aboutsummaryrefslogtreecommitdiff
path: root/draft-schanzen-gns.xml
diff options
context:
space:
mode:
Diffstat (limited to 'draft-schanzen-gns.xml')
-rw-r--r--draft-schanzen-gns.xml97
1 files changed, 27 insertions, 70 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index 10ba55a..a57ca8f 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -1,4 +1,4 @@
1<?xml version='1.0' encoding='utf-8'?> 1<?xml version='1.0' encoding='utf-8'?
2<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent" [ 2<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent" [
3<!ENTITY RFC1034 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1034.xml"> 3<!ENTITY RFC1034 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1034.xml">
4<!ENTITY RFC1035 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml"> 4<!ENTITY RFC1035 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1035.xml">
@@ -281,8 +281,7 @@
281 </dd> 281 </dd>
282 <dt>Zone Key Derivation Function</dt> 282 <dt>Zone Key Derivation Function</dt>
283 <dd> 283 <dd>
284 The zone key derivation function (ZKDF) blinds a key using a label. 284 The zone key derivation function (ZKDF) blinds a zone key using a label.
285 There are different functions for public and private keys, respectively.
286 </dd> 285 </dd>
287 <dt>Zone Owner</dt> 286 <dt>Zone Owner</dt>
288 <dd> 287 <dd>
@@ -453,15 +452,7 @@
453 is a function to generate a new private key d and 452 is a function to generate a new private key d and
454 the corresponding public zone key zk. 453 the corresponding public zone key zk.
455 </dd> 454 </dd>
456 <dt>ZKDF-Private(d,label) -> d'</dt> 455 <dt>ZKDF(zk,label) -> zk'</dt>
457 <dd>
458 is a zone key derivation function which blinds a private key d
459 using label, resulting in another private key which
460 can be used to create cryptographic signatures.
461 GNS only requires a signature to be created directly with
462 d to sign a revocation message for the zone key zk.
463 </dd>
464 <dt>ZKDF-Public(zk,label) -> zk'</dt>
465 <dd> 456 <dd>
466 is a zone key derivation function which blinds a zone key zk 457 is a zone key derivation function which blinds a zone key zk
467 using a label. zk and zk' must be unlinkable. Furthermore, 458 using a label. zk and zk' must be unlinkable. Furthermore,
@@ -502,7 +493,7 @@
502 <dt>SignDerived(d,label,message) -> signature</dt> 493 <dt>SignDerived(d,label,message) -> signature</dt>
503 <dd> 494 <dd>
504 is a function to sign a message (typically encrypted record data) that 495 is a function to sign a message (typically encrypted record data) that
505 can be verified using the derived zone key zk' := ZKDF-Public(zk,label). 496 can be verified using the derived zone key zk' := ZKDF(zk,label).
506 In order to leverage performance-enhancing caching features of certain 497 In order to leverage performance-enhancing caching features of certain
507 underlying storages, in particular DHTs, a deterministic signature 498 underlying storages, in particular DHTs, a deterministic signature
508 scheme is recommended. 499 scheme is recommended.
@@ -510,7 +501,7 @@
510 <dt>VerifyDerived(zk,label,message,signature) -> boolean</dt> 501 <dt>VerifyDerived(zk,label,message,signature) -> boolean</dt>
511 <dd> 502 <dd>
512 is function to verify the signature using the derived zone key 503 is function to verify the signature using the derived zone key
513 zk' := ZKDF-Public(zk,label). 504 zk' := ZKDF(zk,label).
514 The function returns a boolean value of "TRUE" if the signature is valid, 505 The function returns a boolean value of "TRUE" if the signature is valid,
515 and otherwise "FALSE". 506 and otherwise "FALSE".
516 </dd> 507 </dd>
@@ -1068,25 +1059,11 @@ zTLD[126..129].zTLD[63..125].zTLD[0..62]
1068 The zone type and zone key of a PKEY are 4 + 32 bytes in length. This means that 1059 The zone type and zone key of a PKEY are 4 + 32 bytes in length. This means that
1069 a zTLD will always fit into a single label and does 1060 a zTLD will always fit into a single label and does
1070 not need any further conversion. 1061 not need any further conversion.
1071 </t> 1062 Given a label, the output zk' of the ZKDF(zk,label) function is
1072 <t>
1073 Given a label, the output d' of the ZKDF-Private(d,label) function for zone
1074 key blinding is calculated as follows for PKEY zones:
1075 </t>
1076 <artwork name="" type="" align="left" alt=""><![CDATA[
1077ZKDF-Private(d,label):
1078 zk := d * G
1079 PRK_h := HKDF-Extract ("key-derivation", zk)
1080 h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
1081 d' := (h * d) mod L
1082 return d'
1083 ]]></artwork>
1084 <t>
1085 Equally, given a label, the output zk' of the ZKDF-Public(zk,label) function is
1086 calculated as follows for PKEY zones: 1063 calculated as follows for PKEY zones:
1087 </t> 1064 </t>
1088 <artwork name="" type="" align="left" alt=""><![CDATA[ 1065 <artwork name="" type="" align="left" alt=""><![CDATA[
1089ZKDF-Public(zk,label): 1066ZKDF(zk,label):
1090 PRK_h := HKDF-Extract ("key-derivation", zk) 1067 PRK_h := HKDF-Extract ("key-derivation", zk)
1091 h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) 1068 h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
1092 zk' := (h mod L) * zk 1069 zk' := (h mod L) * zk
@@ -1113,7 +1090,10 @@ ZKDF-Public(zk,label):
1113 </t> 1090 </t>
1114 <artwork name="" type="" align="left" alt=""><![CDATA[ 1091 <artwork name="" type="" align="left" alt=""><![CDATA[
1115SignDerived(d,label,message): 1092SignDerived(d,label,message):
1116 d' := ZKDF-Private(d,label) 1093 zk := d * G
1094 PRK_h := HKDF-Extract ("key-derivation", zk)
1095 h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
1096 d' := (h * d) mod L
1117 return Sign(d',message) 1097 return Sign(d',message)
1118 ]]></artwork> 1098 ]]></artwork>
1119 <t> 1099 <t>
@@ -1121,7 +1101,7 @@ SignDerived(d,label,message):
1121 </t> 1101 </t>
1122 <artwork name="" type="" align="left" alt=""><![CDATA[ 1102 <artwork name="" type="" align="left" alt=""><![CDATA[
1123VerifyDerived(zk,label,message,signature): 1103VerifyDerived(zk,label,message,signature):
1124 zk' := ZKDF-Public(zk,label) 1104 zk' := ZKDF(zk,label)
1125 return Verify(zk',message,signature) 1105 return Verify(zk',message,signature)
1126 ]]></artwork> 1106 ]]></artwork>
1127 <t> 1107 <t>
@@ -1265,37 +1245,11 @@ S-Decrypt(zk,label,expiration,ciphertext):
1265 <t> 1245 <t>
1266 The "EDKEY" ZKDF instantiation is based on <xref target="Tor224"/>. 1246 The "EDKEY" ZKDF instantiation is based on <xref target="Tor224"/>.
1267 The calculation of a is defined in Section 5.1.5 of <xref target="RFC8032" />. 1247 The calculation of a is defined in Section 5.1.5 of <xref target="RFC8032" />.
1268 Given a label, the output of the ZKDF-Private function for zone 1248 Given a label, the output of the ZKDF function is
1269 key blinding is calculated as follows:
1270 </t>
1271 <artwork name="" type="" align="left" alt=""><![CDATA[
1272ZKDF-Private(d,label):
1273 /* EdDSA clamping */
1274 dh := SHA-512 (d)
1275 a := dh[0..31]
1276 a[0] &= 248
1277 a[31] &= 127
1278 a[31] |= 64
1279 /* Calculate zk corresponding to d */
1280 zk := a * G
1281
1282 /* Calculate the blinding factor h */
1283 PRK_h := HKDF-Extract ("key-derivation", zk)
1284 h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
1285 /* Ensure that h == h mod L */
1286 h[31] &= 7
1287
1288 a1 := a >> 3
1289 a2 := (h * a1) mod L
1290 d' := a2 << 3
1291 return d'
1292 ]]></artwork>
1293 <t>
1294 Equally, given a label, the output of the ZKDF-Public function is
1295 calculated as follows: 1249 calculated as follows:
1296 </t> 1250 </t>
1297 <artwork name="" type="" align="left" alt=""><![CDATA[ 1251 <artwork name="" type="" align="left" alt=""><![CDATA[
1298ZKDF-Public(zk,label): 1252ZKDF(zk,label):
1299 /* Calculate the blinding factor */ 1253 /* Calculate the blinding factor */
1300 PRK_h := HKDF-Extract ("key-derivation", zk) 1254 PRK_h := HKDF-Extract ("key-derivation", zk)
1301 h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) 1255 h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
@@ -1339,9 +1293,9 @@ ZKDF-Public(zk,label):
1339 be implemented as defined in <xref target="RFC8032" />. 1293 be implemented as defined in <xref target="RFC8032" />.
1340 </t> 1294 </t>
1341 <t> 1295 <t>
1342 Signatures for EDKEY zones using the derived private scalar d' 1296 Signatures for EDKEY zones use a derived private scalar d'
1343 are not compliant with <xref target="RFC8032" />. 1297 which is not compliant with <xref target="RFC8032" />.
1344 As the corresponding private key to the derived private scalar d' 1298 As the corresponding private key to the derived private scalar
1345 is not known, it is not possible to deterministically derive the 1299 is not known, it is not possible to deterministically derive the
1346 signature part R according to <xref target="RFC8032" />. 1300 signature part R according to <xref target="RFC8032" />.
1347 Instead, signatures <bcp14>MUST</bcp14> be generated as follows for any given 1301 Instead, signatures <bcp14>MUST</bcp14> be generated as follows for any given
@@ -1368,9 +1322,13 @@ SignDerived(d,label,message):
1368 /* Calculate blinding factor */ 1322 /* Calculate blinding factor */
1369 PRK_h := HKDF-Extract ("key-derivation", zk) 1323 PRK_h := HKDF-Extract ("key-derivation", zk)
1370 h := HKDF-Expand (PRK_h, label || "gns", 512 / 8) 1324 h := HKDF-Expand (PRK_h, label || "gns", 512 / 8)
1325 /* Ensure that h == h mod L */
1326 h[31] &= 7
1371 1327
1372 d' := ZKDF-Private(d,label)
1373 zk' := h * zk 1328 zk' := h * zk
1329 a1 := a >> 3
1330 a2 := (h * a1) mod L
1331 d' := a2 << 3
1374 nonce := SHA-256 (dh[32..63] || h) 1332 nonce := SHA-256 (dh[32..63] || h)
1375 r := SHA-512 (nonce || message) 1333 r := SHA-512 (nonce || message)
1376 R := r * G 1334 R := r * G
@@ -1382,7 +1340,7 @@ SignDerived(d,label,message):
1382 </t> 1340 </t>
1383 <artwork name="" type="" align="left" alt=""><![CDATA[ 1341 <artwork name="" type="" align="left" alt=""><![CDATA[
1384VerifyDerived(zk,label,message,signature): 1342VerifyDerived(zk,label,message,signature):
1385 zk' := ZKDF-Public(zk,label) 1343 zk' := ZKDF(zk,label)
1386 (R,S) := signature 1344 (R,S) := signature
1387 return S * G == R + SHA-512(R, zk', message) * zk' 1345 return S * G == R + SHA-512(R, zk', message) * zk'
1388 ]]></artwork> 1346 ]]></artwork>
@@ -1779,7 +1737,7 @@ GET(key) -> value
1779 Given a label, the storage key q is derived as follows: 1737 Given a label, the storage key q is derived as follows:
1780 </t> 1738 </t>
1781 <artwork name="" type="" align="left" alt=""><![CDATA[ 1739 <artwork name="" type="" align="left" alt=""><![CDATA[
1782q := SHA-512 (ZKDF-Public(zk, label)) 1740q := SHA-512 (ZKDF(zk, label))
1783 ]]></artwork> 1741 ]]></artwork>
1784 <dl> 1742 <dl>
1785 <dt>label</dt> 1743 <dt>label</dt>
@@ -1851,7 +1809,7 @@ q := SHA-512 (ZKDF-Public(zk, label))
1851 </dd> 1809 </dd>
1852 <dt>ZONE KEY</dt> 1810 <dt>ZONE KEY</dt>
1853 <dd> 1811 <dd>
1854 is the blinded zone key "ZKDF-Public(zk, label)" 1812 is the blinded zone key "ZKDF(zk, label)"
1855 to be used to verify SIGNATURE. 1813 to be used to verify SIGNATURE.
1856 The length and format of the public key depends on the ztype. 1814 The length and format of the public key depends on the ztype.
1857 </dd> 1815 </dd>
@@ -1860,9 +1818,8 @@ q := SHA-512 (ZKDF-Public(zk, label))
1860 The signature is computed over the EXPIRATION and BDATA fields 1818 The signature is computed over the EXPIRATION and BDATA fields
1861 as detailed in <xref target="figure_rrsigwithpseudo"/>. 1819 as detailed in <xref target="figure_rrsigwithpseudo"/>.
1862 The length and format of the signature depends on the ztype. 1820 The length and format of the signature depends on the ztype.
1863 The signature is created using the Sign() function of 1821 The signature is created using the SignDerived() function of
1864 the cryptosystem of the zone and the derived private key 1822 the cryptosystem of the zone (see <xref target="zones" />).
1865 "ZKDF-Private(d, label)" (see <xref target="zones" />).
1866 </dd> 1823 </dd>
1867 <dt>EXPIRATION</dt> 1824 <dt>EXPIRATION</dt>
1868 <dd> 1825 <dd>
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-16 11:27:38 +0000