summaryrefslogtreecommitdiff log msg author committer range
path: root/doc/system/taler/implementation.tex
diff options
 context: 12345678910152025303540 space: includeignore mode: unifiedssdiffstat only
author committer Christian Grothoff 2020-07-15 22:25:06 +0200 Christian Grothoff 2020-07-15 22:25:06 +0200 c6278ceeab336169c72ef55b2c3399738bcc89be (patch) 5b5c151359594fc9185769f83522fd4f901ac03d /doc/system/taler/implementation.tex 9e92cc608932abc6caf53dce7cd96984f793f4e3 (diff) exchange-c6278ceeab336169c72ef55b2c3399738bcc89be.tar.gzexchange-c6278ceeab336169c72ef55b2c3399738bcc89be.tar.bz2exchange-c6278ceeab336169c72ef55b2c3399738bcc89be.zip
document FDH implementation in detail, fixing #6182
Diffstat (limited to 'doc/system/taler/implementation.tex')
-rw-r--r--doc/system/taler/implementation.tex27
1 files changed, 24 insertions, 3 deletions
 diff --git a/doc/system/taler/implementation.tex b/doc/system/taler/implementation.texindex 973e9789..4b095b77 100644--- a/doc/system/taler/implementation.tex+++ b/doc/system/taler/implementation.tex@@ -1536,9 +1536,30 @@ We write $\mathbb{Z}^*_N$ for the multiplicative group of integers modulo $N$. Given an $r \in \mathbb{Z}^*_N$, we write $r^{-1}$ for the multiplicative inverse modulo $N$ of $r$. -We write $H(m)$ for the SHA-512 hash of a bit string,-and $\FDH(N,m)$ for the full domain hash that maps the bit string $m$ to an element-of $\mathbb{Z}^*_N$.+We write $H(m)$ for the SHA-512 hash of a bit string.++We write $\FDH(N,m)$ for the full domain hash that maps the bit string $m$ to+an element of $\mathbb{Z}^*_N$. Specifically, $\FDH(N,m)$ is computed by+first computing $H(m)$. Let $b := \lceil \log_2 N\rceil$. The full domain+hash is then computed by iteratively computing a HKDF to obtain $b$ bits of+output until the $b$-bit value is below $N$. The inputs to the HKDF are a+secret key'', a fixed context plus a 16-bit counter (in big endian) as a+context chunk that is incremented until the computation succeeds. For the+source key material, we use a binary encoding of the public RSA key with+modulus $N$.\footnote{So technically, it is $\FDH(N,e,m)$, but we use the+ simplified notation $\FDH(N,m)$.} Here, the public RSA key is encoded by+first expressing the number of bits of the modulus and the public exponent as+16-bit numbers in big endian, followed by the two numbers (again in unsigned+big endian encoding).\footnote{See+ \texttt{GNUNET\_CRYPTO\_rsa\_public\_key\_encode()}.} For the context, the+C-string RSA-FDA FTpsW!'' (without 0-termination) is used. For the KDF, we+instantiate the HKDF described in RFC 5869~\cite{rfc5869} using HMAC-SHA512 as+XTR and HMAC-SHA256 as PRF*.\footnote{As suggested in+ \url{http://eprint.iacr.org/2010/264.pdf}} Let the result of the first+successful iteration of the HKDF function be $r$ with $0 \le r < N$. Then, to+protect against a malicious exchange when blinding values, the $FDH(N,m)$+function checks that $\gcd(r,n) = 1$. If not, the $\FDH(n,m)$ calculation+fails because $n$ is determined to be malicious. The expression $x \randsel X$ denotes uniform random selection of an element $x$ from set $X$. We use $\algo{SelectSeeded}(s, X) \mapsto x$ for pseudo-random uniform