[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[taler-exchange] branch master updated: document FDH implementation in d
From: |
gnunet |
Subject: |
[taler-exchange] branch master updated: document FDH implementation in detail, fixing #6182 |
Date: |
Wed, 15 Jul 2020 22:25:23 +0200 |
This is an automated email from the git hooks/post-receive script.
grothoff pushed a commit to branch master
in repository exchange.
The following commit(s) were added to refs/heads/master by this push:
new c6278cee document FDH implementation in detail, fixing #6182
c6278cee is described below
commit c6278ceeab336169c72ef55b2c3399738bcc89be
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Wed Jul 15 22:25:06 2020 +0200
document FDH implementation in detail, fixing #6182
---
doc/system/taler/implementation.tex | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/doc/system/taler/implementation.tex
b/doc/system/taler/implementation.tex
index 973e9789..4b095b77 100644
--- a/doc/system/taler/implementation.tex
+++ b/doc/system/taler/implementation.tex
@@ -1536,9 +1536,30 @@ We write $\mathbb{Z}^*_N$ for the multiplicative group
of integers modulo $N$.
Given an $r \in \mathbb{Z}^*_N$, we write $r^{-1}$ for the multiplicative
inverse modulo $N$ of $r$.
-We write $H(m)$ for the SHA-512 hash of a bit string,
-and $\FDH(N,m)$ for the full domain hash that maps the bit string $m$ to an
element
-of $\mathbb{Z}^*_N$.
+We write $H(m)$ for the SHA-512 hash of a bit string.
+
+We write $\FDH(N,m)$ for the full domain hash that maps the bit string $m$ to
+an element of $\mathbb{Z}^*_N$. Specifically, $\FDH(N,m)$ is computed by
+first computing $H(m)$. Let $b := \lceil \log_2 N\rceil$. The full domain
+hash is then computed by iteratively computing a HKDF to obtain $b$ bits of
+output until the $b$-bit value is below $N$. The inputs to the HKDF are a
+``secret key'', a fixed context plus a 16-bit counter (in big endian) as a
+context chunk that is incremented until the computation succeeds. For the
+source key material, we use a binary encoding of the public RSA key with
+modulus $N$.\footnote{So technically, it is $\FDH(N,e,m)$, but we use the
+ simplified notation $\FDH(N,m)$.} Here, the public RSA key is encoded by
+first expressing the number of bits of the modulus and the public exponent as
+16-bit numbers in big endian, followed by the two numbers (again in unsigned
+big endian encoding).\footnote{See
+ \texttt{GNUNET\_CRYPTO\_rsa\_public\_key\_encode()}.} For the context, the
+C-string ``RSA-FDA FTpsW!'' (without 0-termination) is used. For the KDF, we
+instantiate the HKDF described in RFC 5869~\cite{rfc5869} using HMAC-SHA512 as
+XTR and HMAC-SHA256 as PRF*.\footnote{As suggested in
+ \url{http://eprint.iacr.org/2010/264.pdf}} Let the result of the first
+successful iteration of the HKDF function be $r$ with $0 \le r < N$. Then, to
+protect against a malicious exchange when blinding values, the $FDH(N,m)$
+function checks that $\gcd(r,n) = 1$. If not, the $\FDH(n,m)$ calculation
+fails because $n$ is determined to be malicious.
The expression $x \randsel X$ denotes uniform random selection of an element
$x$ from set $X$. We use $\algo{SelectSeeded}(s, X) \mapsto x$ for
pseudo-random uniform
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [taler-exchange] branch master updated: document FDH implementation in detail, fixing #6182,
gnunet <=