[lsd0009] branch master updated: crypto primitives: hashes, HKDF, HKDF-Mod

From: gnunet
Subject: [lsd0009] branch master updated: crypto primitives: hashes, HKDF, HKDF-Mod
Date: Thu, 28 Mar 2024 16:52:45 +0100
This is an automated email from the git hooks/post-receive script.
mikolai-guetschow pushed a commit to branch master
in repository lsd0009.
The following commit(s) were added to refs/heads/master by this push:
new 267fb8e crypto primitives: hashes, HKDF, HKDF-Mod
267fb8e is described below
commit 267fb8ebe469a235205c834b9a36166c16b0c6c1
Author: Mikolai Gütschow <mikolai.guetschow@tu-dresden.de>
AuthorDate: Thu Mar 28 16:52:40 2024 +0100
crypto primitives: hashes, HKDF, HKDF-Mod
---
draft-guetschow-taler-protocol.md | 103 ++++++++++++++++
draft-guetschow-taler-protocol.xml | 238 ++++++++++++++++++++++++++++++++++---
2 files changed, 325 insertions(+), 16 deletions(-)
diff --git a/draft-guetschow-taler-protocol.md
b/draft-guetschow-taler-protocol.md
index 79e05b7..460bc4e 100644
--- a/draft-guetschow-taler-protocol.md
+++ b/draft-guetschow-taler-protocol.md
@@ -30,6 +30,10 @@ author:
email: mikolai.guetschow@tu-dresden.de
normative:
+ RFC2104:
+ RFC5869:
+ RFC6234:
+ HKDF: DOI.10.1007/978-3-642-14623-7_34
informative:
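Review bot: [HKDF] is placed under normative: but nothing an implementer must follow depends on it; the paper is cited only as the source of the suggestion to use different hash functions in Extract and Expand, while the actual construction is pinned down by RFC2104, RFC5869, RFC6234 and the HashLen values given in the HKDF section. Moving the DOI reference to informative: keeps the normative set to the documents that define behaviour.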
@@ -44,7 +48,106 @@ informative:
\[ TBW \]
+Beware that this document is still work-in-progress and may contain errors.
+Use at your own risk!
+# Notation
+
+- `a | b` denotes the concatenation of a with b
+
+# Cryptographic Primitives
+
+## Cryptographic Hash Functions
+
+### SHA-256 {#sha256}
+
+Taler uses SHA-256 as defined in Section 5.1 of [RFC6234].
+
+### SHA-512 {#sha512}
+
+Taler uses SHA-512 as defined in Section 5.2 of [RFC6234].
+
+### Truncated SHA-512 {#sha512-trunc}
+
+## Key Derivation Functions
+
+### HKDF {#hkdf}
+
+The Hashed Key Derivation Function (HKDF) used in Taler is an instantiation of
[RFC5869]
+with two different hash functions for the Extract and Expand step as suggested
in [HKDF].
+HMAC-SHA512 (HMAC [RFC2104] instantiated with SHA-512, cf. {{sha512}}) is used
for `HKDF-Extract`.
+HMAC-SHA256 (HMAC [RFC2104] instantiated with SHA-256, cf. {{sha256}}) is used
for `HKDF-Expand`.
+
+~~~
+HKDF(salt, IKM, info, L) -> OKM
+
+Inputs:
+ salt optional salt value (a non-secret random value);
+ if not provided, it is set to a string of 64 zeros.
+ IKM input keying material
+ info optional context and application specific information
+ (can be a zero-length string)
+ L length of output keying material in octets
+ (<= 255*32 = 8160)
+
+Output:
+ OKM output keying material (of L octets)
+~~~
+
+The output OKM is calculated as follows:
+
+~~~
+PRK = HKDF-Extract(salt, IKM) with Hash = SHA-512, HashLen = 64
+OKM = HKDF-Expand(PRK, info, L) with Hash = SHA-256, HashLen = 32
+~~~
+
+### HKDF-Mod
+
+Based on the HKDF defined in {{hkdf}}, this function returns an OKM that is
smaller than a given big number N.
+
+~~~
+HKDF-Mod(N, salt, IKM, info) -> OKM
+
+Inputs:
+ N big number; Nbits denotes the length of N in bits
+ salt optional salt value (a non-secret random value);
+ if not provided, it is set to a string of 64 zeros.
+ IKM input keying material
+ info optional context and application specific information
+ (can be a zero-length string)
+
+Output:
+ OKM output keying material (smaller than N)
+~~~
+
+The output OKM is calculated as follows:
+
+~~~
+Nlen = ceil(Nbits / 8)
+while true:
+ counter = 0
+ c = 2 least significant octets of counter in network-byte order
+ x = HKDF(salt, IKM, info | c, NLen)
+ reset all but lower Nbits bits in x
+ if x < N:
+ OKM = x
+ break
+ counter += 1
+~~~
+
+## Non-Blind Signatures
+
+### Ed25519
+
+## Blind Signatures
+
+### FDH-RSA
+
+### Clause-Schnorr
+
+# The Taler Crypto Protocol
+
+## Withdrawal
# Security Considerations
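Review bot: the HKDF-Mod loop never terminates once a candidate is rejected, because `counter = 0` sits inside `while true:` and is re-executed on every iteration, so `counter += 1` is immediately undone and the same x is recomputed forever whenever x >= N. Hoist the initialisation above the loop:

counter = 0
while true:
  c = 2 least significant octets of counter in network-byte order

Two smaller points in the same block: `Nlen` is defined but `NLen` is used in the HKDF call, and `reset all but lower Nbits bits in x` followed by `x < N` needs to state how the Nlen-octet string x is converted to an integer (big-endian, presumably, matching the network-byte-order counter) before the mask and comparison are applied; without that, two conforming implementations can derive different OKMs from the same inputs. With the mask in place the candidate is uniform in [0, 2^Nbits) and N >= 2^(Nbits-1), so each iteration succeeds with probability at least 1/2 and the 2-octet counter wrapping at 65536 is not a practical concern, but that expectation is worth stating next to the loop. The `Truncated SHA-512` section is still empty; if it is meant to be referenced by later sections, a TBW marker like the one in the introduction would make that explicit.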
diff --git a/draft-guetschow-taler-protocol.xml
b/draft-guetschow-taler-protocol.xml
index eab6d50..891e5e7 100644
--- a/draft-guetschow-taler-protocol.xml
+++ b/draft-guetschow-taler-protocol.xml
@@ -38,7 +38,7 @@
<abstract>
-<?line 37?>
+<?line 41?>
<t>[ TBW ]</t>
@@ -53,12 +53,131 @@
<middle>
-<?line 41?>
+<?line 45?>
<section anchor="introduction"><name>Introduction</name>
<t>[ TBW ]</t>
+<t>Beware that this document is still work-in-progress and may contain errors.
+Use at your own risk!</t>
+
+</section>
+<section anchor="notation"><name>Notation</name>
+
+<t><list style="symbols">
+ <t><spanx style="verb">a | b</spanx> denotes the concatenation of a with
b</t>
+</list></t>
+
+</section>
+<section anchor="cryptographic-primitives"><name>Cryptographic
Primitives</name>
+
+<section anchor="cryptographic-hash-functions"><name>Cryptographic Hash
Functions</name>
+
+<section anchor="sha256"><name>SHA-256</name>
+
+<t>Taler uses SHA-256 as defined in Section 5.1 of <xref
target="RFC6234"></xref>.</t>
+
+</section>
+<section anchor="sha512"><name>SHA-512</name>
+
+<t>Taler uses SHA-512 as defined in Section 5.2 of <xref
target="RFC6234"></xref>.</t>
+
+</section>
+<section anchor="sha512-trunc"><name>Truncated SHA-512</name>
+
+</section>
+</section>
+<section anchor="key-derivation-functions"><name>Key Derivation
Functions</name>
+
+<section anchor="hkdf"><name>HKDF</name>
+
+<t>The Hashed Key Derivation Function (HKDF) used in Taler is an instantiation
of <xref target="RFC5869"></xref>
+with two different hash functions for the Extract and Expand step as suggested
in <xref target="HKDF"></xref>.
+HMAC-SHA512 (HMAC <xref target="RFC2104"></xref> instantiated with SHA-512,
cf. <xref target="sha512"/>) is used for <spanx
style="verb">HKDF-Extract</spanx>.
+HMAC-SHA256 (HMAC <xref target="RFC2104"></xref> instantiated with SHA-256,
cf. <xref target="sha256"/>) is used for <spanx
style="verb">HKDF-Expand</spanx>.</t>
+
+<figure><artwork><![CDATA[
+HKDF(salt, IKM, info, L) -> OKM
+
+Inputs:
+ salt optional salt value (a non-secret random value);
+ if not provided, it is set to a string of 64 zeros.
+ IKM input keying material
+ info optional context and application specific information
+ (can be a zero-length string)
+ L length of output keying material in octets
+ (<= 255*32 = 8160)
+
+Output:
+ OKM output keying material (of L octets)
+]]></artwork></figure>
+
+<t>The output OKM is calculated as follows:</t>
+
+<figure><artwork><![CDATA[
+PRK = HKDF-Extract(salt, IKM) with Hash = SHA-512, HashLen = 64
+OKM = HKDF-Expand(PRK, info, L) with Hash = SHA-256, HashLen = 32
+]]></artwork></figure>
+
+</section>
+<section anchor="hkdf-mod"><name>HKDF-Mod</name>
+
+<t>Based on the HKDF defined in <xref target="hkdf"/>, this function returns
an OKM that is smaller than a given big number N.</t>
+
+<figure><artwork><![CDATA[
+HKDF-Mod(N, salt, IKM, info) -> OKM
+
+Inputs:
+ N big number; Nbits denotes the length of N in bits
+ salt optional salt value (a non-secret random value);
+ if not provided, it is set to a string of 64 zeros.
+ IKM input keying material
+ info optional context and application specific information
+ (can be a zero-length string)
+
+Output:
+ OKM output keying material (smaller than N)
+]]></artwork></figure>
+
+<t>The output OKM is calculated as follows:</t>
+
+<figure><artwork><![CDATA[
+Nlen = ceil(Nbits / 8)
+while true:
+ counter = 0
+ c = 2 least significant octets of counter in network-byte order
+ x = HKDF(salt, IKM, info | c, NLen)
+ reset all but lower Nbits bits in x
+ if x < N:
+ OKM = x
+ break
+ counter += 1
+]]></artwork></figure>
+
+</section>
+</section>
+<section anchor="non-blind-signatures"><name>Non-Blind Signatures</name>
+
+<section anchor="ed25519"><name>Ed25519</name>
+
+</section>
+</section>
+<section anchor="blind-signatures"><name>Blind Signatures</name>
+
+<section anchor="fdh-rsa"><name>FDH-RSA</name>
+
+</section>
+<section anchor="clause-schnorr"><name>Clause-Schnorr</name>
+
+</section>
+</section>
+</section>
+<section anchor="the-taler-crypto-protocol"><name>The Taler Crypto
Protocol</name>
+
+<section anchor="withdrawal"><name>Withdrawal</name>
+
+</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>
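Review bot: the same `counter = 0` placement bug and the `Nlen`/`NLen` mismatch are reproduced in the HKDF-Mod artwork here, so this file has the non-terminating loop as well. Since the XML is generated from draft-guetschow-taler-protocol.md by kramdown-rfc (the `<?line ...?>` markers and the markdown-source comment at the end of the file come from that tool), apply the fix in the markdown source and regenerate rather than editing the artwork by hand, otherwise the two files drift apart on the next build.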
@@ -77,10 +196,74 @@
<back>
+ <references title='Normative References' anchor="sec-normative-references">
+
+
+
+<reference anchor="RFC2104">
+ <front>
+ <title>HMAC: Keyed-Hashing for Message Authentication</title>
+ <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
+ <author fullname="M. Bellare" initials="M." surname="Bellare"/>
+ <author fullname="R. Canetti" initials="R." surname="Canetti"/>
+ <date month="February" year="1997"/>
+ <abstract>
+ <t>This document describes HMAC, a mechanism for message authentication
using cryptographic hash functions. HMAC can be used with any iterative
cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret
shared key. The cryptographic strength of HMAC depends on the properties of the
underlying hash function. This memo provides information for the Internet
community. This memo does not specify an Internet standard of any kind</t>
+ </abstract>
+ </front>
+ <seriesInfo name="RFC" value="2104"/>
+ <seriesInfo name="DOI" value="10.17487/RFC2104"/>
+</reference>
+
+<reference anchor="RFC5869">
+ <front>
+ <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
+ <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
+ <author fullname="P. Eronen" initials="P." surname="Eronen"/>
+ <date month="May" year="2010"/>
+ <abstract>
+ <t>This document specifies a simple Hashed Message Authentication Code
(HMAC)-based key derivation function (HKDF), which can be used as a building
block in various protocols and applications. The key derivation function (KDF)
is intended to support a wide range of applications and requirements, and is
conservative in its use of cryptographic hash functions. This document is not
an Internet Standards Track specification; it is published for informational
purposes.</t>
+ </abstract>
+ </front>
+ <seriesInfo name="RFC" value="5869"/>
+ <seriesInfo name="DOI" value="10.17487/RFC5869"/>
+</reference>
+
+<reference anchor="RFC6234">
+ <front>
+ <title>US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)</title>
+ <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
+ <author fullname="T. Hansen" initials="T." surname="Hansen"/>
+ <date month="May" year="2011"/>
+ <abstract>
+ <t>Federal Information Processing Standard, FIPS</t>
+ </abstract>
+ </front>
+ <seriesInfo name="RFC" value="6234"/>
+ <seriesInfo name="DOI" value="10.17487/RFC6234"/>
+</reference>
+
+<reference anchor="HKDF">
+ <front>
+ <title>Cryptographic Extraction and Key Derivation: The HKDF Scheme</title>
+ <author fullname="Hugo Krawczyk" initials="H." surname="Krawczyk">
+ <organization/>
+ </author>
+ <date year="2010"/>
+ </front>
+ <seriesInfo name="Advances in Cryptology – CRYPTO 2010" value="pp. 631-648"/>
+ <seriesInfo name="DOI" value="10.1007/978-3-642-14623-7_34"/>
+ <seriesInfo name="ISBN" value="["9783642146220",
"9783642146237"]"/>
+<refcontent>Springer Berlin Heidelberg</refcontent></reference>
+
+
+
+
+ </references>
-<?line 57?>
+<?line 160?>
<section anchor="change-log"><name>Change log</name>
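Review bot: the ISBN entry for the HKDF reference is not well-formed XML: `value="["9783642146220", "9783642146237"]"` closes the attribute after the opening bracket and leaves stray quotes and digits inside the tag, so the generated file will not parse and xml2rfc will reject the draft. The list is the raw array from the bibliographic record kramdown-rfc fetched for DOI.10.1007/978-3-642-14623-7_34; either hand-write the reference entry in the markdown (with a single ISBN, or with the ISBN dropped) or post-process the generated element to `<seriesInfo name="ISBN" value="9783642146237"/>`. While touching the references, note that the RFC6234 abstract consists only of the fragment `Federal Information Processing Standard, FIPS`, evidently truncated by the bibliography fetch; it is harmless because abstracts are not rendered in the references section, but a hand-written entry would avoid it.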
@@ -98,19 +281,42 @@ Education and Research (BMBF) within the project Concrete
Contracts.</t>
</back>
<!-- ##markdown-source:
-H4sIAAAAAAAAA22TzW7UMBDH736K0XKBg7NpkZAaCYm2SwuHVgi24kA5eO3Z
-xKxjR/ZkVwH1zbjxYoydQrWCS+SMfzPznw9LKcW+gZdCkCWHDSzWHcL17R2s
-lcMIH2KgoINbCBO0Vz0TJqotyXZESroLB0kZlMMjKLQibEOcGrB+G4SwQ2yA
-4pjotK7P6lNxCHHXxjAOmTA4IH88iUQRVX9s2+HEtGkEgISSp5x0nAYKbVRD
-NxUDapW6chrU1LNnEuIZ7NGP2PABIOIQGuiIhtQsl62lqvWjR6pCbJcumZql
-VWxeFtpxCYmeeAb+wy+FUCN1IbI8yckB5v7c2F1wysL1r59zh8odOzawvlvB
-KmLi4uDO2z3GZGmCsIU16s4HF9qp0GqzibjPDn/4Ys49Qhb2Dl3fBUff2VDB
-SV0uNYdqjnAdDOtZyfqkfnX2aBk95dlcY+yVn5Nhr6xroJ91V38n+4ZGaeZw
-lUEhfGAfYtUNT5Vn+/QnpJSsmdUoTULcf4H1xWe4/zpf9NYYh3ki7zl5MKMm
-G/wRli8/oR5jbsdl8MkajCpj6ZFbFY5DnN+e/0PcBo/VnGyj9C5zl53yLQJ3
-NP+d650PB4emnbfjR+PHfoMRzevFVrmEi4ejPOvOJsiLCgeVII3DECKh4eXk
-DYsEmwkov5PSRbjCrMXx5L3lHuSBirdcZpEHyhv4iAlV1B08v7i5uHoBB0sd
-x8ox+OF8Q025Jh2RMB9KH1MlfgM5XuVzngMAAA==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-->
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.