gns-aes-ctx-key", zk)
-  PRK_n := HKDF-Extract ("gns-aes-ctx-iv", zk)
-  K := HKDF-Expand (PRK_k, label, 256 / 8);
-  NONCE := HKDF-Expand (PRK_n, label, 32 / 8)
-  IV := NONCE | expiration | 0x0000000000000001
-  return CTR-AES256(K, IV, ciphertext)
-           ]]></artwork>
-       </figure>
-       <t>The PKEY S-Decrypt Procedure.</t>
-       <!-- FIXME: Explicit precedures would be nicer Appendix?-->
     </section>
     <section anchor="gnsrecords_edkey" numbered="true" toc="default">
       <name>EDKEY</name>
@@ -1176,23 +1168,27 @@ S-Decrypt(zk,label,expiration,ciphertext):
           key blinding is calculated as follows for EDKEY zones:
         </t>
         <artwork name="" type="" align="left" alt=""><![CDATA[
-zk := a * G
+ZKDF-Private(d,label):
-PRK_h := HKDF-Extract ("key-derivation", zk)
+  zk := a * G
-h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+  PRK_h := HKDF-Extract ("key-derivation", zk)
-h[31] &= 7
+  h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
-a1 := a >> 3
+  h[31] &= 7
-a2 := (h * a1) mod L
+  a1 := a >> 3
-a' = a2 << 3
+  a2 := (h * a1) mod L
+  a' = a2 << 3
+  return a'
           ]]></artwork>
         <t>
           Equally, given a label, the output of the ZKDF-Public function is
           calculated as follows for PKEY zones:
         </t>
         <artwork name="" type="" align="left" alt=""><![CDATA[
-PRK_h := HKDF-Extract ("key-derivation", zk)
+ZKDF-Public(zk,label):
-h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+  PRK_h := HKDF-Extract ("key-derivation", zk)
-h[31] &= 7  // Implies h mod L == h
+  h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
-zk' := h * zk
+  h[31] &= 7  // Implies h mod L == h
+  zk' := h * zk
+  return zk'
           ]]></artwork>
         <t>
           We note that implementers SHOULD employ a constant time scalar
@@ -1226,36 +1222,44 @@ zk' := h * zk
           co-factor are integer operations.
         </t>
         <t>
+           The Sign(d,message) and Verify(zk,message,signature) procedures MUST
+           be implemented as defined in <xref target="ed25519" />.
+         </t>
+         <t>
           Signatures for EDKEY zones using the derived private key a'
           are not compliant with <xref target="ed25519" />.
           As the corresponding private key to the derived private scalar a'
           is not known, it is not possible to deterministically derive the
           signature part R according to <xref target="ed25519" />.
           Instead, signatures MUST be generated as follows for any given
-           message M:
+           message and private zone key:
           A nonce is calculated from the highest 32 bytes of the
           expansion of the private key d and the blinding factor h.
-           The nonce is then hashed with the message M to r.
+           The nonce is then hashed with the message to r.
           This way, we include the full derivation path in the calculation
           of the R value of the signature, ensuring that it is never reused
           for two different derivation paths or messages.
         </t>
         <!-- Blinded key signatures need a different method signature
           FIXME Should we use a'
-           nonce := SHA-256 (a')?
+           nonce := SHA-256 (a')? Changed for now. Unclear if ok.
         -->
         <artwork name="" type="" align="left" alt=""><![CDATA[
-dh := SHA-512 (d)
+Sign(d,message):
-nonce := SHA-256 (dh[32..63] | h)
+  dh := SHA-512 (d)
-r := SHA-512 (nonce | M)
+  nonce := SHA-256 (dh[32..63] | h)
-R := r * G
+  r := SHA-512 (nonce | message)
-S := r + SHA-512(R | zk' | M) * a' mod L
+  R := r * G
+  S := r + SHA-512(R | zk' | message) * a' mod L
+  return (R,S)
           ]]></artwork>
         <t>
           A signature (R,S) is valid if the following holds:
         </t>
         <artwork name="" type="" align="left" alt=""><![CDATA[
-S * G == R + SHA-512(R, zk', M) * zk'
+Verify(zk',message,signature):
+  (R,S) := signature
+  return S * G == R + SHA-512(R, zk', message) * zk'
           ]]></artwork>
         <t>
           The S-Encrypt() and S-Decrypt() functions use XSalsa20
@@ -1263,8 +1267,19 @@ S * G == R + SHA-512(R, zk', M) * zk'
           (XSalsa20-Poly1305):
         </t>
         <artwork name="" type="" align="left" alt=""><![CDATA[
-CIPHERTEXT := XSalsa20-Poly1305(K, IV, DATA)
+S-Encrypt(zk,label,expiration,message):
-DATA := XSalsa20-Poly1305(K, IV, CIPHERTEXT)
+  PRK_k := HKDF-Extract ("gns-xsalsa-ctx-key", zk)
+  PRK_n := HKDF-Extract ("gns-xsalsa-ctx-iv", zk)
+  K := HKDF-Expand (PRK_k, label, 256 / 8);
+  NONCE := HKDF-Expand (PRK_n, label, 128 / 8)
+  return XSalsa20-Poly1305(K, IV, message)
+S-Decrypt(zk,label,expiration,ciphertext):
+  PRK_k := HKDF-Extract ("gns-xsalsa-ctx-key", zk)
+  PRK_n := HKDF-Extract ("gns-xsalsa-ctx-iv", zk)
+  K := HKDF-Expand (PRK_k, label, 256 / 8);
+  NONCE := HKDF-Expand (PRK_n, label, 128 / 8)
+  return XSalsa20-Poly1305(K, IV, ciphertext)
           ]]></artwork>
         <t>
           The result of the XSalsa20-Poly1305 encryption function is the encrypted
@@ -1275,17 +1290,10 @@ DATA := XSalsa20-Poly1305(K, IV, CIPHERTEXT)
         </t>
         <t>
           The key K and counter IV are derived from
-           the record label and the zone key zk as follows:
+           the record label and the zone key zk using a hash-based key
-         </t>
+           derivation function (HKDF) as defined in
-         <artwork name="" type="" align="left" alt=""><![CDATA[
+           <xref target="RFC5869" />.
-PRK_k := HKDF-Extract ("gns-xsalsa-ctx-key", zk)
+           SHA-512 <xref target="RFC6234"/> is used for the
-PRK_n := HKDF-Extract ("gns-xsalsa-ctx-iv", zk)
-K := HKDF-Expand (PRK_k, label, 256 / 8);
-NONCE := HKDF-Expand (PRK_n, label, 128 / 8)
-]]></artwork>
-         <t>
-           HKDF is a hash-based key derivation function as defined in
-           <xref target="RFC5869" />. Specifically, SHA-512 <xref target="RFC6234"/> is used for the
           extraction phase and SHA-256 <xref target="RFC6234"/> for the expansion phase.
           The output keying material is 32 bytes (256 bits) for the symmetric
           key and 16 bytes (128 bits) for the NONCE.
author	Martin Schanzenbach <schanzen@gnunet.org>	2022-02-04 20:33:49 +0100
committer	Martin Schanzenbach <schanzen@gnunet.org>	2022-02-04 20:33:49 +0100
commit	c972b4c4f0d6fcbd2c3dd4aef66543da7b5d5c6e (patch)
tree	20d7ea4385f3dc83e293e553795522c2b0beca79
parent	41437cd20299d6c7c6b90841e143e338bd8b5440 (diff)
download	lsd0001-c972b4c4f0d6fcbd2c3dd4aef66543da7b5d5c6e.tar.gz lsd0001-c972b4c4f0d6fcbd2c3dd4aef66543da7b5d5c6e.zip