path: root/draft-guetschow-taler-protocol.xml
blob: 891e5e71ae2fb83399354f1a8a2398f8cf41c1e6
<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.5 (Ruby 3.1.2) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-guetschow-taler-protocol" category="info" submissionType="independent" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title>The GNU Taler Protocol</title>

    <author initials="M." surname="Gütschow" fullname="Mikolai Gütschow">
      <organization abbrev="TU Dresden">TUD Dresden University of Technology</organization>
      <address>
        <postal>
          <street>Helmholtzstr. 10</street>
          <city>Dresden</city>
          <code>D-01069</code>
          <country>Germany</country>
        </postal>
        <email>mikolai.guetschow@tu-dresden.de</email>
      </address>
    </author>

    <date year="2024" month="March" day="28"/>

    
    <workgroup>independent</workgroup>
    <keyword>taler</keyword> <keyword>cryptography</keyword> <keyword>ecash</keyword> <keyword>payments</keyword>

    <abstract>


<?line 41?>

<t>[ TBW ]</t>



    </abstract>



  </front>

  <middle>


<?line 45?>

<section anchor="introduction"><name>Introduction</name>

<t>[ TBW ]</t>

<t>Beware that this document is still work-in-progress and may contain errors.
Use at your own risk!</t>

</section>
<section anchor="notation"><name>Notation</name>

<t><list style="symbols">
  <t><spanx style="verb">a | b</spanx> denotes the concatenation of a with b</t>
</list></t>

</section>
<section anchor="cryptographic-primitives"><name>Cryptographic Primitives</name>

<section anchor="cryptographic-hash-functions"><name>Cryptographic Hash Functions</name>

<section anchor="sha256"><name>SHA-256</name>

<t>Taler uses SHA-256 as defined in Section 5.1 of <xref target="RFC6234"></xref>.</t>

</section>
<section anchor="sha512"><name>SHA-512</name>

<t>Taler uses SHA-512 as defined in Section 5.2 of <xref target="RFC6234"></xref>.</t>

</section>
<section anchor="sha512-trunc"><name>Truncated SHA-512</name>

</section>
</section>
<section anchor="key-derivation-functions"><name>Key Derivation Functions</name>

<section anchor="hkdf"><name>HKDF</name>

<t>The Hashed Key Derivation Function (HKDF) used in Taler is an instantiation of <xref target="RFC5869"></xref>
with two different hash functions for the Extract and Expand steps, as suggested in <xref target="HKDF"></xref>.
HMAC-SHA512 (HMAC <xref target="RFC2104"></xref> instantiated with SHA-512, cf. <xref target="sha512"/>) is used for <spanx style="verb">HKDF-Extract</spanx>.
HMAC-SHA256 (HMAC <xref target="RFC2104"></xref> instantiated with SHA-256, cf. <xref target="sha256"/>) is used for <spanx style="verb">HKDF-Expand</spanx>.</t>

<figure><artwork><![CDATA[
HKDF(salt, IKM, info, L) -> OKM

Inputs:
    salt     optional salt value (a non-secret random value);
              if not provided, it is set to a string of 64 zeros.
    IKM      input keying material
    info     optional context and application specific information
              (can be a zero-length string)
    L        length of output keying material in octets
              (<= 255*32 = 8160)

Output:
    OKM      output keying material (of L octets)
]]></artwork></figure>

<t>The output OKM is calculated as follows:</t>

<figure><artwork><![CDATA[
PRK = HKDF-Extract(salt, IKM) with Hash = SHA-512, HashLen = 64
OKM = HKDF-Expand(PRK, info, L) with Hash = SHA-256, HashLen = 32
]]></artwork></figure>

</section>
<section anchor="hkdf-mod"><name>HKDF-Mod</name>

<t>Based on the HKDF defined in <xref target="hkdf"/>, this function returns an OKM that is smaller than a given big number N.</t>

<figure><artwork><![CDATA[
HKDF-Mod(N, salt, IKM, info) -> OKM

Inputs:
    N        big number; Nbits denotes the length of N in bits
    salt     optional salt value (a non-secret random value);
              if not provided, it is set to a string of 64 zeros.
    IKM      input keying material
    info     optional context and application specific information
              (can be a zero-length string)

Output:
    OKM      output keying material (smaller than N)
]]></artwork></figure>

<t>The output OKM is calculated as follows:</t>

<figure><artwork><![CDATA[
Nlen = ceil(Nbits / 8)
counter = 0
while true:
    c = 2 least significant octets of counter in network-byte order
    x = HKDF(salt, IKM, info | c, Nlen)
    reset all but lower Nbits bits in x
    if x < N:
        OKM = x
        break
    counter += 1
]]></artwork></figure>
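
<t>The following Python code is an added example, not part of the draft or of the GNU Taler code base. It implements HKDF and HKDF-Mod as described in this section, with the counter initialised once before the loop. It assumes that x is read as a big-endian integer and that OKM is returned as an integer; the function names hkdf and hkdf_mod are chosen here.</t>

<figure><artwork><![CDATA[
```python
import hashlib
import hmac


def hkdf(salt, ikm, info, length):
    """HKDF with HMAC-SHA512 for Extract and HMAC-SHA256 for Expand."""
    if length > 255 * 32:
        raise ValueError("L must be <= 255*32 = 8160 octets")
    if not salt:
        salt = bytes(64)  # salt not provided: 64 zero octets
    prk = hmac.new(salt, ikm, hashlib.sha512).digest()  # HKDF-Extract
    okm, block, i = b"", b"", 0
    while len(okm) < length:  # HKDF-Expand, RFC 5869 Section 2.3
        i += 1
        data = block + info + bytes([i])
        block = hmac.new(prk, data, hashlib.sha256).digest()
        okm += block
    return okm[:length]


def hkdf_mod(n, salt, ikm, info):
    """Rejection-sample an integer smaller than n from HKDF output."""
    if n <= 0:
        raise ValueError("N must be positive")
    nbits = n.bit_length()
    nlen = (nbits + 7) // 8  # ceil(Nbits / 8)
    mask = (1 << nbits) - 1  # keeps only the lower Nbits bits
    counter = 0
    while True:
        # 2 least significant octets of counter, network byte order
        c = (counter & 0xFFFF).to_bytes(2, "big")
        # Assumption: x is interpreted as a big-endian integer.
        x = int.from_bytes(hkdf(salt, ikm, info + c, nlen), "big") & mask
        if x < n:
            return x  # Assumption: OKM is returned as an integer.
        counter += 1


if __name__ == "__main__":
    # Constructed sample inputs, not test vectors from the draft.
    n = 2**255 - 19
    print(hkdf(b"", b"constructed-ikm", b"demo", 48).hex())
    print(hkdf_mod(n, b"", b"constructed-ikm", b"demo"))
```
]]></artwork></figure>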

</section>
</section>
<section anchor="non-blind-signatures"><name>Non-Blind Signatures</name>

<section anchor="ed25519"><name>Ed25519</name>

</section>
</section>
<section anchor="blind-signatures"><name>Blind Signatures</name>

<section anchor="fdh-rsa"><name>FDH-RSA</name>

</section>
<section anchor="clause-schnorr"><name>Clause-Schnorr</name>

</section>
</section>
</section>
<section anchor="the-taler-crypto-protocol"><name>The Taler Crypto Protocol</name>

<section anchor="withdrawal"><name>Withdrawal</name>

</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>[ TBD ]</t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>None.</t>

</section>


  </middle>

  <back>


    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC2104">
  <front>
    <title>HMAC: Keyed-Hashing for Message Authentication</title>
    <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
    <author fullname="M. Bellare" initials="M." surname="Bellare"/>
    <author fullname="R. Canetti" initials="R." surname="Canetti"/>
    <date month="February" year="1997"/>
    <abstract>
      <t>This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="2104"/>
  <seriesInfo name="DOI" value="10.17487/RFC2104"/>
</reference>

<reference anchor="RFC5869">
  <front>
    <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
    <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
    <author fullname="P. Eronen" initials="P." surname="Eronen"/>
    <date month="May" year="2010"/>
    <abstract>
      <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="5869"/>
  <seriesInfo name="DOI" value="10.17487/RFC5869"/>
</reference>

<reference anchor="RFC6234">
  <front>
    <title>US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)</title>
    <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
    <author fullname="T. Hansen" initials="T." surname="Hansen"/>
    <date month="May" year="2011"/>
    <abstract>
      <t>Federal Information Processing Standard, FIPS</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="6234"/>
  <seriesInfo name="DOI" value="10.17487/RFC6234"/>
</reference>

<reference anchor="HKDF">
  <front>
    <title>Cryptographic Extraction and Key Derivation: The HKDF Scheme</title>
    <author fullname="Hugo Krawczyk" initials="H." surname="Krawczyk">
      <organization/>
    </author>
    <date year="2010"/>
  </front>
  <seriesInfo name="Advances in Cryptology – CRYPTO 2010" value="pp. 631-648"/>
  <seriesInfo name="DOI" value="10.1007/978-3-642-14623-7_34"/>
  <seriesInfo name="ISBN" value="[&quot;9783642146220&quot;, &quot;9783642146237&quot;]"/>
<refcontent>Springer Berlin Heidelberg</refcontent></reference>




    </references>



<?line 160?>

<section anchor="change-log"><name>Change log</name>

</section>
<section numbered="false" anchor="acknowledgments"><name>Acknowledgments</name>

<t>[ TBD ]</t>

<t>This work was supported in part by the German Federal Ministry of
Education and Research (BMBF) within the project Concrete Contracts.</t>

</section>


  </back>


</rfc>