The GNU Taler Protocol

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶

This Internet-Draft will expire on 29 September 2024.¶

Copyright Notice

Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶

Table of Contents

1. Introduction

[ TBW ]¶

Beware that this document is still work-in-progress and may contain errors. Use at your own risk!¶

2. Notation

• a | b denotes the concatenation of a with b¶

3. Cryptographic Primitives

HKDF(salt, IKM, info, L) -> OKM

Inputs:
    salt     optional salt value (a non-secret random value);
              if not provided, it is set to a string of 64 zeros.
    IKM      input keying material
    info     optional context and application specific information
              (can be a zero-length string)
    L        length of output keying material in octets
              (<= 255*32 = 8160)

Output:
    OKM      output keying material (of L octets)

PRK = HKDF-Extract(salt, IKM) with Hash = SHA-512, HashLen = 64
OKM = HKDF-Expand(PRK, info, L) with Hash = SHA-256, HashLen = 32

HKDF-Mod(N, salt, IKM, info) -> OKM

Inputs:
    N        big number; Nbits denotes the length of N in bits
    salt     optional salt value (a non-secret random value);
              if not provided, it is set to a string of 64 zeros.
    IKM      input keying material
    info     optional context and application specific information
              (can be a zero-length string)

Output:
    OKM      output keying material (smaller than N)

Nlen = ceil(Nbits / 8)
while true:
    counter = 0
    c = 2 least significant octets of counter in network-byte order
    x = HKDF(salt, IKM, info | c, NLen)
    reset all but lower Nbits bits in x
    if x < N:
        OKM = x
        break
    counter += 1

4. The Taler Crypto Protocol

5. Security Considerations

[ TBD ]¶

6. IANA Considerations

None.¶

7. Normative References

[HKDF]

Krawczyk, H., "Cryptographic Extraction and Key Derivation: The HKDF Scheme", Springer Berlin Heidelberg, Advances in Cryptology – CRYPTO 2010 pp. 631-648, DOI 10.1007/978-3-642-14623-7_34, ISBN ["9783642146220", "9783642146237"], 2010, <https://doi.org/10.1007/978-3-642-14623-7_34>.

[RFC2104]

Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, <https://www.rfc-editor.org/rfc/rfc2104>.

[RFC5869]

Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, May 2010, <https://www.rfc-editor.org/rfc/rfc5869>.

[RFC6234]

Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI 10.17487/RFC6234, May 2011, <https://www.rfc-editor.org/rfc/rfc6234>.

Appendix A. Change log

Acknowledgments

[ TBD ]¶

This work was supported in part by the German Federal Ministry of Education and Research (BMBF) within the project Concrete Contracts.¶

Author's Address