From c275534fd6831df57eb65b1bf18e7fb94802b102 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Wed, 3 Apr 2024 17:05:51 +0200 Subject: [PATCH 1/9] Remove impossible conditions --- draft-bradleylundberg-cfrg-arkg.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index a121b40..91b34e1 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -509,9 +509,7 @@ Then the `BL` parameter of ARKG may be instantiated as follows: BL-Generate-Keypair() -> (pk, sk) sk = Random(1, N) - pk_tmp = G^sk - If pk_tmp equals the point at infinity, abort with an error. - pk = pk_tmp + pk = G^sk TODO: Also reject G? @@ -519,9 +517,7 @@ BL-Generate-Keypair() -> (pk, sk) BL-Blind-Public-Key(pk, tau) -> pk_tau If tau = 0 or tau >= N, abort with an error. - pk_tau_tmp = pk * (G^tau) - If pk_tau_tmp equals the point at infinity, abort with an error. - pk_tau = pk_tau_tmp + pk_tau = pk * (G^tau) TODO: Also reject G? @@ -564,9 +560,7 @@ Then the `KEM` parameter of ARKG may be instantiated as follows: KEM-Generate-Keypair() -> (pk, sk) sk = Random(1, N) - pk_tmp = G^sk - If pk_tmp equals the point at infinity, abort with an error. - pk = pk_tmp + pk = G^sk TODO: Also reject G? From 9e8fd04e06a28cbb88e5c209d36038bba0200937 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Wed, 3 Apr 2024 17:12:29 +0200 Subject: [PATCH 2/9] Remove TODOs about rejecting generator and 1 --- draft-bradleylundberg-cfrg-arkg.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index 91b34e1..3d6582a 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md 
@@ -511,16 +511,12 @@ BL-Generate-Keypair() -> (pk, sk) sk = Random(1, N) pk = G^sk - TODO: Also reject G? - BL-Blind-Public-Key(pk, tau) -> pk_tau If tau = 0 or tau >= N, abort with an error. pk_tau = pk * (G^tau) - TODO: Also reject G? - BL-Blind-Secret-Key(sk, tau) -> sk_tau @@ -528,8 +524,6 @@ BL-Blind-Secret-Key(sk, tau) -> sk_tau sk_tau_tmp = sk + tau If sk_tau_tmp = 0, abort with an error. sk_tau = sk_tau_tmp - - TODO: Also reject 1? ~~~ @@ -562,8 +556,6 @@ KEM-Generate-Keypair() -> (pk, sk) sk = Random(1, N) pk = G^sk - TODO: Also reject G? - KEM-Encaps(pk) -> (k, c) (pk', sk') = KEM-Generate-Keypair() From 5b9f36778fb64a5ba6a5d151cc8a75374efaa897 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Wed, 3 Apr 2024 17:13:59 +0200 Subject: [PATCH 3/9] Fix: N is the order of the generator, not the curve --- draft-bradleylundberg-cfrg-arkg.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index 3d6582a..8c2d996 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -502,8 +502,8 @@ Then the `BL` parameter of ARKG may be instantiated as follows: - Elliptic curve scalar values are encoded to and from octet strings using the procedures defined in sections 2.3.7 and 2.3.8 of [SEC 1][sec1]. -- `N` is the order of `crv`. - `G` is the generator of `crv`. +- `N` is the order of `G`. ~~~pseudocode BL-Generate-Keypair() -> (pk, sk) @@ -547,8 +547,8 @@ Then the `KEM` parameter of ARKG may be instantiated as follows: - `ECDH(pk, sk)` represents the compact output of ECDH [RFC6090] using public key (curve point) `pk` and secret key (exponent) `sk`. -- `N` is the order of `crv`. - `G` is the generator of `crv`. +- `N` is the order of `G`. ~~~pseudocode KEM-Generate-Keypair() -> (pk, sk) From 4197573ee75f1b6b2958edec5a2f8cc5c9819720 Mon Sep 17 00:00:00 2001 
From: Emil Lundberg Date: Wed, 3 Apr 2024 17:21:15 +0200 Subject: [PATCH 4/9] Use additive notation for EC arithmetic --- draft-bradleylundberg-cfrg-arkg.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index 8c2d996..1d296c1 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -206,10 +206,11 @@ The following notation is used throughout this document: - When literal text strings are to be interpreted as octet strings, they are encoded using UTF-8. -- Elliptic curve operations are written in multiplicative notation: - `*` denotes point multiplication, i.e., the curve group operation; - `^` denotes point exponentiation, i.e., repeated point multiplication of the base with itself; - and `+` denotes scalar addition modulo the curve order. +- Elliptic curve operations are written in additive notation: + `+` denotes point addition, i.e., the curve group operation; + `*` denotes point multiplication, i.e., repeated point addition; + and `+` also denotes scalar addition modulo the curve order. + `*` has higher precedence than `+`, i.e., `a + b * C` is equivalent to `a + (b * C)`. - `Random(min_inc, max_exc)` represents a cryptographically secure random integer greater than or equal to `min_inc` and strictly less than `max_exc`. @@ -509,13 +510,13 @@ Then the `BL` parameter of ARKG may be instantiated as follows: BL-Generate-Keypair() -> (pk, sk) sk = Random(1, N) - pk = G^sk + pk = sk * G BL-Blind-Public-Key(pk, tau) -> pk_tau If tau = 0 or tau >= N, abort with an error. - pk_tau = pk * (G^tau) + pk_tau = pk + tau * G BL-Blind-Secret-Key(sk, tau) -> sk_tau @@ -554,7 +555,7 @@ Then the `KEM` parameter of ARKG may be instantiated as follows: KEM-Generate-Keypair() -> (pk, sk) sk = Random(1, N) - pk = G^sk + pk = sk * G KEM-Encaps(pk) -> (k, c) From 06d8cc311e6245d4f7599f5a3e95e7464d065a3b Mon Sep 17 00:00:00 2001 
From: Emil Lundberg Date: Thu, 4 Apr 2024 15:00:36 +0200 Subject: [PATCH 5/9] Remove TODO about single-key caveats, and generalize to non-EC instances --- draft-bradleylundberg-cfrg-arkg.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index a121b40..9e57dac 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -585,15 +585,15 @@ KEM-Decaps(sk, c) -> k ~~~ -## Using both elliptic curve arithmetic for key blinding and ECDH as the KEM {#blinding-kem-ecdh} - -If elliptic curve arithmetic is used for key blinding and ECDH is used as the KEM, -as described in the previous sections, -then both of them MAY use the same curve or MAY use different curves. -If both use the same curve, then it is also possible to use the same public key -as both the key blinding public key and the KEM public key. [Frymann2020] - -TODO: Caveats? I think I read in some paper or thesis about specific drawbacks of using the same key for both. +## Using the same key for both key blinding and KEM {#blinding-kem-same-key} + +When an ARKG instance uses the same type of key for both the key blinding and the KEM - +for example, if elliptic curve arithmetic is used for key blinding as described in {{blinding-ec}} +and ECDH is used as the KEM as described in {{kem-ecdh}} [Frymann2020] - +then the two keys MAY be the same key. +Representations of such an ARKG seed MAY allow for omitting the second copy of the constituent key, +but such representations MUST clearly identify that the single constituent key is to be used +both as the key blinding key and the KEM key. ## Using HMAC as the MAC {#mac-hmac} From 3c56059046e429367300891beb5fbed458c8de60 Mon Sep 17 00:00:00 2001 
From: Emil Lundberg Date: Thu, 4 Apr 2024 15:42:04 +0200 Subject: [PATCH 6/9] Add note about deterministic key generation --- draft-bradleylundberg-cfrg-arkg.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index a121b40..6cf75c0 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -379,6 +379,22 @@ ARKG-Generate-Seed() -> (pk, sk) sk = (sk_kem, sk_bl) ~~~ +### Deterministic key generation + +Although the above definition expresses the key generation as opaque, +likely sampling random key distributions, +implementations MAY choose to implement the functions `BL-Generate-Keypair()`, +`KEM-Generate-Keypair()` and `ARKG-Generate-Seed()` +as deriving keys deterministically from some given input key material. +This can be thought of as defining a single-use ARKG instance where these functions return a constant result. +This use case is beyond the scope of this document +since the implementation of `ARKG-Generate-Seed` is internal to the delegating party, +even if applications choose to distribute the delegating party across multiple processing entities. + +For example, one entity may randomly sample `pk_bl`, derive `pk_kem` deterministically from `pk_bl` +and submit only `pk_bl` to a separate service that uses the same procedure to also derive the same `pk_kem`. +This document considers both of these entities as parts of the same logical delegating party. + ## The function ARKG-Derive-Public-Key From 68a88bba764f0e4096065a8d6b50b3d885b7bc7d Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Mon, 8 Apr 2024 14:19:47 +0200 Subject: [PATCH 7/9] Address review comments --- draft-bradleylundberg-cfrg-arkg.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index 6cf75c0..717fe4b 100644 --- a/draft-bradleylundberg-cfrg-arkg.md 
+++ b/draft-bradleylundberg-cfrg-arkg.md @@ -382,11 +382,11 @@ ARKG-Generate-Seed() -> (pk, sk) ### Deterministic key generation Although the above definition expresses the key generation as opaque, -likely sampling random key distributions, +likely sampling uniformly random key distributions, implementations MAY choose to implement the functions `BL-Generate-Keypair()`, `KEM-Generate-Keypair()` and `ARKG-Generate-Seed()` -as deriving keys deterministically from some given input key material. -This can be thought of as defining a single-use ARKG instance where these functions return a constant result. +as deterministic functions of some out-of-band input. +This can be thought of as defining a single-use ARKG instance where these function outputs are static. This use case is beyond the scope of this document since the implementation of `ARKG-Generate-Seed` is internal to the delegating party, even if applications choose to distribute the delegating party across multiple processing entities. From 9843dcc10880ed0732f74ca0029f9cfc3ea7fcb6 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Mon, 8 Apr 2024 15:07:16 +0200 Subject: [PATCH 8/9] Fix description of output in ARKG-Derive-Public-Key introduction --- draft-bradleylundberg-cfrg-arkg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index ce1663c..6ff5ff3 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -421,7 +421,7 @@ ARKG-Derive-Public-Key((pk_kem, pk_bl), info) -> (pk', kh) kh A key handle for deriving the blinded secret key sk' corresponding to pk'. - The output (pk, sk) is calculated as follows: + The output (pk', kh) is calculated as follows: (k, c) = KEM-Encaps(pk_kem) tau = KDF("arkg-blind" || 0x00 || info, k, L_bl) From ee9d68a26ea6fab20c2de278c8719a21e676e77c Mon Sep 17 00:00:00 2001 
From: Emil Lundberg Date: Mon, 8 Apr 2024 16:35:32 +0200 Subject: [PATCH 9/9] Use seed term instead of key in ARKG-Generate-Seed output description --- draft-bradleylundberg-cfrg-arkg.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index ce1663c..fd510f8 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -376,8 +376,8 @@ ARKG-Generate-Seed() -> (pk, sk) Inputs: None Output: - (pk, sk) An ARKG seed key pair with public key pk - and private key sk. + (pk, sk) An ARKG seed pair with public seed pk + and private seed sk. The output (pk, sk) is calculated as follows:
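Review bot: In PATCH 1/9, the check removed from `BL-Blind-Public-Key` is not impossible in the way the two key-generation checks are. With `sk = Random(1, N)` and `N` the order of `G` (as PATCH 3/9 defines it), `G^sk` cannot be the point at infinity, but in the blinding function `pk` is an input, and `pk * (G^tau)` is the point at infinity whenever `pk` is the inverse of `G^tau`; the remaining `tau = 0 or tau >= N` check does not exclude that. `BL-Blind-Secret-Key` still aborts on `sk_tau_tmp = 0`, which is the same case seen from the private side, so after this change the public function returns the identity as `pk_tau` where the private function reports an error. Suggest keeping `If pk_tau_tmp equals the point at infinity, abort with an error.` in this one function, or removing both checks together with the reasoning stated.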
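Review bot: PATCH 2/9 deletes the `TODO: Also reject G?` and `TODO: Also reject 1?` questions without recording the answer, either in the commit message or in the draft text. `Random(1, N)` as defined can return 1, which gives `pk = G`, so the question the TODOs asked is still a reachable case. Suggest one sentence, in the commit message or next to the pseudocode, saying why these values are acceptable.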
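Review bot: In PATCH 4/9, the new notation bullet still defines scalar `+` as addition "modulo the curve order", while PATCH 3/9 changes `N` to the order of `G` rather than of `crv`; the two differ on curves with a cofactor, so this should read "modulo the order of the generator" or "modulo `N`". In the same bullet, `+` and `*` are now each overloaded and the precedence example `a + b * C` does not say which operands are points and which are scalars. Using the draft's own expression would be clearer, for example stating that `pk + tau * G` means `pk + (tau * G)`.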
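Review bot: In PATCH 5/9, the removed line `TODO: Caveats? ...` asked about drawbacks of using the same key for both roles, and the replacement section widens the permission from the same-curve EC case to any instance where the key types match without answering that question. Suggest either a sentence stating the conditions under which reuse is considered acceptable, with a reference, or a pointer to a Security Considerations entry that covers it. The section anchor also changes from `{#blinding-kem-ecdh}` to `{#blinding-kem-same-key}`, so any remaining `{{blinding-kem-ecdh}}` references elsewhere in the draft need updating in the same commit.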
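Review bot: In PATCH 6/9, the example in the second added paragraph derives `pk_kem` from `pk_bl` alone, by a procedure a separate service can repeat, but does not say how the delegating party obtains the matching `sk_kem`. If `sk_kem` can be computed from `pk_bl`, then anyone holding `pk_bl` can compute it; if it requires `sk_bl`, the text should name the relation between the two key pairs that lets the public half be derived from public data (the same-key case from the `blinding-kem-same-key` section would be one). Suggest adding that sentence, or changing the example so the shared input is explicitly secret material held by both entities.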
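Review bot: In PATCH 7/9, "as deterministic functions of some out-of-band input" replaces "from some given input key material" and leaves no stated requirement on that input. Since the private seed then depends entirely on it, suggest saying that the input must be secret and have sufficient entropy for the keys being derived. The reworded "likely sampling uniformly random key distributions" is also hard to parse; "likely sampling keys uniformly at random" appears to be the intended meaning.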