2 files changed, 180 insertions, 98 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index a0edad4..ce0a183 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -133,43 +133,170 @@
   <section anchor="zones" numbered="true" toc="default">
     <name>Zones</name>
     <t>
-       A zone in GNS is defined by a public/private ECDSA key pair (d,zk),
+       A GNS zone is established by creating a zone key pair.
-       where d is the private key and zk the corresponding public key.
+       GNS is extensible with respect to the cryptographic scheme used.
-       GNS employs the curve parameters of the twisted edwards representation
+       The two zone key schemes specified within this document are
-       of Curve25519 <xref target="RFC7748" /> (a.k.a. edwards25519)
+       called PKEY and EDKEY, respectively.
-       with the ECDSA scheme (<xref target="RFC6979" />).
-       In the following, we use the following naming convention for our
-       cryptographic primitives:
     </t>
-     <dl>
+     <section anchor="zone_privacy" numbered="true" toc="default">
-       <dt>d</dt>
+       <name>Privacy</name>
-       <dd>
+       <t>
-         is a 256-bit ECDSA private key.
+         In GNS, the contents of a zone are cryptographically signed before
-         In GNS, records are signed using a key derived from "d" as described in
+         publishing. Instead of the zone private key "d", the signature MUST
-         <xref target="publish" />.
+         be created using a blinded public/private key pair d' and zk'.
-       </dd>
+         This blinding is realized using a Hierarchical Deterministic Key
-       <dt>p</dt>
+         Derivation (HDKD) scheme.
-       <dd>
+         Such a scheme allows the zone owner to derivate a private d' and a
-         is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e.
+         resolver to derive the corresponding public key zk' in a deterministic
-         2^255 - 19.
+         manner from the original public and private zone keys as well as a
-       </dd>
+         label.
-       <dt>B</dt>
+       </t>
-       <dd>
+       <t>
-         is the group generator (X(P),Y(P)) of edwards25519 as defined in
+         We define that for any type of zone key material the function
-        <xref target="RFC7748" />.
+         "HDKD-Private" must be defined as:
-       </dd>
+       </t>
-       <dt>L</dt>
+       <artwork name="" type="" align="left" alt=""><![CDATA[
-       <dd>
+HDKD-Private(d, label) -> d'
-         is the prime-order subgroup of edwards25519 in <xref target="RFC7748" />.
+       ]]></artwork>
-       </dd>
+       <t>
-       <dt>zk</dt>
+         where:
-       <dd>
+       </t>
-         is the ECDSA public key corresponding to d. It is defined in
+       <dl>
-         <xref target="RFC6979" /> as the curve point d*B where B is the group
+         <dt>d</dt>
-         generator of the elliptic curve. The public key is used to uniquely
+         <dd>
-         identify a GNS zone and is referred to as the "zone key".
+           Is the private zone key input.
-       </dd>
+         </dd>
-     </dl>
+         <dt>label</dt>
+         <dd>
+           Is the resource record label.
+         </dd>
+         <dt>d'</dt>
+         <dd>
+           Is the derived (blinded) private zone key.
+         </dd>
+       </dl>
+       <t>
+         Correspondingly, the function "HDKD-Public" must be defined as:
+       </t>
+       <artwork name="" type="" align="left" alt=""><![CDATA[
+HDKD-Public(zk, label) -> zk'
+       ]]></artwork>
+       <t>
+         where:
+       </t>
+       <dl>
+         <dt>zk</dt>
+         <dd>
+           Is the public zone key input.
+         </dd>
+         <dt>label</dt>
+         <dd>
+           Is the resource record label.
+         </dd>
+         <dt>d'</dt>
+         <dd>
+           Is the derived (blinded) public zone key.
+         </dd>
+       </dl>
+     </section>
+     <section anchor="zone_types" numbered="true" toc="default">
+       <name>Zone Types</name>
+       <section anchor="zone_type_pkey" numbered="true" toc="default">
+         <name>PKEY Zone</name>
+         <t>
+           A PKEY zone in GNS is defined by a public/private ECDSA key pair (d,zk),
+           where d is the private key and zk the corresponding public key.
+           GNS employs the curve parameters of the twisted edwards representation
+           of Curve25519 <xref target="RFC7748" /> (a.k.a. edwards25519)
+           with the ECDSA scheme (<xref target="RFC6979" />).
+           In the following, we use the following naming convention for our
+           cryptographic primitives:
+         </t>
+         <dl>
+           <dt>d</dt>
+           <dd>
+             is a 256-bit ECDSA private key.
+           </dd>
+           <dt>p</dt>
+           <dd>
+             is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e.
+             2^255 - 19.
+           </dd>
+           <dt>B</dt>
+           <dd>
+             is the group generator (X(P),Y(P)) of edwards25519 as defined in
+            <xref target="RFC7748" />.
+           </dd>
+           <dt>L</dt>
+           <dd>
+             is the prime-order subgroup of edwards25519 in <xref target="RFC7748" />.
+           </dd>
+           <dt>zk</dt>
+           <dd>
+             is the ECDSA public key corresponding to d. It is defined in
+             <xref target="RFC6979" /> as the curve point d*B where B is the group
+             generator of the elliptic curve. The public key is used to uniquely
+             identify a GNS zone and is referred to as the "zone key".
+           </dd>
+         </dl>
+         <t>
+           Given a label, the output of the HDKD-Private function is
+           calculated as follows for PKEY zones:
+         </t>
+         <artwork name="" type="" align="left" alt=""><![CDATA[
+zk := d * B
+PRK_h := HKDF-Extract ("key-derivation", zk)
+h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+d' := h * d mod L
+           ]]></artwork>
+         <t>
+           Equally, given a label, the output of the HDKD-Public function is
+           calculated as follows for PKEY zones:
+         </t>
+         <artwork name="" type="" align="left" alt=""><![CDATA[
+PRK_h := HKDF-Extract ("key-derivation", zk)
+h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+zk' := h mod L * zk
+         ]]></artwork>
+         <t>
+           We use a hash-based key derivation function (HKDF) as defined in
+           <xref target="RFC5869" />. We use HMAC-SHA512 for the extraction
+           phase and HMAC-SHA256 for the expansion phase.
+         </t>
+         <dl>
+           <dt>PRK_h</dt>
+           <dd>
+             is key material retrieved using an HKDF using the string
+             "key-derivation" as salt and the public zone key "zk" as initial
+             keying material.
+           </dd>
+           <dt>h</dt>
+           <dd>
+             is the 512-bit HKDF expansion result. The expansion info input is a
+             concatenation of the label and string "gns".
+           </dd>
+           <dt>d</dt>
+           <dd>
+             is the 256-bit private zone key as defined in <xref target="zone_type_pkey" />.
+           </dd>
+           <dt>label</dt>
+           <dd>is a UTF-8 string under which the resource records are published.
+           </dd>
+           <dt>L</dt>
+           <dd>
+             is the prime-order subgroup as defined in <xref target="zone_type_pkey" />.
+           </dd>
+         </dl>
+         <t>
+           We point out that the multiplication of "zk" with "h" is a point multiplication,
+           while the multiplication of "d" with "h" is a scalar multiplication.
+         </t>
+       </section>
+       <section anchor="zone_type_edkey" numbered="true" toc="default">
+         <name>EDKEY Zone</name>
+         <t>TODO: Do the same as the above with a Schnorr variant</t>
+       </section>
+     </section>
   </section>
   <section anchor="rrecords" numbered="true" toc="default">
     <name>Resource Records</name>
@@ -537,7 +664,6 @@
       </dl>
     </section>
   </section>
   <section anchor="publish" numbered="true" toc="default">
     <name>Publishing Records</name>
     <t>
@@ -550,67 +676,28 @@
       label of the contained records.
     </t>
     <section anchor="blinding" numbered="true" toc="default">
-       <name>Key Derivations</name>
+       <name>DHT Key Derivations</name>
       <t>
         Given a label, the DHT key "q" is derived as follows:
       </t>
       <artwork name="" type="" align="left" alt=""><![CDATA[
-PRK_h := HKDF-Extract ("key-derivation", zk)
+q := SHA512 (HDKD-Public(zk, label))
-h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
-d_h := h * d mod L
-zk_h := h mod L * zk
-q := SHA512 (zk_h)
         ]]></artwork>
-       <t>
-         We use a hash-based key derivation function (HKDF) as defined in
-         <xref target="RFC5869" />. We use HMAC-SHA512 for the extraction
-         phase and HMAC-SHA256 for the expansion phase.
-       </t>
       <dl>
-         <dt>PRK_h</dt>
-         <dd>
-           is key material retrieved using an HKDF using the string
-           "key-derivation" as salt and the public zone key "zk" as initial
-           keying material.
-         </dd>
-         <dt>h</dt>
-         <dd>
-           is the 512-bit HKDF expansion result. The expansion info input is a
-           concatenation of the label and string "gns".
-         </dd>
-         <dt>d</dt>
-         <dd>
-           is the 256-bit private zone key as defined in <xref target="zones" />.
-         </dd>
         <dt>label</dt>
         <dd>is a UTF-8 string under which the resource records are published.
         </dd>
-         <dt>d_h</dt>
+         <dt>zk</dt>
-         <dd>
-           is a 256-bit private key derived from the "d" using the
-           keying material "h".
-         </dd>
-         <dt>zk_h</dt>
-         <dd>
-           is a 256-bit public key derived from the zone key "zk" using the
-           keying material "h".
-         </dd>
-         <dt>L</dt>
         <dd>
-           is the prime-order subgroup as defined in <xref target="zones" />.
+           is the public zone key.
         </dd>
         <dt>q</dt>
         <dd>
           Is the 512-bit DHT key under which the resource records block is
           published.
-           It is the SHA512 hash over the public key "zk_h" corresponding to the
+           It is the SHA512 hash over the derived public zone key.
-           derived private key "d_h".
         </dd>
       </dl>
-       <t>
-         We point out that the multiplication of "zk" with "h" is a point multiplication,
-         while the multiplication of "d" with "h" is a scalar multiplication.
-       </t>
     </section>
     <section anchor="wire" numbered="true" toc="default">
       <name>Resource Records Block</name>
@@ -630,18 +717,16 @@ q := SHA512 (zk_h)
         <artwork name="" type="" align="left" alt=""><![CDATA[
 0     8     16    24    32    40    48    56
 +-----+-----+-----+-----+-----+-----+-----+-----+
+|                   ZONE TYPE                   |
+-----+-----+-----+-----+-----+-----+-----+-----+
 |                   SIGNATURE                   |
-|                                               |
+/                                               /
-|                                               |
+/                                               /
-|                                               |
-|                                               |
-|                                               |
-|                                               |
 |                                               |
 +-----+-----+-----+-----+-----+-----+-----+-----+
 |                  PUBLIC KEY                   |
-|                                               |
+/                                               /
-|                                               |
+/                                               /
 |                                               |
 +-----+-----+-----+-----+-----+-----+-----+-----+
 |         SIZE          |       PURPOSE         |
@@ -658,17 +743,14 @@ q := SHA512 (zk_h)
       <dl>
         <dt>SIGNATURE</dt>
         <dd>
-           A 512-bit ECDSA deterministic signature compliant with
+           The signature is computed over the data following
-           <xref target="RFC6979" />. The signature is computed over the data
+           the PUBLIC KEY field.
-           following the PUBLIC KEY field.
+           The signature is created using the derived private key "d'" (see
-           The signature is created using the derived private key "d_h" (see
+           <xref target="zone_types" />).
-           <xref target="publish" />).
         </dd>
         <dt>PUBLIC KEY</dt>
         <dd>
-           is the 256-bit public key "zk_h" to be used to verify SIGNATURE. The
+           is the public key "zk'" to be used to verify SIGNATURE.
-           wire format of this value is defined in <xref target="RFC8032" />,
-           Section 5.1.5.
         </dd>
         <dt>SIZE</dt>
         <dd>
diff --git a/ietf/secdispatch/gns.tex b/ietf/secdispatch/gns.tex
index 00c9151..2f9269c 100644
--- a/ietf/secdispatch/gns.tex
+++ b/ietf/secdispatch/gns.tex
@@ -10,7 +10,7 @@
 \usepackage{multirow}
 \title{The GNU Name System\\\small{secdispatch -- IETF 108}\\\small{\url{https://datatracker.ietf.org/doc/draft-schanzen-gns/}}}
 \date{30/7/2020}
-\author{Martin Schanzenbach}
+\author{Martin Schanzenbach\\Christian Grothoff\\Bernd Fix}
 \institute{\hfill\large{GNUnet} \includegraphics[trim={0cm 1.5cm 0cm 0cm},clip,width=4em]{gnunet}}
 \begin{document}
  \metroset{block=fill,sectionpage=progressbar,numbering=counter}