[lsd0001] branch master updated: add modified tor approach for Ed25519-SHA512
From: gnunet
Subject: [lsd0001] branch master updated: add modified tor approach for Ed25519-SHA512
Date: Sat, 19 Sep 2020 15:45:05 +0200
This is an automated email from the git hooks/post-receive script.
martin-schanzenbach pushed a commit to branch master
in repository lsd0001.
The following commit(s) were added to refs/heads/master by this push:
new 9a394ba add modified tor approach for Ed25519-SHA512
9a394ba is described below
commit 9a394bafd50705ebfb70c7b38920d9a188afedbf
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
AuthorDate: Sat Sep 19 15:38:25 2020 +0200
add modified tor approach for Ed25519-SHA512
---
draft-schanzen-gns.xml | 154 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 153 insertions(+), 1 deletion(-)
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index 8db1fd9..bc7ee54 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -342,7 +342,129 @@ zk' := h mod L * zk
</section>
<section anchor="zone_type_edkey" numbered="true" toc="default">
<name>EDKEY Zone</name>
- <t>TODO: Do the same as the above with a Schnorr variant</t>
+ <t>
+ For EDKEY zones the zone key material is derived using the
+ curve parameters of the twisted edwards representation
+ of Curve25519 <xref target="RFC7748" /> (a.k.a. edwards25519)
+ with the Ed25519-SHA-512 scheme (<xref target="ed25519" />).
+ Consequently , we use the following naming convention for our
+ cryptographic primitives for EDKEY zones:
+ </t>
+ <dl>
+ <dt>d</dt>
+ <dd>
+ is a 256-bit EdDSA private zone key.
+ </dd>
+ <dt>zk</dt>
+ <dd>
+ is the EdDSA public zone key corresponding to d. It is defined in
+ <xref target="ed25519" /> as the curve point a*B where B is the
+ group generator of the elliptic curve and a is an integer
+ derived from d using a hashfunction.
+ The public key is used to uniquely identify a GNS zone and is
+ referred to as the "zone key".
+ </dd>
+ <dt>ztype</dt>
+ <dd>
+ is registered with the value "1" in GANA.
+ </dd>
+ <dt>p</dt>
+ <dd>
+ is the prime of edwards25519 as defined in <xref target="RFC7748"
/>, i.e.
+ 2^255 - 19.
+ </dd>
+ <dt>B</dt>
+ <dd>
+ is the group generator (X(P),Y(P)) of edwards25519 as defined in
+ <xref target="RFC7748" />.
+ </dd>
+ <dt>L</dt>
+ <dd>
+ is the prime-order subgroup of edwards25519 in <xref
target="RFC7748" />.
+ </dd>
+ </dl>
+ <t>
+ Given a label, the output of the HDKD-Private function for zone
+ key blinding is calculated as follows for EDKEY zones:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+zk := a * B
+PRK_h := HKDF-Extract ("key-derivation", zk)
+h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+h[0] &= 248;
+h[31] &= 127;
+h[31] |= 64;
+a' := h * a mod L
+ ]]></artwork>
+ <t>
+ Equally, given a label, the output of the HDKD-Public function is
+ calculated as follows for PKEY zones:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+PRK_h := HKDF-Extract ("key-derivation", zk)
+h := HKDF-Expand (PRK_h, label | "gns", 512 / 8)
+h[0] &= 248;
+h[31] &= 127;
+h[31] |= 64;
+zk' := h mod L * zk
+ ]]></artwork>
+ <t>
+ We use a hash-based key derivation function (HKDF) as defined in
+ <xref target="RFC5869" />. We use HMAC-SHA512 for the extraction
+ phase and HMAC-SHA256 for the expansion phase.
+ </t>
+ <dl>
+ <dt>PRK_h</dt>
+ <dd>
+ is key material retrieved using an HKDF using the string
+ "key-derivation" as salt and the public zone key "zk" as initial
+ keying material.
+ </dd>
+ <dt>h</dt>
+ <dd>
+ is the 512-bit HKDF expansion result. The expansion info input is
a
+ concatenation of the label and string "gns".
+ The result of the HKDF must be clamped.
+ </dd>
+ <dt>a</dt>
+ <dd>
+ is the 256-bit integer correspinding to the 256-bit private zone
+ key d as defined in <xref target="zone_type_edkey" />.
+ </dd>
+ <dt>label</dt>
+ <dd>is a UTF-8 string under which the resource records are
published.
+ </dd>
+ <dt>L</dt>
+ <dd>
+ is the prime-order subgroup as defined in <xref
target="zone_type_pkey" />.
+ </dd>
+ </dl>
+ <t>
+ We point out that the multiplication of "zk" with "h" is a point
multiplication,
+ while the multiplication of "a" with "h" is a scalar multiplication.
+ </t>
+ <t>
+ Signatures for EDKEY zones using the derived private key a'
+ are NOT compliant with <xref target="ed25519" />.
+ Instead, signatures MUST be generated as follows for any given
+ message M:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+R := rB
+S := r+SHA512(R,zk',M)*a*h mod L
+ ]]></artwork>
+ <t>
+ A signature (R,S) is valid if the following holds:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+SB == R + SHA512(R,zk',M)A' )
+ ]]></artwork>
+ <t>
+ The "zid" of an EDKEY is 32 + 4 bytes in length. This means that
+ a Base32-encoded "zTLD" will always fit into a single label and does
+ not need any further conversion.
+ </t>
+
</section>
</section>
</section>
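Review bot: The verification artwork `SB == R + SHA512(R,zk',M)A' )` has a stray closing parenthesis and uses `A'`, a symbol that is never defined in this hunk (the derived public key is called `zk'` everywhere else); it should read `SB == R + SHA512(R,zk',M)zk'`. The signing artwork `R := rB` / `S := r+SHA512(R,zk',M)*a*h mod L` also never says how the nonce `r` is produced: Ed25519 derives it deterministically from the second half of the SHA-512 hash of the seed and the message, and a reused or low-entropy `r` under the same `zk'` exposes the derived scalar, so the draft should state the derivation explicitly (the Tor approach the commit message refers to derives a blinded nonce prefix alongside the blinded scalar, which would be the natural fit here). Since `S = r + H(R,zk',M)*a' mod L` with `a' = h*a mod L` is exactly the Ed25519 verification relation under the public key `zk'`, the "NOT compliant" sentence should say that only the derivation of the private scalar and the nonce differs, so unmodified Ed25519 verifiers still accept these signatures. Smaller points in the same hunk: the HDKD-Public paragraph says "for PKEY zones" inside the EDKEY section; `h` is declared as `512 / 8` = 64 bytes, yet the clamping `h[0] &= 248; h[31] &= 127; h[31] |= 64` treats it as a 32-byte little-endian scalar, so the text should say which 32 bytes are clamped and then reduced mod L; `L` is described as "the prime-order subgroup" but is used as a modulus, so it should be the order of that subgroup; the `a` entry cites `zone_type_edkey`, which is this very section; and "correspinding" and "Consequently ," are typos.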
@@ -2078,6 +2200,36 @@ ee83f0cc79c4c5ea
</abstract>
</front>
</reference>
+ <reference anchor="ed25519"
target="http://link.springer.com/chapter/10.1007/978-3-642-23951-9_9">
+ <front>
+ <title>High-Speed High-Security Signatures</title>
+ <author initials="D." surname="Bernstein" fullname="Daniel
Bernstein">
+ <organization>University of Illinois at Chicago</organization>
+ </author>
+
+ <author initials="N." surname="Duif"
+ fullname="Niels Duif">
+ <organization>Technische Universiteit Eindhoven</organization>
+
+ </author>
+ <author initials="T." surname="Lange"
+ fullname="Tanja Lange">
+ <organization>Technische Universiteit Eindhoven</organization>
+
+ </author>
+ <author initials="P." surname="Schwabe"
+ fullname="Peter Schwabe">
+ <organization>National Taiwan University</organization>
+
+ </author>
+ <author initials="B." surname="Yang"
+ fullname="Bo-Yin Yang">
+ <organization>Academia Sinica</organization>
+
+ </author>
+ <date year="2011"/>
+ </front>
+ </reference>
<!-- <reference anchor="ISO20022">
<front>
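Review bot: The new `ed25519` reference gives no publication venue, so a reader cannot tell whether the CHES 2011 proceedings chapter or the later Journal of Cryptographic Engineering version is meant; add a `<seriesInfo>` carrying the venue and the DOI 10.1007/978-3-642-23951-9_9 that already appears in the `target` URL, and change the `target` scheme to `https://`. The first author is listed as `initials="D."` with `fullname="Daniel Bernstein"`, while the paper's author line reads "Daniel J. Bernstein", so the initials should be "D. J.". The blank `+` lines inserted inside each `<author>` element after `<organization>` serve no purpose and differ from the surrounding reference entries; drop them. Finally, since the EDKEY section's clamping and `SHA512(R,zk',M)` signature notation follow the RFC 8032 formulation rather than the 2011 paper, consider citing RFC 8032 as the normative reference for Ed25519 encoding and verification and keeping this entry as the informative origin of the scheme.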
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.