author | Mikolai Gütschow <mikolai.guetschow@tu-dresden.de> | 2024-03-28 16:52:40 +0100 |
---|---|---|
committer | Mikolai Gütschow <mikolai.guetschow@tu-dresden.de> | 2024-03-28 16:52:40 +0100 |
commit | 267fb8ebe469a235205c834b9a36166c16b0c6c1 (patch) | |
tree | 4e67e9818f6262c58f1f147eed2d6b355ea0b48a /draft-guetschow-taler-protocol.md | |
parent | eea4a515ece86fa181e89758d5153fea769edec5 (diff) | |
Diffstat (limited to 'draft-guetschow-taler-protocol.md')
-rw-r--r-- | draft-guetschow-taler-protocol.md | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/draft-guetschow-taler-protocol.md b/draft-guetschow-taler-protocol.md index 79e05b7..460bc4e 100644 --- a/draft-guetschow-taler-protocol.md +++ b/draft-guetschow-taler-protocol.md | |||
@@ -30,6 +30,10 @@ author: | |||
30 | email: mikolai.guetschow@tu-dresden.de | 30 | email: mikolai.guetschow@tu-dresden.de |
31 | 31 | ||
32 | normative: | 32 | normative: |
33 | RFC2104: | ||
34 | RFC5869: | ||
35 | RFC6234: | ||
36 | HKDF: DOI.10.1007/978-3-642-14623-7_34 | ||
33 | 37 | ||
34 | informative: | 38 | informative: |
35 | 39 | ||
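Review bot: The `HKDF` entry added under `normative:` points at the paper that the new text only cites as the source of a suggestion ("as suggested in [HKDF]"), while the construction itself is specified through RFC5869 and RFC2104. Consider moving it under `informative:`, or state in the HKDF section which parts of the paper an implementer is required to follow.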
@@ -44,7 +48,106 @@ informative: | |||
44 | 48 | ||
45 | \[ TBW \] | 49 | \[ TBW \] |
46 | 50 | ||
51 | Beware that this document is still work-in-progress and may contain errors. | ||
52 | Use at your own risk! | ||
47 | 53 | ||
54 | # Notation | ||
55 | |||
56 | - `a | b` denotes the concatenation of a with b | ||
57 | |||
58 | # Cryptographic Primitives | ||
59 | |||
60 | ## Cryptographic Hash Functions | ||
61 | |||
62 | ### SHA-256 {#sha256} | ||
63 | |||
64 | Taler uses SHA-256 as defined in Section 5.1 of [RFC6234]. | ||
65 | |||
66 | ### SHA-512 {#sha512} | ||
67 | |||
68 | Taler uses SHA-512 as defined in Section 5.2 of [RFC6234]. | ||
69 | |||
70 | ### Truncated SHA-512 {#sha512-trunc} | ||
71 | |||
72 | ## Key Derivation Functions | ||
73 | |||
74 | ### HKDF {#hkdf} | ||
75 | |||
76 | The Hashed Key Derivation Function (HKDF) used in Taler is an instantiation of [RFC5869] | ||
77 | with two different hash functions for the Extract and Expand step as suggested in [HKDF]. | ||
78 | HMAC-SHA512 (HMAC [RFC2104] instantiated with SHA-512, cf. {{sha512}}) is used for `HKDF-Extract`. | ||
79 | HMAC-SHA256 (HMAC [RFC2104] instantiated with SHA-256, cf. {{sha256}}) is used for `HKDF-Expand`. | ||
80 | |||
81 | ~~~ | ||
82 | HKDF(salt, IKM, info, L) -> OKM | ||
83 | |||
84 | Inputs: | ||
85 | salt optional salt value (a non-secret random value); | ||
86 | if not provided, it is set to a string of 64 zeros. | ||
87 | IKM input keying material | ||
88 | info optional context and application specific information | ||
89 | (can be a zero-length string) | ||
90 | L length of output keying material in octets | ||
91 | (<= 255*32 = 8160) | ||
92 | |||
93 | Output: | ||
94 | OKM output keying material (of L octets) | ||
95 | ~~~ | ||
96 | |||
97 | The output OKM is calculated as follows: | ||
98 | |||
99 | ~~~ | ||
100 | PRK = HKDF-Extract(salt, IKM) with Hash = SHA-512, HashLen = 64 | ||
101 | OKM = HKDF-Expand(PRK, info, L) with Hash = SHA-256, HashLen = 32 | ||
102 | ~~~ | ||
103 | |||
104 | ### HKDF-Mod | ||
105 | |||
106 | Based on the HKDF defined in {{hkdf}}, this function returns an OKM that is smaller than a given big number N. | ||
107 | |||
108 | ~~~ | ||
109 | HKDF-Mod(N, salt, IKM, info) -> OKM | ||
110 | |||
111 | Inputs: | ||
112 | N big number; Nbits denotes the length of N in bits | ||
113 | salt optional salt value (a non-secret random value); | ||
114 | if not provided, it is set to a string of 64 zeros. | ||
115 | IKM input keying material | ||
116 | info optional context and application specific information | ||
117 | (can be a zero-length string) | ||
118 | |||
119 | Output: | ||
120 | OKM output keying material (smaller than N) | ||
121 | ~~~ | ||
122 | |||
123 | The output OKM is calculated as follows: | ||
124 | |||
125 | ~~~ | ||
126 | Nlen = ceil(Nbits / 8) | ||
127 | while true: | ||
128 | counter = 0 | ||
129 | c = 2 least significant octets of counter in network-byte order | ||
130 | x = HKDF(salt, IKM, info | c, NLen) | ||
131 | reset all but lower Nbits bits in x | ||
132 | if x < N: | ||
133 | OKM = x | ||
134 | break | ||
135 | counter += 1 | ||
136 | ~~~ | ||
137 | |||
138 | ## Non-Blind Signatures | ||
139 | |||
140 | ### Ed25519 | ||
141 | |||
142 | ## Blind Signatures | ||
143 | |||
144 | ### FDH-RSA | ||
145 | |||
146 | ### Clause-Schnorr | ||
147 | |||
148 | # The Taler Crypto Protocol | ||
149 | |||
150 | ## Withdrawal | ||
48 | 151 | ||
49 | # Security Considerations | 152 | # Security Considerations |
50 | 153 | ||
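Review bot: In the HKDF-Mod calculation, `counter = 0` sits inside `while true:`, so the counter is reset on every pass, `c` never changes, and because HKDF is deterministic the loop cannot terminate once the first candidate is >= N; move the initialisation above the loop. In the same block `Nlen` is defined but `NLen` is passed to HKDF, so pick one spelling. The text should also specify how `x` is interpreted as an integer (byte order) for "reset all but lower Nbits bits" and for `x < N`, what happens when the 2-octet counter is exhausted, and whether "a string of 64 zeros" means 64 zero-valued octets. The `Truncated SHA-512` section and the other heading-only sections would be clearer with the same `[ TBW ]` marker already used earlier in the document.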