draft-dijkhuis-cfrg-hdkeys.md (+41 -3)
@@ -393,6 +393,46 @@ Step 4 MAY be postponed to be combined with step 6. Steps 5 to 8 MAY be combined
# Generic HDK instantiations
+
## Using digital signatures
+
+
Instantiations of HDK using digital signatures require the following cryptographic constructs:
+
+
- `DSA`: A digital signature algorithm , consisting of the functions:
+
- Sign(sk, msg): Outputs the signature created using private signing key `sk` over byte string `msg`.
+
- Verify(signature, pk, msg): Outputs whether `signature` is a signature over `msg` using public verification key `pk`.
+
+
Using these constructs, an example proof of possession protocol is:
+
+
~~~
+
# 1. Unit shares with reader: pk
+
+
# 2. Reader computes:
+
nonce = generate_random_nonce() # out of scope for this spec
+
+
# 3. Reader shares with unit: nonce
+
+
# 4. Unit computes:
+
msg = create_message(pk, nonce) # out of scope for this spec
+
signature = Sign(sk, msg)
+
+
# 5. Reader computes:
+
msg = create_message(pk, nonce) # out of scope for this spec
+
Verify(signature, pk, msg)
+
~~~
+
+
By design of `BL`, the same proof of possession protocol can be used with blinded key pairs and BlindSign, in such a way that the reader does not recognise that key blinding was used.
+
+
An instantiation using `DSA` intantiates the following:
+
+
~~~
+
def BlindSign(sk, bf, msg):
+
sk' = BlindPrivateKey(sk, bf)
+
signature = Sign(sk', msg)
+
return signature
+
~~~
+
+
- [I-D.draft-irtf-cfrg-signature-key-blinding-07]
+
## Using elliptic curves
Instantiations of HDK using elliptic curves require the following cryptographic constructs:
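Review bot: The new "Using digital signatures" section leaves the property the proof of possession depends on implicit. The sentence "By design of `BL`, the same proof of possession protocol can be used with blinded key pairs and BlindSign" only holds if `Sign(BlindPrivateKey(sk, bf), msg)` verifies under the corresponding blinded public key and if signatures under blinded and unblinded keys are distributed identically; consider stating that as an explicit requirement on the `DSA`/`BL` pair rather than asserting it. Smaller points in the same hunk: the bare list item `- [I-D.draft-irtf-cfrg-signature-key-blinding-07]` has no sentence attaching it to anything and should be folded into prose (for example as the scheme whose BlindSign this section instantiates), "intantiates" should read "instantiates", and "algorithm ," has a stray space before the comma. Even with nonce generation out of scope, the protocol text could state that `nonce` must be fresh per run so that a previously captured `signature` is not accepted by a later reader.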
@@ -529,8 +569,6 @@ Such instantiations of HDK use EC additive blinding (see [Using EC additive blin
- `DSA`: An EC digital signature algorithm , consisting of the functions:
- Sign(sk, msg): Outputs the signature `(c, r)` created using private signing key `sk` over byte string `msg`.
- Verify(signature, pk, msg): Outputs whether `signature` is a signature over `msg` using public verification key `pk`.
-
- Serialize(c, r): Outputs the byte array serialization of the signature `(c, r)`.
-
- Deserialize(bytes): Outputs the signature `(c, r)` represented by byte string `bytes`.
Using these constructs, an example proof of possession protocol is:
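Review bot: Dropping `Serialize(c, r)` and `Deserialize(bytes)` from the EC `DSA` construct is only safe if nothing below still calls them; the hunk shows the definitions being removed but not the example proof of possession protocol that follows "Using these constructs, an example proof of possession protocol is:" nor the ECDSA instantiation sections. Please confirm those no longer reference signature serialization, or keep the two functions if the `(c, r)` byte encoding exchanged between unit and reader is still needed. On a visible context line, "algorithm ," has a stray space before the comma, the same as in the new digital-signatures section.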
@@ -610,7 +648,7 @@ This instantiation uses ECDH for proof of possession (see [Using ECDH shared sec
This instantiation uses ECDSA for proof of possession (see [Using ECDSA signatures](#using-ecdsa-signatures)) and ECDH for `KEM`.
-
- `ID`: `"HDK-ECSDSA-P256-v1"`
+
- `ID`: `"HDK-ECDSA-P256-v1"`
- `Ns`: 32
- `H`: SHA-256 [FIPS180-4] with:
- `H(msg)`: Implemented by computing `H(ID || msg)`.
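Review bot: Correcting the identifier from `"HDK-ECSDSA-P256-v1"` to `"HDK-ECDSA-P256-v1"` is more than a typo fix for implementers, because `ID` is the domain-separation prefix in `H(msg)`, implemented as `H(ID || msg)`: every hash and every key derived under the old string differs from the same computation under the new one. Consider calling this out in the draft's change log, and check the rest of the document for any other occurrence of the misspelt `ECSDSA` (section headings, anchors, test vectors) so that the rename is complete.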