Diffstat (limited to 'draft-schanzen-gns.xml')
-rw-r--r-- draft-schanzen-gns.xml 26
1 files changed, 15 insertions, 11 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index c79feb7..e78e264 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -1110,7 +1110,8 @@ S-Decrypt(zk,label,expiration,ciphertext):
1110 For EDKEY zones the zone key material is derived using the 1110 For EDKEY zones the zone key material is derived using the
1111 curve parameters of the twisted edwards representation 1111 curve parameters of the twisted edwards representation
1112 of Curve25519 <xref target="RFC7748" /> (a.k.a. Ed25519) 1112 of Curve25519 <xref target="RFC7748" /> (a.k.a. Ed25519)
1113 with the Ed25519-SHA-512 scheme <xref target="ed25519" />. 1113 with the Ed25519 scheme <xref target="ed25519" /> as specified in
1114 <xref target="RFC8032" />.
1114 Consequently, we use the following naming convention for our 1115 Consequently, we use the following naming convention for our
1115 cryptographic primitives for EDKEY zones: 1116 cryptographic primitives for EDKEY zones:
1116 </t> 1117 </t>
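Review bot: New line 1112 still reads "(a.k.a. Ed25519)" for the twisted Edwards form of Curve25519, and the very next line uses Ed25519 as the name of the signature scheme, so one name now covers both the curve and the scheme. The definitions further down call the curve edwards25519; suggest "(a.k.a. edwards25519)" here so an implementer cannot read the two as the same object. The scheme is also left with two references (ed25519 and RFC8032) in one sentence; if RFC8032 is meant to be the one implementers follow, the wording should say which of the two governs.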
@@ -1123,28 +1124,28 @@ S-Decrypt(zk,label,expiration,ciphertext):
1123 <dt>a</dt> 1124 <dt>a</dt>
1124 <dd> 1125 <dd>
1125 is is an integer derived from d using the SHA-512 hash function 1126 is is an integer derived from d using the SHA-512 hash function
1126 as defined in <xref target="ed25519" />. 1127 as defined in <xref target="RFC8032" />.
1127 </dd> 1128 </dd>
1128 <dt>zk</dt> 1129 <dt>zk</dt>
1129 <dd> 1130 <dd>
1130 is the EdDSA public key corresponding to d. It is defined 1131 is the EdDSA public key corresponding to d. It is defined
1131 as the curve point a*G where G is the 1132 as the curve point a*G where G is the
1132 group generator of the elliptic curve 1133 group generator of the elliptic curve
1133 as defined in <xref target="ed25519" />. 1134 as defined in <xref target="RFC8032" />.
1134 </dd> 1135 </dd>
1135 <dt>p</dt> 1136 <dt>p</dt>
1136 <dd> 1137 <dd>
1137 is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e. 1138 is the prime of edwards25519 as defined in <xref target="RFC8032" />, i.e.
1138 2^255 - 19. 1139 2^255 - 19.
1139 </dd> 1140 </dd>
1140 <dt>G</dt> 1141 <dt>G</dt>
1141 <dd> 1142 <dd>
1142 is the group generator (X(P),Y(P)) of edwards25519 as defined in 1143 is the group generator (X(P),Y(P)) of edwards25519 as defined in
1143 <xref target="RFC7748" />. 1144 <xref target="RFC8032" />.
1144 </dd> 1145 </dd>
1145 <dt>L</dt> 1146 <dt>L</dt>
1146 <dd> 1147 <dd>
1147 is the order of the prime-order subgroup of edwards25519 in <xref target="RFC7748" />. 1148 is the order of the prime-order subgroup of edwards25519 in <xref target="RFC8032" />.
1148 </dd> 1149 </dd>
1149 <dt>KeyGen()</dt> 1150 <dt>KeyGen()</dt>
1150 <dd> 1151 <dd>
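Review bot: The definition of a at new lines 1126-1127 points at RFC8032 as a whole, while the KeyGen() entry later in the same list cites a specific section (5.1.5) for the same derivation of a from d. Suggest citing the section here as well, so both entries resolve to the same text. The duplicated "is is" on line 1126 is in the entry being touched and could be fixed in the same change. The entries for p, G and L were moved from RFC7748 to RFC8032 without a section either; a section pointer would help for those too.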
@@ -1153,7 +1154,7 @@ S-Decrypt(zk,label,expiration,ciphertext):
1153 group generator of the elliptic curve and a is an integer 1154 group generator of the elliptic curve and a is an integer
1154 derived from d using the SHA-512 hash function 1155 derived from d using the SHA-512 hash function
1155 as defined 1156 as defined
1156 in Section 3.2. of <xref target="RFC8032" /> represents the KeyGen() 1157 in Section 5.1.5 of <xref target="RFC8032" /> represents the KeyGen()
1157 function. 1158 function.
1158 </dd> 1159 </dd>
1159 </dl> 1160 </dl>
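Review bot: The section number at new line 1157 is hardcoded in prose ("in Section 5.1.5 of <xref target="RFC8032" />"), which is how the stale "Section 3.2." on the old side went unnoticed. Since the document already uses v3 elements such as dl/dt/dd, consider carrying the section on the reference itself, e.g. <xref target="RFC8032" section="5.1.5" sectionFormat="of" />, so the tooling renders and links it. The sentence is also hard to parse ("The generation of ... as defined in Section 5.1.5 ... represents the KeyGen() function"); a shorter "KeyGen() is the key generation defined in Section 5.1.5 ..." would read better.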
@@ -1164,11 +1165,14 @@ S-Decrypt(zk,label,expiration,ciphertext):
1164 </t> 1165 </t>
1165 <t> 1166 <t>
1166 The "EDKEY" ZKDF instantiation is based on <xref target="Tor224"/>. 1167 The "EDKEY" ZKDF instantiation is based on <xref target="Tor224"/>.
1168 For brevity, instead of using d as a parameter to the derivation,
1169 we define the ZKDF-Private() procedure on the derived integer a.
1170 The calculation of a Ed25519 is defined in <xref target="RFC8032" />.
1167 Given a label, the output of the ZKDF-Private function for zone 1171 Given a label, the output of the ZKDF-Private function for zone
1168 key blinding is calculated as follows for EDKEY zones: 1172 key blinding is calculated as follows for EDKEY zones:
1169 </t> 1173 </t>
1170 <artwork name="" type="" align="left" alt=""><![CDATA[ 1174 <artwork name="" type="" align="left" alt=""><![CDATA[
1171ZKDF-Private(d,label): 1175ZKDF-Private(a,label):
1172 zk := a * G 1176 zk := a * G
1173 PRK_h := HKDF-Extract ("key-derivation", zk) 1177 PRK_h := HKDF-Extract ("key-derivation", zk)
1174 h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) 1178 h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
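Review bot: The added sentence at new line 1170, "The calculation of a Ed25519 is defined in <xref target="RFC8032" />", does not parse; it looks like it was meant to say that the calculation of a from d is defined there. Suggest rewording it and citing the same section used for KeyGen(). The signature change to ZKDF-Private(a,label) at line 1175 matches the first body line "zk := a * G", but any other place in the draft that still calls ZKDF-Private with d (prose, other zone types, test vectors) needs the same update, and none is visible in this diff.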
@@ -1223,14 +1227,14 @@ ZKDF-Public(zk,label):
1223 </t> 1227 </t>
1224 <t> 1228 <t>
1225 The Sign(d,message) and Verify(zk,message,signature) procedures MUST 1229 The Sign(d,message) and Verify(zk,message,signature) procedures MUST
1226 be implemented as defined in <xref target="ed25519" />. 1230 be implemented as defined in <xref target="RFC8032" />.
1227 </t> 1231 </t>
1228 <t> 1232 <t>
1229 Signatures for EDKEY zones using the derived private key a' 1233 Signatures for EDKEY zones using the derived private key a'
1230 are not compliant with <xref target="ed25519" />. 1234 are not compliant with <xref target="RFC8032" />.
1231 As the corresponding private key to the derived private scalar a' 1235 As the corresponding private key to the derived private scalar a'
1232 is not known, it is not possible to deterministically derive the 1236 is not known, it is not possible to deterministically derive the
1233 signature part R according to <xref target="ed25519" />. 1237 signature part R according to <xref target="RFC8032" />.
1234 Instead, signatures MUST be generated as follows for any given 1238 Instead, signatures MUST be generated as follows for any given
1235 message and private zone key: 1239 message and private zone key:
1236 A nonce is calculated from the highest 32 bytes of the 1240 A nonce is calculated from the highest 32 bytes of the
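Review bot: The paragraph at new lines 1233-1237 uses two names for the same value: "the derived private key a'" on line 1233 and "the derived private scalar a'" on line 1235, followed by "the corresponding private key ... is not known". With the references now pointing at RFC8032, where the private key is the seed d and a is the scalar derived from it, suggest calling a' a scalar throughout and reserving "private key" for d. Line 1229 also keeps Sign(d,message) while the previous hunk redefines ZKDF-Private on a; it would help to state that Sign(d,message) per RFC8032 applies to the non-derived key only and that the procedure described next applies to a'.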