crypto primitives: hashes, HKDF, HKDF-ModHEAD master

author: Mikolai Gütschow <mikolai.guetschow@tu-dresden.de> 2024-03-28 16:52:40 +0100
committer: Mikolai Gütschow <mikolai.guetschow@tu-dresden.de> 2024-03-28 16:52:40 +0100
commit: 267fb8ebe469a235205c834b9a36166c16b0c6c1 (patch)
tree: 4e67e9818f6262c58f1f147eed2d6b355ea0b48a /draft-guetschow-taler-protocol.md
parent: eea4a515ece86fa181e89758d5153fea769edec5 (diff)
download: lsd0009-master.tar.gz
lsd0009-master.zip
1 files changed, 103 insertions, 0 deletions
diff --git a/draft-guetschow-taler-protocol.md b/draft-guetschow-taler-protocol.md
index 79e05b7..460bc4e 100644
--- a/draft-guetschow-taler-protocol.md
+++ b/draft-guetschow-taler-protocol.md
@@ -30,6 +30,10 @@ author:
    email: mikolai.guetschow@tu-dresden.de
 normative:
+  RFC2104:
+  RFC5869:
+  RFC6234:
+  HKDF: DOI.10.1007/978-3-642-14623-7_34
 informative:
@@ -44,7 +48,106 @@ informative:
 \[ TBW \]
+Beware that this document is still work-in-progress and may contain errors.
+Use at your own risk!
+# Notation
+- `a | b` denotes the concatenation of a with b
+# Cryptographic Primitives
+## Cryptographic Hash Functions
+### SHA-256 {#sha256}
+Taler uses SHA-256 as defined in Section 5.1 of [RFC6234].
+### SHA-512 {#sha512}
+Taler uses SHA-512 as defined in Section 5.2 of [RFC6234].
+### Truncated SHA-512 {#sha512-trunc}
+## Key Derivation Functions
+### HKDF {#hkdf}
+The Hashed Key Derivation Function (HKDF) used in Taler is an instantiation of [RFC5869]
+with two different hash functions for the Extract and Expand step as suggested in [HKDF].
+HMAC-SHA512 (HMAC [RFC2104] instantiated with SHA-512, cf. {{sha512}}) is used for `HKDF-Extract`.
+HMAC-SHA256 (HMAC [RFC2104] instantiated with SHA-256, cf. {{sha256}}) is used for `HKDF-Expand`.
+~~~
+HKDF(salt, IKM, info, L) -> OKM
+Inputs:
+    salt     optional salt value (a non-secret random value);
+              if not provided, it is set to a string of 64 zeros.
+    IKM      input keying material
+    info     optional context and application specific information
+              (can be a zero-length string)
+    L        length of output keying material in octets
+              (<= 255*32 = 8160)
+Output:
+    OKM      output keying material (of L octets)
+~~~
+The output OKM is calculated as follows:
+~~~
+PRK = HKDF-Extract(salt, IKM) with Hash = SHA-512, HashLen = 64
+OKM = HKDF-Expand(PRK, info, L) with Hash = SHA-256, HashLen = 32
+~~~
+### HKDF-Mod
+Based on the HKDF defined in {{hkdf}}, this function returns an OKM that is smaller than a given big number N.
+~~~
+HKDF-Mod(N, salt, IKM, info) -> OKM
+Inputs:
+    N        big number; Nbits denotes the length of N in bits
+    salt     optional salt value (a non-secret random value);
+              if not provided, it is set to a string of 64 zeros.
+    IKM      input keying material
+    info     optional context and application specific information
+              (can be a zero-length string)
+Output:
+    OKM      output keying material (smaller than N)
+~~~
+The output OKM is calculated as follows:
+~~~
+Nlen = ceil(Nbits / 8)
+while true:
+    counter = 0
+    c = 2 least significant octets of counter in network-byte order
+    x = HKDF(salt, IKM, info | c, NLen)
+    reset all but lower Nbits bits in x
+    if x < N:
+        OKM = x
+        break
+    counter += 1
+~~~
+## Non-Blind Signatures
+### Ed25519
+## Blind Signatures
+### FDH-RSA
+### Clause-Schnorr
+# The Taler Crypto Protocol
+## Withdrawal
 # Security Considerations
author	Mikolai Gütschow <mikolai.guetschow@tu-dresden.de>	2024-03-28 16:52:40 +0100
committer	Mikolai Gütschow <mikolai.guetschow@tu-dresden.de>	2024-03-28 16:52:40 +0100
commit	267fb8ebe469a235205c834b9a36166c16b0c6c1 (patch)
tree	4e67e9818f6262c58f1f147eed2d6b355ea0b48a /draft-guetschow-taler-protocol.md
parent	eea4a515ece86fa181e89758d5153fea769edec5 (diff)
download	lsd0009-master.tar.gz lsd0009-master.zip

diff --git a/draft-guetschow-taler-protocol.md b/draft-guetschow-taler-protocol.md index 79e05b7..460bc4e 100644 --- a/draft-guetschow-taler-protocol.md +++ b/draft-guetschow-taler-protocol.md
@@ -30,6 +30,10 @@ author:
30	email: mikolai.guetschow@tu-dresden.de	30	email: mikolai.guetschow@tu-dresden.de
31		31
32	normative:	32	normative:
		33	RFC2104:
		34	RFC5869:
		35	RFC6234:
		36	HKDF: DOI.10.1007/978-3-642-14623-7_34
33		37
34	informative:	38	informative:
35		39
@@ -44,7 +48,106 @@ informative:
44		48
45	\[ TBW \]	49	\[ TBW \]
46		50
		51	Beware that this document is still work-in-progress and may contain errors.
		52	Use at your own risk!
47		53
		54	# Notation
		55
		56	- `a \| b` denotes the concatenation of a with b
		57
		58	# Cryptographic Primitives
		59
		60	## Cryptographic Hash Functions
		61
		62	### SHA-256 {#sha256}
		63
		64	Taler uses SHA-256 as defined in Section 5.1 of [RFC6234].
		65
		66	### SHA-512 {#sha512}
		67
		68	Taler uses SHA-512 as defined in Section 5.2 of [RFC6234].
		69
		70	### Truncated SHA-512 {#sha512-trunc}
		71
		72	## Key Derivation Functions
		73
		74	### HKDF {#hkdf}
		75
		76	The Hashed Key Derivation Function (HKDF) used in Taler is an instantiation of [RFC5869]
		77	with two different hash functions for the Extract and Expand step as suggested in [HKDF].
		78	HMAC-SHA512 (HMAC [RFC2104] instantiated with SHA-512, cf. {{sha512}}) is used for `HKDF-Extract`.
		79	HMAC-SHA256 (HMAC [RFC2104] instantiated with SHA-256, cf. {{sha256}}) is used for `HKDF-Expand`.
		80
		81	~~~
		82	HKDF(salt, IKM, info, L) -> OKM
		83
		84	Inputs:
		85	salt optional salt value (a non-secret random value);
		86	if not provided, it is set to a string of 64 zeros.
		87	IKM input keying material
		88	info optional context and application specific information
		89	(can be a zero-length string)
		90	L length of output keying material in octets
		91	(<= 255*32 = 8160)
		92
		93	Output:
		94	OKM output keying material (of L octets)
		95	~~~
		96
		97	The output OKM is calculated as follows:
		98
		99	~~~
		100	PRK = HKDF-Extract(salt, IKM) with Hash = SHA-512, HashLen = 64
		101	OKM = HKDF-Expand(PRK, info, L) with Hash = SHA-256, HashLen = 32
		102	~~~
		103
		104	### HKDF-Mod
		105
		106	Based on the HKDF defined in {{hkdf}}, this function returns an OKM that is smaller than a given big number N.
		107
		108	~~~
		109	HKDF-Mod(N, salt, IKM, info) -> OKM
		110
		111	Inputs:
		112	N big number; Nbits denotes the length of N in bits
		113	salt optional salt value (a non-secret random value);
		114	if not provided, it is set to a string of 64 zeros.
		115	IKM input keying material
		116	info optional context and application specific information
		117	(can be a zero-length string)
		118
		119	Output:
		120	OKM output keying material (smaller than N)
		121	~~~
		122
		123	The output OKM is calculated as follows:
		124
		125	~~~
		126	Nlen = ceil(Nbits / 8)
		127	while true:
		128	counter = 0
		129	c = 2 least significant octets of counter in network-byte order
		130	x = HKDF(salt, IKM, info \| c, NLen)
		131	reset all but lower Nbits bits in x
		132	if x < N:
		133	OKM = x
		134	break
		135	counter += 1
		136	~~~
		137
		138	## Non-Blind Signatures
		139
		140	### Ed25519
		141
		142	## Blind Signatures
		143
		144	### FDH-RSA
		145
		146	### Clause-Schnorr
		147
		148	# The Taler Crypto Protocol
		149
		150	## Withdrawal
48		151
49	# Security Considerations	152	# Security Considerations
50		153