diff --git a/review-2024-04-03/ec-arithmetic/draft-bradleylundberg-cfrg-arkg.html b/review-2024-04-03/ec-arithmetic/draft-bradleylundberg-cfrg-arkg.html index c9e3c4e..57c42b3 100644 --- a/review-2024-04-03/ec-arithmetic/draft-bradleylundberg-cfrg-arkg.html +++ b/review-2024-04-03/ec-arithmetic/draft-bradleylundberg-cfrg-arkg.html @@ -1040,7 +1040,7 @@ Lundberg & Bradley -Expires 10 October 2024 +Expires 14 October 2024 [Page] @@ -1053,12 +1053,12 @@
draft-bradleylundberg-cfrg-arkg-latest
Published:
- +
Intended Status:
Informational
Expires:
-
+
Authors:
@@ -1117,7 +1117,7 @@

time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

- This Internet-Draft will expire on 10 October 2024.

+ This Internet-Draft will expire on 14 October 2024.

+
+
+

+2.2.1. Deterministic key generation +

+

Although the above definition expresses the key generation as opaque, +likely sampling uniformly random key distributions, +implementations MAY choose to implement the functions BL-Generate-Keypair(), +KEM-Generate-Keypair() and ARKG-Generate-Seed() +as deterministic functions of some out-of-band input. +This can be thought of as defining a single-use ARKG instance where these function outputs are static. +This use case is beyond the scope of this document +since the implementation of ARKG-Generate-Seed is internal to the delegating party, +even if applications choose to distribute the delegating party across multiple processing entities.

+

For example, one entity may randomly sample pk_bl, derive pk_kem deterministically from pk_bl +and submit only pk_bl to a separate service that uses the same procedure to also derive the same pk_kem. +This document considers both of these entities as parts of the same logical delegating party.

+
+
@@ -1615,7 +1639,7 @@

kh A key handle for deriving the blinded secret key sk' corresponding to pk'. - The output (pk, sk) is calculated as follows: + The output (pk', kh) is calculated as follows: (k, c) = KEM-Encaps(pk_kem) tau = KDF("arkg-blind" || 0x00 || info, k, L_bl) @@ -1802,17 +1826,18 @@

-
+
-

-3.3. Using both elliptic curve arithmetic for key blinding and ECDH as the KEM +

+3.3. Using the same key for both key blinding and KEM

-

If elliptic curve arithmetic is used for key blinding and ECDH is used as the KEM, -as described in the previous sections, -then both of them MAY use the same curve or MAY use different curves. -If both use the same curve, then it is also possible to use the same public key -as both the key blinding public key and the KEM public key. [Frymann2020]

-

ISSUE: Caveats? I think I read in some paper or thesis about specific drawbacks of using the same key for both.Emil

+

When an ARKG instance uses the same type of key for both the key blinding and the KEM - +for example, if elliptic curve arithmetic is used for key blinding as described in Section 3.1 +and ECDH is used as the KEM as described in Section 3.2 [Frymann2020] - +then the two keys MAY be the same key. +Representations of such an ARKG seed MAY allow for omitting the second copy of the constituent key, +but such representations MUST clearly identify that the single constituent key is to be used +both as the key blinding key and the KEM key.

diff --git a/review-2024-04-03/ec-arithmetic/draft-bradleylundberg-cfrg-arkg.txt b/review-2024-04-03/ec-arithmetic/draft-bradleylundberg-cfrg-arkg.txt index 5be1a0e..2ab8eec 100644 --- a/review-2024-04-03/ec-arithmetic/draft-bradleylundberg-cfrg-arkg.txt +++ b/review-2024-04-03/ec-arithmetic/draft-bradleylundberg-cfrg-arkg.txt @@ -5,7 +5,7 @@ Crypto Forum E. Lundberg, Ed. Internet-Draft J. Bradley Intended status: Informational Yubico -Expires: 10 October 2024 8 April 2024 +Expires: 14 October 2024 12 April 2024 The Asynchronous Remote Key Generation (ARKG) algorithm @@ -54,7 +54,7 @@ Status of This Memo time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 10 October 2024. + This Internet-Draft will expire on 14 October 2024. Copyright Notice @@ -78,13 +78,13 @@ Table of Contents 2. The Asynchronous Remote Key Generation (ARKG) algorithm 2.1. Instance parameters 2.2. The function ARKG-Generate-Seed + 2.2.1. Deterministic key generation 2.3. The function ARKG-Derive-Public-Key 2.4. The function ARKG-Derive-Secret-Key 3. Generic ARKG instantiations 3.1. Using elliptic curve arithmetic for key blinding 3.2. Using ECDH as the KEM - 3.3. Using both elliptic curve arithmetic for key blinding and - ECDH as the KEM + 3.3. Using the same key for both key blinding and KEM 3.4. Using HMAC as the MAC 3.5. Using HKDF as the KDF 4. Concrete ARKG instantiations @@ -410,8 +410,8 @@ Table of Contents Inputs: None Output: - (pk, sk) An ARKG seed key pair with public key pk - and private key sk. + (pk, sk) An ARKG seed pair with public seed pk + and private seed sk. The output (pk, sk) is calculated as follows: 
@@ -420,6 +420,25 @@ Table of Contents pk = (pk_kem, pk_bl) sk = (sk_kem, sk_bl) +2.2.1. Deterministic key generation + + Although the above definition expresses the key generation as opaque, + likely sampling uniformly random key distributions, implementations + MAY choose to implement the functions BL-Generate-Keypair(), KEM- + Generate-Keypair() and ARKG-Generate-Seed() as deterministic + functions of some out-of-band input. This can be thought of as + defining a single-use ARKG instance where these function outputs are + static. This use case is beyond the scope of this document since the + implementation of ARKG-Generate-Seed is internal to the delegating + party, even if applications choose to distribute the delegating party + across multiple processing entities. + + For example, one entity may randomly sample pk_bl, derive pk_kem + deterministically from pk_bl and submit only pk_bl to a separate + service that uses the same procedure to also derive the same pk_kem. + This document considers both of these entities as parts of the same + logical delegating party. + 2.3. The function ARKG-Derive-Public-Key This function is performed by the subordinate party, which holds the @@ -454,7 +473,7 @@ Table of Contents kh A key handle for deriving the blinded secret key sk' corresponding to pk'. - The output (pk, sk) is calculated as follows: + The output (pk', kh) is calculated as follows: (k, c) = KEM-Encaps(pk_kem) tau = KDF("arkg-blind" || 0x00 || info, k, L_bl) 
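Review bot: In the added Section 2.2.1, the second paragraph's example mentions only public keys ("derive pk_kem deterministically from pk_bl") and never says what the matching sk_kem is derived from. Because pk_bl is submitted to a separate service, the text should state which secret input the delegating party uses to obtain sk_kem, or reword the example in terms of the "out-of-band input" named in the first paragraph. The first paragraph also grants a normative MAY and then calls the use case "beyond the scope of this document"; consider making it a non-normative note, or point to Security Considerations for any requirements on that out-of-band input.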
@@ -613,21 +632,16 @@ Table of Contents pk' = c k = ECDH(pk', sk) -3.3. Using both elliptic curve arithmetic for key blinding and ECDH as - the KEM - - If elliptic curve arithmetic is used for key blinding and ECDH is - used as the KEM, as described in the previous sections, then both of - them MAY use the same curve or MAY use different curves. If both use - the same curve, then it is also possible to use the same public key - as both the key blinding public key and the KEM public key. - [Frymann2020] - +3.3. Using the same key for both key blinding and KEM - // ISSUE: Caveats? I think I read in some paper or thesis about - // specific drawbacks of using the same key for both. - // - // -- Emil + When an ARKG instance uses the same type of key for both the key + blinding and the KEM - for example, if elliptic curve arithmetic is + used for key blinding as described in Section 3.1 and ECDH is used as + the KEM as described in Section 3.2 [Frymann2020] - then the two keys + MAY be the same key. Representations of such an ARKG seed MAY allow + for omitting the second copy of the constituent key, but such + representations MUST clearly identify that the single constituent key + is to be used both as the key blinding key and the KEM key. 3.4. Using HMAC as the MAC
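Review bot: The rewritten Section 3.3 deletes the open "ISSUE: Caveats?" comment about drawbacks of using the same key for both roles, yet the replacement text still permits it ("the two keys MAY be the same key") without recording a caveat or stating that none was found. Either keep the ISSUE until it is resolved, or add a sentence or a Security Considerations reference that addresses it. The new wording also replaces the old "If both use the same curve" precondition with "the same type of key", which the visible text does not define, and "MUST clearly identify" gives implementers nothing testable; naming the exact condition and the signalling mechanism would close both gaps.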