@@ -42,6 +42,7 @@ normative:
4242 RFC7800 :
4343 RFC8017 :
4444 RFC8235 :
45+ RFC9180 :
4546 RFC9380 :
4647 SEC2 :
4748 title : " SEC 2: Recommended Elliptic Curve Domain Parameters, Version 2.0"
@@ -233,10 +234,10 @@ The parameters of an HDK instantiation are:
233234 - BL-Combine-Blinding-Factors(bf1, bf2) : Outputs a blinding factor `bf` such that for all blinding key pairs `(pk, sk)`:
234235 - ` BL-Blind-Public-Key(pk, bf) == BL-Blind-Public-Key(BL-Blind-Public-Key(pk, bf1), bf2)`
235236 - ` BL-Blind-Private-Key(pk, bf) == BL-Blind-Private-Key(BL-Blind-Private-Key(pk, bf1), bf2)`
236- - `KEM` : A key encapsulation mechanism, consisting of the functions:
237- - KEM-Derive-Key-Pair(msg, ctx ) : Outputs a key encapsulation key pair `(pk, sk )`.
238- - KEM-Encaps (pk, ctx ) : Outputs `(k, c)` consisting of a shared secret `k` and a ciphertext `c`, taking key encapsulation public key `pk` and domain separation parameter `ctx`, a byte string .
239- - KEM-Decaps(sk, c, ctx ) : Outputs shared secret `k`, taking key encapsulation private key `sk` and domain separation `ctx`, a byte string .
237+ - `KEM` : A key encapsulation mechanism [RFC9180] , consisting of the functions:
238+ - KEM-Derive-Key-Pair(ikm ) : Outputs a key encapsulation key pair `(sk, pk )`.
239+ - KEM-Encap (pk) : Outputs `(k, c)` consisting of a shared secret `k` and a ciphertext `c`, taking key encapsulation public key `pk`.
240+ - KEM-Decap( c, sk ) : Outputs shared secret `k`, taking ciphertext `c` and key encapsulation private key `sk`.
240241- `Authenticate(sk_device, reader_data, bf)` : Outputs `device_data` for use in a protocol for proof of possession, taking a BL blinding private key `sk_device`, remotely received `reader_data`, and a BL blinding factor `bf`.
241242
242243An HDK instantiation MUST specify the instantiation of each of the above functions and values.
@@ -306,12 +307,12 @@ As a prerequisite, the unit possesses a `salt` of `Ns` bytes associated with a p
306307
307308~~~
308309# 1. Unit computes:
309- (pk_kem, sk_kem ) = KEM-Derive-Key-Pair(salt, ID )
310+ (sk_kem, pk_kem ) = KEM-Derive-Key-Pair(salt)
310311
311312# 2. Unit shares with issuer: (pk, pk_kem)
312313
313314# 3. Issuer computes:
314- (salt, kh) = KEM-Encaps (pk_kem, ID )
315+ (salt, kh) = KEM-Encap (pk_kem)
315316
316317# 4. Issuer shares with unit: kh
317318
@@ -324,7 +325,7 @@ pk' = BL-Blind-Public-Key(pk, bf)
324325# 6. Issuer shares with unit: pk'
325326
326327# 7. Unit verifies integrity:
327- salt' = KEM-Decaps(sk_kem, kh, ID )
328+ salt' = KEM-Decap( kh, sk_kem )
328329(bf, salt'') = HDK(salt', index)
329330pk' == BL-Blind-Public-Key(pk, bf)
330331
@@ -505,7 +506,7 @@ This instantiation uses ECDH for proof of possession (see [Using ECDH shared sec
505506 - `H1(msg)` : Implemented by computing `H(ID || msg)`.
506507- `EC` : The NIST curve `secp256r1` (P-256) [SEC2]
507508- `ECDH` : ECKA-DH with curve `EC`
508- - `KEM` : ECKA-DH with curve `EC`
509+ - `KEM` : DHKEM(P-256, HKDF-SHA256) [RFC9180]
509510
510511# # HDK-ECDSA-P256
511512
@@ -517,7 +518,7 @@ This instantiation uses ECDSA for proof of possession (see [Using ECDSA signatur
517518 - `H1(msg)` : Implemented by computing `H(ID || msg)`.
518519- `EC` : The NIST curve `secp256r1` (P-256) [SEC2]
519520- `DSA` : ECDSA with curve `EC`.
520- - `KEM` : ECKA-DH with curve `EC`
521+ - `KEM` : DHKEM(P-256, HKDF-SHA256) [RFC9180]
521522
522523# # HDK-ECSDSA-P256
523524
@@ -529,7 +530,7 @@ This instantiation uses EC-SDSA for proof of possession (see [Using EC-SDSA sign
529530 - `H1(msg)` : Implemented by computing `H(ID || msg)`.
530531- `EC` : The NIST curve `secp256r1` (P-256) [SEC2]
531532- `DSA` : EC-SDSA-opt (the optimised EC-SDSA) with curve `EC`.
532- - `KEM` : ECKA-DH with curve `EC`
533+ - `KEM` : DHKEM(P-256, HKDF-SHA256) [RFC9180]
533534
534535# Application considerations
535536
0 commit comments