Diffstat (limited to 'draft-schanzen-gns.xml')
-rw-r--r-- | draft-schanzen-gns.xml | 26 |
1 files changed, 15 insertions, 11 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index c79feb7..e78e264 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml | |||
@@ -1110,7 +1110,8 @@ S-Decrypt(zk,label,expiration,ciphertext): | |||
1110 | For EDKEY zones the zone key material is derived using the | 1110 | For EDKEY zones the zone key material is derived using the |
1111 | curve parameters of the twisted edwards representation | 1111 | curve parameters of the twisted edwards representation |
1112 | of Curve25519 <xref target="RFC7748" /> (a.k.a. Ed25519) | 1112 | of Curve25519 <xref target="RFC7748" /> (a.k.a. Ed25519) |
1113 | with the Ed25519-SHA-512 scheme <xref target="ed25519" />. | 1113 | with the Ed25519 scheme <xref target="ed25519" /> as specified in |
1114 | <xref target="RFC8032" />. | ||
1114 | Consequently, we use the following naming convention for our | 1115 | Consequently, we use the following naming convention for our |
1115 | cryptographic primitives for EDKEY zones: | 1116 | cryptographic primitives for EDKEY zones: |
1116 | </t> | 1117 | </t> |
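Review bot: On new lines 1113-1114 the scheme now carries two references in a row, `<xref target="ed25519" />` and `<xref target="RFC8032" />`, without saying which one is normative; since every other reference in this commit is switched to RFC8032, consider dropping the "ed25519" xref here or marking it as informative. The unchanged line 1112 also calls the curve "(a.k.a. Ed25519)" while the changed sentence uses Ed25519 for the signature scheme; the definition list below already uses "edwards25519" for the curve, and using that name here would keep curve and scheme apart.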
@@ -1123,28 +1124,28 @@ S-Decrypt(zk,label,expiration,ciphertext): | |||
1123 | <dt>a</dt> | 1124 | <dt>a</dt> |
1124 | <dd> | 1125 | <dd> |
1125 | is is an integer derived from d using the SHA-512 hash function | 1126 | is is an integer derived from d using the SHA-512 hash function |
1126 | as defined in <xref target="ed25519" />. | 1127 | as defined in <xref target="RFC8032" />. |
1127 | </dd> | 1128 | </dd> |
1128 | <dt>zk</dt> | 1129 | <dt>zk</dt> |
1129 | <dd> | 1130 | <dd> |
1130 | is the EdDSA public key corresponding to d. It is defined | 1131 | is the EdDSA public key corresponding to d. It is defined |
1131 | as the curve point a*G where G is the | 1132 | as the curve point a*G where G is the |
1132 | group generator of the elliptic curve | 1133 | group generator of the elliptic curve |
1133 | as defined in <xref target="ed25519" />. | 1134 | as defined in <xref target="RFC8032" />. |
1134 | </dd> | 1135 | </dd> |
1135 | <dt>p</dt> | 1136 | <dt>p</dt> |
1136 | <dd> | 1137 | <dd> |
1137 | is the prime of edwards25519 as defined in <xref target="RFC7748" />, i.e. | 1138 | is the prime of edwards25519 as defined in <xref target="RFC8032" />, i.e. |
1138 | 2^255 - 19. | 1139 | 2^255 - 19. |
1139 | </dd> | 1140 | </dd> |
1140 | <dt>G</dt> | 1141 | <dt>G</dt> |
1141 | <dd> | 1142 | <dd> |
1142 | is the group generator (X(P),Y(P)) of edwards25519 as defined in | 1143 | is the group generator (X(P),Y(P)) of edwards25519 as defined in |
1143 | <xref target="RFC7748" />. | 1144 | <xref target="RFC8032" />. |
1144 | </dd> | 1145 | </dd> |
1145 | <dt>L</dt> | 1146 | <dt>L</dt> |
1146 | <dd> | 1147 | <dd> |
1147 | is the order of the prime-order subgroup of edwards25519 in <xref target="RFC7748" />. | 1148 | is the order of the prime-order subgroup of edwards25519 in <xref target="RFC8032" />. |
1148 | </dd> | 1149 | </dd> |
1149 | <dt>KeyGen()</dt> | 1150 | <dt>KeyGen()</dt> |
1150 | <dd> | 1151 | <dd> |
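Review bot: The swapped references for a, zk, p, G and L (new lines 1127-1148) point at RFC8032 as a whole, while the KeyGen() entry further down is pinned to "Section 5.1.5 of"; a section number on each of these would let an implementer find the exact definition. Two smaller points in the same region: line 1126 still reads "is is an integer" and could be fixed while the neighbouring line is being touched, and the "(X(P),Y(P))" notation on line 1143 was written against the RFC7748 reference, so it is worth checking that it still matches how the newly cited document names the generator.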
@@ -1153,7 +1154,7 @@ S-Decrypt(zk,label,expiration,ciphertext): | |||
1153 | group generator of the elliptic curve and a is an integer | 1154 | group generator of the elliptic curve and a is an integer |
1154 | derived from d using the SHA-512 hash function | 1155 | derived from d using the SHA-512 hash function |
1155 | as defined | 1156 | as defined |
1156 | in Section 3.2. of <xref target="RFC8032" /> represents the KeyGen() | 1157 | in Section 5.1.5 of <xref target="RFC8032" /> represents the KeyGen() |
1157 | function. | 1158 | function. |
1158 | </dd> | 1159 | </dd> |
1159 | </dl> | 1160 | </dl> |
@@ -1164,11 +1165,14 @@ S-Decrypt(zk,label,expiration,ciphertext): | |||
1164 | </t> | 1165 | </t> |
1165 | <t> | 1166 | <t> |
1166 | The "EDKEY" ZKDF instantiation is based on <xref target="Tor224"/>. | 1167 | The "EDKEY" ZKDF instantiation is based on <xref target="Tor224"/>. |
1168 | For brevity, instead of using d as a parameter to the derivation, | ||
1169 | we define the ZKDF-Private() procedure on the derived integer a. | ||
1170 | The calculation of a Ed25519 is defined in <xref target="RFC8032" />. | ||
1167 | Given a label, the output of the ZKDF-Private function for zone | 1171 | Given a label, the output of the ZKDF-Private function for zone |
1168 | key blinding is calculated as follows for EDKEY zones: | 1172 | key blinding is calculated as follows for EDKEY zones: |
1169 | </t> | 1173 | </t> |
1170 | <artwork name="" type="" align="left" alt=""><![CDATA[ | 1174 | <artwork name="" type="" align="left" alt=""><![CDATA[ |
1171 | ZKDF-Private(d,label): | 1175 | ZKDF-Private(a,label): |
1172 | zk := a * G | 1176 | zk := a * G |
1173 | PRK_h := HKDF-Extract ("key-derivation", zk) | 1177 | PRK_h := HKDF-Extract ("key-derivation", zk) |
1174 | h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) | 1178 | h := HKDF-Expand (PRK_h, label | "gns", 512 / 8) |
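Review bot: The added sentence on new line 1170, "The calculation of a Ed25519 is defined in", is missing words and does not parse; something like "The calculation of a from d is defined in Section 5.1.5 of RFC8032" would match the KeyGen() entry above. The signature change to ZKDF-Private(a,label) is consistent with the body, which already starts from `zk := a * G`, but Sign(d,message) in the next hunk still takes d, so the text should say explicitly that callers derive a from d before invoking ZKDF-Private, and any other use of ZKDF-Private(d,label) outside this diff needs the same update.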
@@ -1223,14 +1227,14 @@ ZKDF-Public(zk,label): | |||
1223 | </t> | 1227 | </t> |
1224 | <t> | 1228 | <t> |
1225 | The Sign(d,message) and Verify(zk,message,signature) procedures MUST | 1229 | The Sign(d,message) and Verify(zk,message,signature) procedures MUST |
1226 | be implemented as defined in <xref target="ed25519" />. | 1230 | be implemented as defined in <xref target="RFC8032" />. |
1227 | </t> | 1231 | </t> |
1228 | <t> | 1232 | <t> |
1229 | Signatures for EDKEY zones using the derived private key a' | 1233 | Signatures for EDKEY zones using the derived private key a' |
1230 | are not compliant with <xref target="ed25519" />. | 1234 | are not compliant with <xref target="RFC8032" />. |
1231 | As the corresponding private key to the derived private scalar a' | 1235 | As the corresponding private key to the derived private scalar a' |
1232 | is not known, it is not possible to deterministically derive the | 1236 | is not known, it is not possible to deterministically derive the |
1233 | signature part R according to <xref target="ed25519" />. | 1237 | signature part R according to <xref target="RFC8032" />. |
1234 | Instead, signatures MUST be generated as follows for any given | 1238 | Instead, signatures MUST be generated as follows for any given |
1235 | message and private zone key: | 1239 | message and private zone key: |
1236 | A nonce is calculated from the highest 32 bytes of the | 1240 | A nonce is calculated from the highest 32 bytes of the |
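Review bot: After the reference swap, new lines 1229-1234 state that Sign and Verify MUST be implemented as defined in RFC8032 and, in the next paragraph, that signatures made with a' are not compliant with RFC8032; with both sentences now citing the same document this reads as a contradiction. Consider scoping the first MUST to signing with the non-derived key d, and stating whether Verify(zk,message,signature) is unchanged for signatures made with a', since the described deviation only concerns how the nonce for R is produced. The two paragraphs also alternate between "derived private key a'" and "derived private scalar a'"; one term used throughout would avoid the impression that these are different values.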