Skip to content

Commit

Permalink
Script updating gh-pages from d6c935f. [ci skip]
Browse files Browse the repository at this point in the history
  • Loading branch information
ID Bot committed Apr 12, 2024
1 parent 5ecc1e0 commit 3aed430
Show file tree
Hide file tree
Showing 2 changed files with 77 additions and 38 deletions.
59 changes: 42 additions & 17 deletions review-2024-04-03/ec-arithmetic/draft-bradleylundberg-cfrg-arkg.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1040,7 +1040,7 @@
</tr></thead>
<tfoot><tr>
<td class="left">Lundberg &amp; Bradley</td>
<td class="center">Expires 10 October 2024</td>
<td class="center">Expires 14 October 2024</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
Expand All @@ -1053,12 +1053,12 @@
<dd class="internet-draft">draft-bradleylundberg-cfrg-arkg-latest</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2024-04-08" class="published">8 April 2024</time>
<time datetime="2024-04-12" class="published">12 April 2024</time>
</dd>
<dt class="label-intended-status">Intended Status:</dt>
<dd class="intended-status">Informational</dd>
<dt class="label-expires">Expires:</dt>
<dd class="expires"><time datetime="2024-10-10">10 October 2024</time></dd>
<dd class="expires"><time datetime="2024-10-14">14 October 2024</time></dd>
<dt class="label-authors">Authors:</dt>
<dd class="authors">
<div class="author">
Expand Down Expand Up @@ -1117,7 +1117,7 @@ <h2 id="name-status-of-this-memo">
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow"></a></p>
<p id="section-boilerplate.1-4">
This Internet-Draft will expire on 10 October 2024.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
This Internet-Draft will expire on 14 October 2024.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
</section>
</div>
<div id="copyright">
Expand Down Expand Up @@ -1165,6 +1165,11 @@ <h2 id="name-copyright-notice">
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2">
<p id="section-toc.1-1.2.2.2.1"><a href="#section-2.2" class="auto internal xref">2.2</a>.  <a href="#name-the-function-arkg-generate-" class="internal xref">The function ARKG-Generate-Seed</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2.2.1">
<p id="section-toc.1-1.2.2.2.2.1.1"><a href="#section-2.2.1" class="auto internal xref">2.2.1</a>.  <a href="#name-deterministic-key-generatio" class="internal xref">Deterministic key generation</a></p>
</li>
</ul>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.3">
<p id="section-toc.1-1.2.2.3.1"><a href="#section-2.3" class="auto internal xref">2.3</a>.  <a href="#name-the-function-arkg-derive-pu" class="internal xref">The function ARKG-Derive-Public-Key</a></p>
Expand All @@ -1184,7 +1189,7 @@ <h2 id="name-copyright-notice">
<p id="section-toc.1-1.3.2.2.1"><a href="#section-3.2" class="auto internal xref">3.2</a>.  <a href="#name-using-ecdh-as-the-kem" class="internal xref">Using ECDH as the KEM</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.3">
<p id="section-toc.1-1.3.2.3.1"><a href="#section-3.3" class="auto internal xref">3.3</a>.  <a href="#name-using-both-elliptic-curve-a" class="internal xref">Using both elliptic curve arithmetic for key blinding and ECDH as the KEM</a></p>
<p id="section-toc.1-1.3.2.3.1"><a href="#section-3.3" class="auto internal xref">3.3</a>.  <a href="#name-using-the-same-key-for-both" class="internal xref">Using the same key for both key blinding and KEM</a></p>
</li>
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.4">
<p id="section-toc.1-1.3.2.4.1"><a href="#section-3.4" class="auto internal xref">3.4</a>.  <a href="#name-using-hmac-as-the-mac" class="internal xref">Using HMAC as the MAC</a></p>
Expand Down Expand Up @@ -1567,8 +1572,8 @@ <h3 id="name-the-function-arkg-generate-">
Inputs: None

Output:
(pk, sk) An ARKG seed key pair with public key pk
and private key sk.
(pk, sk) An ARKG seed pair with public seed pk
and private seed sk.

The output (pk, sk) is calculated as follows:

Expand All @@ -1578,6 +1583,25 @@ <h3 id="name-the-function-arkg-generate-">
sk = (sk_kem, sk_bl)
</pre><a href="#section-2.2-2" class="pilcrow"></a>
</div>
<div id="deterministic-key-generation">
<section id="section-2.2.1">
<h4 id="name-deterministic-key-generatio">
<a href="#section-2.2.1" class="section-number selfRef">2.2.1. </a><a href="#name-deterministic-key-generatio" class="section-name selfRef">Deterministic key generation</a>
</h4>
<p id="section-2.2.1-1">Although the above definition expresses the key generation as opaque,
likely sampling uniformly random key distributions,
implementations <span class="bcp14">MAY</span> choose to implement the functions <code>BL-Generate-Keypair()</code>,
<code>KEM-Generate-Keypair()</code> and <code>ARKG-Generate-Seed()</code>
as deterministic functions of some out-of-band input.
This can be thought of as defining a single-use ARKG instance where these function outputs are static.
This use case is beyond the scope of this document
since the implementation of <code>ARKG-Generate-Seed</code> is internal to the delegating party,
even if applications choose to distribute the delegating party across multiple processing entities.<a href="#section-2.2.1-1" class="pilcrow"></a></p>
<p id="section-2.2.1-2">For example, one entity may randomly sample <code>pk_bl</code>, derive <code>pk_kem</code> deterministically from <code>pk_bl</code>
and submit only <code>pk_bl</code> to a separate service that uses the same procedure to also derive the same <code>pk_kem</code>.
This document considers both of these entities as parts of the same logical delegating party.<a href="#section-2.2.1-2" class="pilcrow"></a></p>
</section>
</div>
</section>
</div>
<div id="the-function-arkg-derive-public-key">
Expand Down Expand Up @@ -1615,7 +1639,7 @@ <h3 id="name-the-function-arkg-derive-pu">
kh A key handle for deriving the blinded
secret key sk' corresponding to pk'.

The output (pk, sk) is calculated as follows:
The output (pk', kh) is calculated as follows:

(k, c) = KEM-Encaps(pk_kem)
tau = KDF("arkg-blind" || 0x00 || info, k, L_bl)
Expand Down Expand Up @@ -1802,17 +1826,18 @@ <h3 id="name-using-ecdh-as-the-kem">
</div>
</section>
</div>
<div id="blinding-kem-ecdh">
<div id="blinding-kem-same-key">
<section id="section-3.3">
<h3 id="name-using-both-elliptic-curve-a">
<a href="#section-3.3" class="section-number selfRef">3.3. </a><a href="#name-using-both-elliptic-curve-a" class="section-name selfRef">Using both elliptic curve arithmetic for key blinding and ECDH as the KEM</a>
<h3 id="name-using-the-same-key-for-both">
<a href="#section-3.3" class="section-number selfRef">3.3. </a><a href="#name-using-the-same-key-for-both" class="section-name selfRef">Using the same key for both key blinding and KEM</a>
</h3>
<p id="section-3.3-1">If elliptic curve arithmetic is used for key blinding and ECDH is used as the KEM,
as described in the previous sections,
then both of them <span class="bcp14">MAY</span> use the same curve or <span class="bcp14">MAY</span> use different curves.
If both use the same curve, then it is also possible to use the same public key
as both the key blinding public key and the KEM public key. <span>[<a href="#Frymann2020" class="cite xref">Frymann2020</a>]</span><a href="#section-3.3-1" class="pilcrow"></a></p>
<p id="section-3.3-2"><span class="cref" id="same_key_caveats">ISSUE: Caveats? I think I read in some paper or thesis about specific drawbacks of using the same key for both.<span class="crefSource">Emil</span></span><a href="#section-3.3-2" class="pilcrow"></a></p>
<p id="section-3.3-1">When an ARKG instance uses the same type of key for both the key blinding and the KEM -
for example, if elliptic curve arithmetic is used for key blinding as described in <a href="#blinding-ec" class="auto internal xref">Section 3.1</a>
and ECDH is used as the KEM as described in <a href="#kem-ecdh" class="auto internal xref">Section 3.2</a> <span>[<a href="#Frymann2020" class="cite xref">Frymann2020</a>]</span> -
then the two keys <span class="bcp14">MAY</span> be the same key.
Representations of such an ARKG seed <span class="bcp14">MAY</span> allow for omitting the second copy of the constituent key,
but such representations <span class="bcp14">MUST</span> clearly identify that the single constituent key is to be used
both as the key blinding key and the KEM key.<a href="#section-3.3-1" class="pilcrow"></a></p>
</section>
</div>
<div id="mac-hmac">
Expand Down
56 changes: 35 additions & 21 deletions review-2024-04-03/ec-arithmetic/draft-bradleylundberg-cfrg-arkg.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
Crypto Forum E. Lundberg, Ed.
Internet-Draft J. Bradley
Intended status: Informational Yubico
Expires: 10 October 2024 8 April 2024
Expires: 14 October 2024 12 April 2024


The Asynchronous Remote Key Generation (ARKG) algorithm
Expand Down Expand Up @@ -54,7 +54,7 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on 10 October 2024.
This Internet-Draft will expire on 14 October 2024.

Copyright Notice

Expand All @@ -78,13 +78,13 @@ Table of Contents
2. The Asynchronous Remote Key Generation (ARKG) algorithm
2.1. Instance parameters
2.2. The function ARKG-Generate-Seed
2.2.1. Deterministic key generation
2.3. The function ARKG-Derive-Public-Key
2.4. The function ARKG-Derive-Secret-Key
3. Generic ARKG instantiations
3.1. Using elliptic curve arithmetic for key blinding
3.2. Using ECDH as the KEM
3.3. Using both elliptic curve arithmetic for key blinding and
ECDH as the KEM
3.3. Using the same key for both key blinding and KEM
3.4. Using HMAC as the MAC
3.5. Using HKDF as the KDF
4. Concrete ARKG instantiations
Expand Down Expand Up @@ -410,8 +410,8 @@ Table of Contents
Inputs: None

Output:
(pk, sk) An ARKG seed key pair with public key pk
and private key sk.
(pk, sk) An ARKG seed pair with public seed pk
and private seed sk.

The output (pk, sk) is calculated as follows:

Expand All @@ -420,6 +420,25 @@ Table of Contents
pk = (pk_kem, pk_bl)
sk = (sk_kem, sk_bl)

2.2.1. Deterministic key generation

Although the above definition expresses the key generation as opaque,
likely sampling uniformly random key distributions, implementations
MAY choose to implement the functions BL-Generate-Keypair(), KEM-
Generate-Keypair() and ARKG-Generate-Seed() as deterministic
functions of some out-of-band input. This can be thought of as
defining a single-use ARKG instance where these function outputs are
static. This use case is beyond the scope of this document since the
implementation of ARKG-Generate-Seed is internal to the delegating
party, even if applications choose to distribute the delegating party
across multiple processing entities.

For example, one entity may randomly sample pk_bl, derive pk_kem
deterministically from pk_bl and submit only pk_bl to a separate
service that uses the same procedure to also derive the same pk_kem.
This document considers both of these entities as parts of the same
logical delegating party.

2.3. The function ARKG-Derive-Public-Key

This function is performed by the subordinate party, which holds the
Expand Down Expand Up @@ -454,7 +473,7 @@ Table of Contents
kh A key handle for deriving the blinded
secret key sk' corresponding to pk'.

The output (pk, sk) is calculated as follows:
The output (pk', kh) is calculated as follows:

(k, c) = KEM-Encaps(pk_kem)
tau = KDF("arkg-blind" || 0x00 || info, k, L_bl)
Expand Down Expand Up @@ -613,21 +632,16 @@ Table of Contents
pk' = c
k = ECDH(pk', sk)

3.3. Using both elliptic curve arithmetic for key blinding and ECDH as
the KEM

If elliptic curve arithmetic is used for key blinding and ECDH is
used as the KEM, as described in the previous sections, then both of
them MAY use the same curve or MAY use different curves. If both use
the same curve, then it is also possible to use the same public key
as both the key blinding public key and the KEM public key.
[Frymann2020]

3.3. Using the same key for both key blinding and KEM

// ISSUE: Caveats? I think I read in some paper or thesis about
// specific drawbacks of using the same key for both.
//
// -- Emil
When an ARKG instance uses the same type of key for both the key
blinding and the KEM - for example, if elliptic curve arithmetic is
used for key blinding as described in Section 3.1 and ECDH is used as
the KEM as described in Section 3.2 [Frymann2020] - then the two keys
MAY be the same key. Representations of such an ARKG seed MAY allow
for omitting the second copy of the constituent key, but such
representations MUST clearly identify that the single constituent key
is to be used both as the key blinding key and the KEM key.

3.4. Using HMAC as the MAC

Expand Down

0 comments on commit 3aed430

Please sign in to comment.