From e9b145074412eca6ae74f12e8ffebf2798f0fd74 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 5 Mar 2024 13:16:41 +0100 Subject: [PATCH 01/11] Move BIP32 to informative references --- draft-bradleylundberg-cfrg-arkg.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index a121b40..44c78a1 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -45,12 +45,6 @@ normative: RFC4949: RFC5869: RFC6090: - BIP32: - target: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki - title: BIP 32 Hierarchical Deterministic Wallets - author: - - name: Pieter Wuille - date: 2012 SEC1: target: http://www.secg.org/sec1-v2.pdf author: @@ -59,6 +53,12 @@ normative: title: SEC 1 Elliptic Curve Cryptography informative: + BIP32: + target: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki + title: BIP 32 Hierarchical Deterministic Wallets + author: + - name: Pieter Wuille + date: 2012 Clermont: target: https://www.cryptoplexity.informatik.tu-darmstadt.de/media/crypt/teaching_1/theses_1/Sebastian_Clermont_Thesis.pdf author: From 8d362b017a4ebf99b227f7df31cb2f15b1d86f3b Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 5 Mar 2024 15:31:34 +0100 Subject: [PATCH 02/11] Fix date and title of SEC 1 reference --- draft-bradleylundberg-cfrg-arkg.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index 44c78a1..f1839e6 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -49,8 +49,8 @@ normative: target: http://www.secg.org/sec1-v2.pdf author: - org: Certicom Research - date: 2020 - title: SEC 1 Elliptic Curve Cryptography + date: 2009 + title: 'SEC 1: Elliptic Curve Cryptography' informative: BIP32: From a7fc7ba82f31881cd3a572d3693e9b0c8610d934 Mon Sep 17 00:00:00 2001 
From: Emil Lundberg Date: Tue, 5 Mar 2024 15:31:48 +0100 Subject: [PATCH 03/11] Fix [SEC1] references --- draft-bradleylundberg-cfrg-arkg.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index f1839e6..9b76bbb 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -497,10 +497,10 @@ Let `crv` be an elliptic curve. Then the `BL` parameter of ARKG may be instantiated as follows: - Elliptic curve points are encoded to and from octet strings - using the procedures defined in sections 2.3.3 and 2.3.4 of [SEC 1][sec1]. + using the procedures defined in sections 2.3.3 and 2.3.4 of [SEC1]. - Elliptic curve scalar values are encoded to and from octet strings - using the procedures defined in sections 2.3.7 and 2.3.8 of [SEC 1][sec1]. + using the procedures defined in sections 2.3.7 and 2.3.8 of [SEC1]. - `N` is the order of `crv`. - `G` is the generator of `crv`. @@ -546,13 +546,13 @@ Let `crv` be an elliptic curve used for ECDH. Then the `KEM` parameter of ARKG may be instantiated as follows: - Elliptic curve points are encoded to and from octet strings - using the procedures defined in sections 2.3.3 and 2.3.4 of [SEC 1][sec1]. + using the procedures defined in sections 2.3.3 and 2.3.4 of [SEC1]. - Elliptic curve coordinate field elements are encoded to and from octet strings - using the procedures defined in sections 2.3.5 and 2.3.6 of [SEC 1][sec1]. + using the procedures defined in sections 2.3.5 and 2.3.6 of [SEC1]. - Elliptic curve scalar values are encoded to and from octet strings - using the procedures defined in sections 2.3.7 and 2.3.8 of [SEC 1][sec1]. + using the procedures defined in sections 2.3.7 and 2.3.8 of [SEC1]. - `ECDH(pk, sk)` represents the compact output of ECDH [RFC6090] using public key (curve point) `pk` and secret key (exponent) `sk`. From 63a054039ca078aaa8857f60531f50bb7e107fe0 Mon Sep 17 00:00:00 2001 
From: Emil Lundberg Date: Tue, 5 Mar 2024 15:33:02 +0100 Subject: [PATCH 04/11] Escape non-reference usage of [...] --- draft-bradleylundberg-cfrg-arkg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index 9b76bbb..edcb6b9 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -168,7 +168,7 @@ Some motivating use cases of ARKG include: - Enhanced forward secrecy for encrypted messaging. For example, [section 8.5.4 of RFC 9052][rfc9052-direct-key-agreement] defines COSE representations for encrypted messages and notes that "Since COSE is designed for a store-and-forward environment rather than an online environment, - [...] forward secrecy (see [RFC4949]) is not achievable. A static key will always be used for the receiver of the COSE object." + \[...\] forward secrecy (see [RFC4949]) is not achievable. A static key will always be used for the receiver of the COSE object." Applications could work around this limitation by exchanging a large number of keys in advance, but that number limits how many messages can be sent before another such exchange is needed. This also requires the sender to allocate storage space for the keys, From fba763398ef1512773bfe3fd64e7a1897fb2bc6c Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 5 Mar 2024 15:33:42 +0100 Subject: [PATCH 05/11] Define reference SEC2 --- draft-bradleylundberg-cfrg-arkg.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index edcb6b9..b3c32e0 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md 
@@ -51,6 +51,12 @@ normative: - org: Certicom Research date: 2009 title: 'SEC 1: Elliptic Curve Cryptography' + SEC2: + target: http://www.secg.org/sec2-v2.pdf + author: + - org: Certicom Research + date: 2010 + title: 'SEC 2: Recommended Elliptic Curve Domain Parameters' informative: BIP32: From ec87e9a7dd4f8cd1472b2d146b823fb3ef952495 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 5 Mar 2024 14:18:30 +0100 Subject: [PATCH 06/11] Rename function options to ARKG instance parameters --- draft-bradleylundberg-cfrg-arkg.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index a121b40..6d6e765 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -361,7 +361,7 @@ The subordinate party will then be able to generate public keys on behalf of the ~~~pseudocode ARKG-Generate-Seed() -> (pk, sk) - Options: + ARKG instance parameters: BL A key blinding scheme. KEM A key encapsulation mechanism. @@ -391,7 +391,7 @@ in order to generate any number of public keys. ~~~pseudocode ARKG-Derive-Public-Key((pk_kem, pk_bl), info) -> (pk', kh) - Options: + ARKG instance parameters: BL A key blinding scheme. KEM A key encapsulation mechanism. MAC A MAC scheme. @@ -439,7 +439,7 @@ in order to derive the same or different secret keys any number of times. ~~~pseudocode ARKG-Derive-Secret-Key((sk_kem, sk_bl), kh, info) -> sk' - Options: + ARKG instance parameters: BL A key blinding scheme. KEM A key encapsulation mechanism. MAC A MAC scheme. From 00cbc06a0c876986af0e401a1a1c185b92d0707c Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 5 Mar 2024 14:22:50 +0100 Subject: [PATCH 07/11] Declare info inputs as octet strings --- draft-bradleylundberg-cfrg-arkg.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index 6d6e765..15730be 100644 
--- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -404,8 +404,9 @@ ARKG-Derive-Public-Key((pk_kem, pk_bl), info) -> (pk', kh) Inputs: pk_kem A key encapsulation public key. pk_bl A key blinding public key. - info Optional context and application specific - information (can be a zero-length string). + info An octet string containing optional context + and application specific information + (can be a zero-length string). Output: pk' A blinded public key. @@ -453,8 +454,9 @@ ARKG-Derive-Secret-Key((sk_kem, sk_bl), kh, info) -> sk' sk_kem A key encapsulation secret key. sk_bl A key blinding secret key. kh A key handle output from ARKG-Derive-Public-Key. - info Optional context and application specific - information (can be a zero-length string). + info An octet string containing optional context + and application specific information + (can be a zero-length string). Output: sk' A blinded secret key. From 26666d26ac7331f259e9169d6ed5d63b07c5c255 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Mon, 18 Mar 2024 17:46:17 +0100 Subject: [PATCH 08/11] Tweak first sentence of sections on using EC as BL and KEM --- draft-bradleylundberg-cfrg-arkg.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index a121b40..b5bd467 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -490,7 +490,7 @@ which can be used to define concrete ARKG instantiations. ## Using elliptic curve arithmetic for key blinding {#blinding-ec} Instantiations of ARKG whose output keys are elliptic curve keys -can use elliptic curve arithmetic as the key blinding scheme `BL`. [Frymann2020] [Wilson] +can use elliptic curve arithmetic as the key blinding scheme `BL` [Frymann2020] [Wilson]. This section defines a general formula for such instantiations of `BL`. Let `crv` be an elliptic curve. 
@@ -539,7 +539,7 @@ BL-Blind-Secret-Key(sk, tau) -> sk_tau ## Using ECDH as the KEM {#kem-ecdh} -Instantiations of ARKG can use ECDH [RFC6090] as the key encapsulation mechanism. +Instantiations of ARKG can use ECDH [RFC6090] as the key encapsulation mechanism `KEM` [Frymann2020] [Wilson]. This section defines a general formula for such instantiations of `KEM`. Let `crv` be an elliptic curve used for ECDH. From 09cf06cb989d3ef01450d214ad571ed6be508029 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Mon, 18 Mar 2024 17:56:29 +0100 Subject: [PATCH 09/11] Convert some TODOs to editor footnotes --- draft-bradleylundberg-cfrg-arkg.md | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index b5bd467..394602a 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -121,6 +121,8 @@ We expect that additional instances will be defined in the future. --- middle +{:emlun: source="Emil"} + # Introduction Asymmetric cryptography, also called public key cryptography, is a fundamental component of much of modern information security. @@ -513,8 +515,6 @@ BL-Generate-Keypair() -> (pk, sk) If pk_tmp equals the point at infinity, abort with an error. pk = pk_tmp - TODO: Also reject G? - BL-Blind-Public-Key(pk, tau) -> pk_tau @@ -523,8 +523,6 @@ BL-Blind-Public-Key(pk, tau) -> pk_tau If pk_tau_tmp equals the point at infinity, abort with an error. pk_tau = pk_tau_tmp - TODO: Also reject G? - BL-Blind-Secret-Key(sk, tau) -> sk_tau @@ -532,10 +530,12 @@ BL-Blind-Secret-Key(sk, tau) -> sk_tau sk_tau_tmp = sk + tau If sk_tau_tmp = 0, abort with an error. sk_tau = sk_tau_tmp - - TODO: Also reject 1? ~~~ +[^also_reject_g]{:emlun} +[^also_reject_1]{:emlun} + + ## Using ECDH as the KEM {#kem-ecdh} 
@@ -568,8 +568,6 @@ KEM-Generate-Keypair() -> (pk, sk) If pk_tmp equals the point at infinity, abort with an error. pk = pk_tmp - TODO: Also reject G? - KEM-Encaps(pk) -> (k, c) (pk', sk') = KEM-Generate-Keypair() @@ -584,6 +582,8 @@ KEM-Decaps(sk, c) -> k k = ECDH(pk', sk) ~~~ +[^also_reject_g]{:emlun} + ## Using both elliptic curve arithmetic for key blinding and ECDH as the KEM {#blinding-kem-ecdh} @@ -593,7 +593,7 @@ then both of them MAY use the same curve or MAY use different curves. If both use the same curve, then it is also possible to use the same public key as both the key blinding public key and the KEM public key. [Frymann2020] -TODO: Caveats? I think I read in some paper or thesis about specific drawbacks of using the same key for both. +[^same_key_caveats]{:emlun} ## Using HMAC as the MAC {#mac-hmac} @@ -858,3 +858,7 @@ TODO -01 Editorial Fixes to formatting and references. + +[^also_reject_g]: ISSUE: Also reject point G? +[^also_reject_1]: ISSUE: Also reject scalar 1? +[^same_key_caveats]: ISSUE: Caveats? I think I read in some paper or thesis about specific drawbacks of using the same key for both. From 9b63edd02f7fca02baf189f63c38f85f11681988 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Mon, 18 Mar 2024 17:57:25 +0100 Subject: [PATCH 10/11] Remove explicit but unused references section --- draft-bradleylundberg-cfrg-arkg.md | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index 394602a..3faec89 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md 
@@ -809,23 +809,6 @@ one can also break the same property of the construction by Frymann et al. TODO -# References - -TODO - -TODO: Ask authors for canonical reference addresses - - - -[att-cred-data]: https://w3c.github.io/webauthn/#attested-credential-data -[authdata]: https://w3c.github.io/webauthn/#authenticator-data -[ctap2-canon]: https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#ctap2-canonical-cbor-encoding-form -[privacy-cons]: https://www.w3.org/TR/2019/WD-webauthn-2-20191126/#sctn-credential-id-privacy-leak -[rp-auth-ext-processing]: https://w3c.github.io/webauthn/#sctn-verifying-assertion -[rp-reg-ext-processing]: https://w3c.github.io/webauthn/#sctn-registering-a-new-credential - - - --- back # Acknowledgements From e0e26efe08e4e05d1996a574c980f94e382a81ee Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Wed, 3 Apr 2024 17:07:32 +0200 Subject: [PATCH 11/11] Disambiguate PRK variable --- draft-bradleylundberg-cfrg-arkg.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index a121b40..145af16 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -625,14 +625,14 @@ Then the `KDF` parameter of ARKG may be instantiated using HKDF [RFC5869] as fol ~~~pseudocode KDF(info, ikm, L) -> okm - PRK = HKDF-Extract with the arguments: + prk = HKDF-Extract with the arguments: Hash: Hash salt: not set IKM: ikm okm = HKDF-Expand with the arguments: Hash: Hash - PRK: PRK + PRK: prk info: info L: L ~~~
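Review bot: patch 05 ("Define reference SEC2") adds `SEC2` under `normative:` but no hunk in this series cites `[SEC2]`; kramdown-rfc/xml2rfc will report it as an unused reference, and an unused normative reference is also a downref-style nit reviewers will raise. Either add the citation in the same patch (the EC sections in patches 03 and 08 are the natural place, next to the `[SEC1]` encoding citations) or, if it is only needed to name curve domain parameters, put it under `informative:` as patch 01 does for `BIP32`.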
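Review bot: in patch 09, hunk `@@ -532,10 +530,12 @@ BL-Blind-Secret-Key`, the check `If sk_tau_tmp = 0, abort with an error.` is only reachable if `sk_tau_tmp = sk + tau` is reduced modulo `N`; for `sk, tau` in `[1, N-1]` the unreduced sum is never 0. If the section's scalar arithmetic is already defined mod `N` this is fine, otherwise write the reduction explicitly. Separately, the two editor footnotes placed after the fence, `[^also_reject_g]{:emlun}` and `[^also_reject_1]{:emlun}`, record one decision, not two: `1 * G = G`, so rejecting a public key equal to `G` is the same as rejecting secret scalar 1, and for the blinded key `pk_tau = G` exactly when `sk + tau = 1 mod N`. Merge them into one issue, and since the inline `TODO`s were removed from three different functions, say in the footnote text which functions it applies to; a bare marker after the closing `~~~` loses that locality.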
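Review bot: in patch 09, hunk `@@ -584,6 +582,8 @@ KEM-Decaps(sk, c) -> k`, the context shows `k = ECDH(pk', sk)` with no validation of `pk'` after it is decoded from the ciphertext `c`, while the neighbouring `KEM-Generate-Keypair` hunk does abort on the point at infinity. Decapsulation consumes attacker-controlled input, so `KEM-Decaps` should abort if `pk'` decodes to the point at infinity (or fails to decode at all); the SEC1 2.3.4 decoding cited in patch 03 checks the curve equation but still accepts the single-octet encoding of the identity. The same `[^also_reject_g]{:emlun}` marker is reused here, so whatever is decided for `BL` should be stated once and referenced from both sections.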
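Review bot: in patch 09, hunk `@@ -858,3 +858,7 @@ TODO`, the footnote definition `[^same_key_caveats]: ISSUE: Caveats? I think I read in some paper or thesis about specific drawbacks of using the same key for both.` keeps the first-person speculation of the old `TODO` in text that will now be rendered in the draft. Rephrase it as an actionable issue ("ISSUE: identify and cite the source for drawbacks of sharing one key between `BL` and `KEM`"), and if the source is the thesis already listed under `informative:` in patch 01 (`Clermont`), cite it there instead of guessing. Also note these three definitions land after the document-history entry (`-01 Editorial Fixes to formatting and references.`) rather than in the `--- back` matter; check that kramdown-rfc still resolves them from that position.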
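Review bot: patch 10 ("Remove explicit but unused references section") drops `TODO: Ask authors for canonical reference addresses` with no replacement, although patch 09 establishes the convention of converting such TODOs into `{:emlun}` editor footnotes; carry this one over the same way so the reminder survives into the rendered draft. Before merging, also confirm that none of the removed reference-style labels (`[att-cred-data]`, `[authdata]`, `[ctap2-canon]`, `[privacy-cons]`, `[rp-auth-ext-processing]`, `[rp-reg-ext-processing]`) is still used in a `[text][label]` link elsewhere in the file: the draft does use that link form (see `[section 8.5.4 of RFC 9052][rfc9052-direct-key-agreement]` in patch 04), and kramdown renders a link with an undefined label as literal bracketed text rather than failing.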
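Review bot: patch 11 ("Disambiguate PRK variable") is based on `index a121b40..145af16`, the same parent as patches 06 (`a121b40..6d6e765`) and 08 (`a121b40..b5bd467`), while patches 02 to 05 chain from `44c78a1` and 09 and 10 chain only from 08. The series is therefore four independent branches rather than a linear stack, and applying it in order with `git am` will need `-3` fallback or fail on the overlapping `normative:` and pseudocode regions. Rebase so each patch's pre-image matches the previous patch's post-image. The rename itself is fine: lowercase `prk` no longer shadows the `PRK:` argument name of `HKDF-Expand` and matches the existing `ikm`/`okm` naming.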