From 818d8b68d185a99603e720a1ef9e5f7e91a7d9dc Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 5 Mar 2024 13:14:53 +0100 Subject: [PATCH 1/6] Fix section nesting levels --- draft-bradleylundberg-cfrg-arkg.md | 40 +++++++++++++++--------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index 650c5eb..e4d62e9 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -200,7 +200,7 @@ Some motivating use cases of ARKG include: {::boilerplate bcp14-tagged} -## The Asynchronous Remote Key Generation (ARKG) algorithm +# The Asynchronous Remote Key Generation (ARKG) algorithm The ARKG algorithm consists of three functions, each performed by one of two participants: the _delegating party_ or the _subordinate party_. @@ -214,7 +214,7 @@ the abstract instance parameters used to construct the three ARKG functions, followed by the definitions of the three ARKG functions. -### Notation +## Notation The following notation is used throughout this document: @@ -232,7 +232,7 @@ The following notation is used throughout this document: greater than or equal to `min_inc` and strictly less than `max_exc`. -### Instance parameters +## Instance parameters ARKG is composed of a suite of other algorithms. The parameters of an ARKG instance are: @@ -356,7 +356,7 @@ Concrete ARKG instances MUST always be identified by lookup in a registry of ful This is to prevent usage of algorithm combinations that may be incompatible or insecure. -### The function ARKG-Generate-Seed +## The function ARKG-Generate-Seed This function is performed by the delegating party. The delegating party generates the ARKG seed pair `(pk, sk)` @@ -383,7 +383,7 @@ ARKG-Generate-Seed() -> (pk, sk) ``` -### The function ARKG-Derive-Public-Key +## The function ARKG-Derive-Public-Key This function is performed by the subordinate party, which holds the ARKG public seed `pk = (pk_kem, pk_bl)`. The resulting public key `pk'` can be provided to external parties to use in asymmetric cryptography protocols, @@ -429,7 +429,7 @@ for example because `KDF` returns an invalid `tau` or `mk`, the procedure can safely be retried with the same arguments. -### The function ARKG-Derive-Secret-Key +## The function ARKG-Derive-Secret-Key This function is performed by the delegating party, which holds the ARKG private seed `(sk_kem, sk_bl)`. The resulting secret key `sk'` can be used in asymmetric cryptography protocols @@ -481,7 +481,7 @@ of a correct and honest implementation of `ARKG-Derive-Secret-Key`. See also section [Design Rationale: Using a MAC]. -## Generic ARKG instantiations +# Generic ARKG instantiations This section defines generic formulae for instantiating the individual ARKG parameters, which can be used to define concrete ARKG instantiations. @@ -489,7 +489,7 @@ which can be used to define concrete ARKG instantiations. TODO: IANA registry? COSE/JOSE? -### Using elliptic curve arithmetic for key blinding +## Using elliptic curve arithmetic for key blinding Instantiations of ARKG whose output keys are elliptic curve keys can use elliptic curve arithmetic as the key blinding scheme `BL`. [Frymann2020] [Wilson] @@ -539,7 +539,7 @@ BL-Blind-Secret-Key(sk, tau) -> sk_tau ``` -### Using ECDH as the KEM +## Using ECDH as the KEM Instantiations of ARKG can use ECDH [RFC6090] as the key encapsulation mechanism. This section defines a general formula for such instantiations of `KEM`. @@ -587,7 +587,7 @@ KEM-Decaps(sk, c) -> k ``` -### Using both elliptic curve arithmetic for key blinding and ECDH as the KEM +## Using both elliptic curve arithmetic for key blinding and ECDH as the KEM If elliptic curve arithmetic is used for key blinding and ECDH is used as the KEM, as described in the previous sections, @@ -598,7 +598,7 @@ as both the key blinding public key and the KEM public key. [Frymann2020] TODO: Caveats? I think I read in some paper or thesis about specific drawbacks of using the same key for both. -### Using HMAC as the MAC +## Using HMAC as the MAC Let `Hash` be a cryptographic hash function. Then the `MAC` parameter of ARKG may be instantiated using HMAC [RFC2104] as follows: @@ -619,7 +619,7 @@ MAC-Verify(k, m, t) -> { 0, 1 } ``` -### Using HKDF as the KDF +## Using HKDF as the KDF Let `Hash` be a cryptographic hash function. Then the `KDF` parameter of ARKG may be instantiated using HKDF [RFC5869] as follows: @@ -640,14 +640,14 @@ KDF(info, ikm, L) -> okm ``` -## Concrete ARKG instantiations +# Concrete ARKG instantiations This section defines an initial set of concrete ARKG instantiations. TODO: IANA registry? COSE/JOSE? -#### ARKG-P256-ECDH-P256-HMAC-SHA256-HKDF-SHA256 +## ARKG-P256-ECDH-P256-HMAC-SHA256-HKDF-SHA256 The identifier `ARKG-P256-ECDH-P256-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instantiation: @@ -663,7 +663,7 @@ The identifier `ARKG-P256-ECDH-P256-HMAC-SHA256-HKDF-SHA256` represents the foll - `L_mac`: 32 -#### ARKG-P384-ECDH-P384-HMAC-SHA384-HKDF-SHA384 +## ARKG-P384-ECDH-P384-HMAC-SHA384-HKDF-SHA384 The identifier `ARKG-P384-ECDH-P384-HMAC-SHA384-HKDF-SHA384` represents the following ARKG instantiation: @@ -679,7 +679,7 @@ The identifier `ARKG-P384-ECDH-P384-HMAC-SHA384-HKDF-SHA384` represents the foll - `L_mac`: 48 -#### ARKG-P521-ECDH-P521-HMAC-SHA512-HKDF-SHA512 +## ARKG-P521-ECDH-P521-HMAC-SHA512-HKDF-SHA512 The identifier `ARKG-P521-ECDH-P521-HMAC-SHA512-HKDF-SHA512` represents the following ARKG instantiation: @@ -695,7 +695,7 @@ The identifier `ARKG-P521-ECDH-P521-HMAC-SHA512-HKDF-SHA512` represents the foll - `L_mac`: 64 -#### ARKG-P256k-ECDH-P256k-HMAC-SHA256-HKDF-SHA256 +## ARKG-P256k-ECDH-P256k-HMAC-SHA256-HKDF-SHA256 The identifier `ARKG-P256k-ECDH-P256k-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instantiation: @@ -711,7 +711,7 @@ The identifier `ARKG-P256k-ECDH-P256k-HMAC-SHA256-HKDF-SHA256` represents the fo - `L_mac`: 32 -#### ARKG-Ed25519-X25519-HMAC-SHA256-HKDF-SHA256 +## ARKG-Ed25519-X25519-HMAC-SHA256-HKDF-SHA256 The identifier `ARKG-Ed25519-X25519-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instantiation: @@ -727,7 +727,7 @@ The identifier `ARKG-Ed25519-X25519-HMAC-SHA256-HKDF-SHA256` represents the foll - `L_mac`: 32 -#### ARKG-X25519-X25519-HMAC-SHA256-HKDF-SHA256 +## ARKG-X25519-X25519-HMAC-SHA256-HKDF-SHA256 The identifier `ARKG-X25519-X25519-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instantiation: @@ -743,7 +743,7 @@ The identifier `ARKG-X25519-X25519-HMAC-SHA256-HKDF-SHA256` represents the follo - `L_mac`: 32 -## COSE bindings +# COSE bindings TODO?: Define COSE representations for interoperability: - ARKG public seed (for interoperability between different implementers of `ARKG-Generate-Seed` and `ARKG-Derive-Public-Key`) From 0a6fd6b975992356a51d6c211e326ab95e281146 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 5 Mar 2024 13:15:50 +0100 Subject: [PATCH 2/6] Move Notation subsection to Introduction section --- draft-bradleylundberg-cfrg-arkg.md | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index e4d62e9..e1858c8 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -200,20 +200,6 @@ Some motivating use cases of ARKG include: {::boilerplate bcp14-tagged} -# The Asynchronous Remote Key Generation (ARKG) algorithm - -The ARKG algorithm consists of three functions, each performed by one of two participants: -the _delegating party_ or the _subordinate party_. -The delegating party generates an ARKG _seed pair_ and emits the _public seed_ to the subordinate party -while keeping the _private seed_ secret. -The subordinate party can then use the public seed to generate derived public keys and _key handles_, -and the delegating party can use the private seed and a key handle to derive the corresponding private key. - -The following subsections define some notation and -the abstract instance parameters used to construct the three ARKG functions, -followed by the definitions of the three ARKG functions. - - ## Notation The following notation is used throughout this document: @@ -232,6 +218,19 @@ The following notation is used throughout this document: greater than or equal to `min_inc` and strictly less than `max_exc`. +# The Asynchronous Remote Key Generation (ARKG) algorithm + +The ARKG algorithm consists of three functions, each performed by one of two participants: +the _delegating party_ or the _subordinate party_. +The delegating party generates an ARKG _seed pair_ and emits the _public seed_ to the subordinate party +while keeping the _private seed_ secret. +The subordinate party can then use the public seed to generate derived public keys and _key handles_, +and the delegating party can use the private seed and a key handle to derive the corresponding private key. + +The following subsections define the abstract instance parameters used to construct the three ARKG functions, +followed by the definitions of the three ARKG functions. + + ## Instance parameters ARKG is composed of a suite of other algorithms. From fcde4e108fea5faa7cfaa76f838313fee0d24802 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 5 Mar 2024 14:18:20 +0100 Subject: [PATCH 3/6] Describe point exponentiation more explicitly --- draft-bradleylundberg-cfrg-arkg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index e1858c8..8028f8d 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -211,7 +211,7 @@ The following notation is used throughout this document: - Elliptic curve operations are written in multiplicative notation: `*` denotes point multiplication, i.e., the curve group operation; - `^` denotes point exponentiation, i.e., repeated point multiplication; + `^` denotes point exponentiation, i.e., repeated point multiplication of the base with itself; and `+` denotes scalar addition modulo the curve order. - `Random(min_inc, max_exc)` represents a cryptographically secure random integer From 6f1fe79023f46d3d828796991b8ea9f7bfb2c6a6 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 5 Mar 2024 15:29:51 +0100 Subject: [PATCH 4/6] Realize internal section references --- draft-bradleylundberg-cfrg-arkg.md | 66 +++++++++++++++--------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index 8028f8d..77fcf90 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -338,14 +338,14 @@ Instantiations MUST satisfy the following compatibility criteria: It is permissible for some `KDF` outputs to not be valid blinding factors, as long as this happens with negligible probability - - see section [Design Rationale: Using a MAC]. + see {{design-rationale-mac}}. - Output key material `okm` of length `L_mac` of `KDF` is a valid input MAC key `k` of `MAC-Tag(k, m)` and `MAC-Verify(k, m, t)`. It is permissible for some `KDF` outputs to not be valid MAC keys, as long as this happens with negligible probability - - see section [Design Rationale: Using a MAC]. + see {{design-rationale-mac}}. We denote a concrete ARKG instance by the pattern `ARKG-BL-KEM-MAC-KDF`, substituting the chosen instantiation for the `BL`, `KEM`, `MAC` and `KDF` parts. @@ -477,7 +477,7 @@ ARKG instantiations SHOULD be chosen in a way that such errors are impossible if `kh` was generated by an honest and correct implementation of `ARKG-Derive-Public-Key`. Incorrect or malicious implementations of `ARKG-Derive-Public-Key` do not degrade the security of a correct and honest implementation of `ARKG-Derive-Secret-Key`. -See also section [Design Rationale: Using a MAC]. +See also {{design-rationale-mac}}. # Generic ARKG instantiations @@ -488,7 +488,7 @@ which can be used to define concrete ARKG instantiations. TODO: IANA registry? COSE/JOSE? -## Using elliptic curve arithmetic for key blinding +## Using elliptic curve arithmetic for key blinding {#blinding-ec} Instantiations of ARKG whose output keys are elliptic curve keys can use elliptic curve arithmetic as the key blinding scheme `BL`. [Frymann2020] [Wilson] @@ -538,7 +538,7 @@ BL-Blind-Secret-Key(sk, tau) -> sk_tau ``` -## Using ECDH as the KEM +## Using ECDH as the KEM {#kem-ecdh} Instantiations of ARKG can use ECDH [RFC6090] as the key encapsulation mechanism. This section defines a general formula for such instantiations of `KEM`. @@ -586,7 +586,7 @@ KEM-Decaps(sk, c) -> k ``` -## Using both elliptic curve arithmetic for key blinding and ECDH as the KEM +## Using both elliptic curve arithmetic for key blinding and ECDH as the KEM {#blinding-kem-ecdh} If elliptic curve arithmetic is used for key blinding and ECDH is used as the KEM, as described in the previous sections, @@ -597,7 +597,7 @@ as both the key blinding public key and the KEM public key. [Frymann2020] TODO: Caveats? I think I read in some paper or thesis about specific drawbacks of using the same key for both. -## Using HMAC as the MAC +## Using HMAC as the MAC {#mac-hmac} Let `Hash` be a cryptographic hash function. Then the `MAC` parameter of ARKG may be instantiated using HMAC [RFC2104] as follows: @@ -618,7 +618,7 @@ MAC-Verify(k, m, t) -> { 0, 1 } ``` -## Using HKDF as the KDF +## Using HKDF as the KDF {#kdf-hkdf} Let `Hash` be a cryptographic hash function. Then the `KDF` parameter of ARKG may be instantiated using HKDF [RFC5869] as follows: @@ -650,13 +650,13 @@ TODO: IANA registry? COSE/JOSE? The identifier `ARKG-P256-ECDH-P256-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instantiation: -- `BL`: Elliptic curve arithmetic as described in section [Using elliptic curve arithmetic for key blinding] with the parameter: +- `BL`: Elliptic curve arithmetic as described in {{blinding-ec}} with the parameter: - `crv`: The NIST curve `secp256r1` [SEC2]. -- `KEM`: ECDH [RFC6090] as described in section [Using ECDH as the KEM] with the parameter: +- `KEM`: ECDH as described in {{kem-ecdh}} with the parameter: - `crv`: The NIST curve `secp256r1` [SEC2]. -- `MAC`: HMAC as described in section [Using HMAC as the MAC] with the parameter: +- `MAC`: HMAC as described in {{mac-hmac}} with the parameter: - `Hash`: SHA-256 [FIPS 180-4]. -- `KDF`: HKDF as described in section [Using HKDF as the KDF] with the parameter: +- `KDF`: HKDF as described in {{kdf-hkdf}} with the parameter: - `Hash`: SHA-256 [FIPS 180-4]. - `L_bl`: 32 - `L_mac`: 32 @@ -666,13 +666,13 @@ The identifier `ARKG-P256-ECDH-P256-HMAC-SHA256-HKDF-SHA256` represents the foll The identifier `ARKG-P384-ECDH-P384-HMAC-SHA384-HKDF-SHA384` represents the following ARKG instantiation: -- `BL`: Elliptic curve arithmetic as described in section [Using elliptic curve arithmetic for key blinding] with the parameter: +- `BL`: Elliptic curve arithmetic as described in {{blinding-ec}} with the parameter: - `crv`: The NIST curve `secp384r1` [SEC2]. -- `KEM`: ECDH [RFC6090] as described in section [Using ECDH as the KEM] with the parameter: +- `KEM`: ECDH as described in {{kem-ecdh}} with the parameter: - `crv`: The NIST curve `secp384r1` [SEC2]. -- `MAC`: HMAC as described in section [Using HMAC as the MAC] with the parameter: +- `MAC`: HMAC as described in {{mac-hmac}} with the parameter: - `Hash`: SHA-384 [FIPS 180-4]. -- `KDF`: HKDF as described in section [Using HKDF as the KDF] with the parameter: +- `KDF`: HKDF as described in {{kdf-hkdf}} with the parameter: - `Hash`: SHA-384 [FIPS 180-4]. - `L_bl`: 48 - `L_mac`: 48 @@ -682,13 +682,13 @@ The identifier `ARKG-P384-ECDH-P384-HMAC-SHA384-HKDF-SHA384` represents the foll The identifier `ARKG-P521-ECDH-P521-HMAC-SHA512-HKDF-SHA512` represents the following ARKG instantiation: -- `BL`: Elliptic curve arithmetic as described in section [Using elliptic curve arithmetic for key blinding] with the parameter: +- `BL`: Elliptic curve arithmetic as described in {{blinding-ec}} with the parameter: - `crv`: The NIST curve `secp521r1` [SEC2]. -- `KEM`: ECDH [RFC6090] as described in section [Using ECDH as the KEM] with the parameter: +- `KEM`: ECDH as described in {{kem-ecdh}} with the parameter: - `crv`: The NIST curve `secp521r1` [SEC2]. -- `MAC`: HMAC as described in section [Using HMAC as the MAC] with the parameter: +- `MAC`: HMAC as described in {{mac-hmac}} with the parameter: - `Hash`: SHA-512 [FIPS 180-4]. -- `KDF`: HKDF as described in section [Using HKDF as the KDF] with the parameter: +- `KDF`: HKDF as described in {{kdf-hkdf}} with the parameter: - `Hash`: SHA-512 [FIPS 180-4]. - `L_bl`: 64 - `L_mac`: 64 @@ -698,13 +698,13 @@ The identifier `ARKG-P521-ECDH-P521-HMAC-SHA512-HKDF-SHA512` represents the foll The identifier `ARKG-P256k-ECDH-P256k-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instantiation: -- `BL`: Elliptic curve arithmetic as described in section [Using elliptic curve arithmetic for key blinding] with the parameter: +- `BL`: Elliptic curve arithmetic as described in {{blinding-ec}} with the parameter: - `crv`: The SECG curve `secp256k1` [SEC2]. -- `KEM`: ECDH [RFC6090] as described in section [Using ECDH as the KEM] with the parameter: +- `KEM`: ECDH as described in {{kem-ecdh}} with the parameter: - `crv`: The SECG curve `secp256k1` [SEC2]. -- `MAC`: HMAC as described in section [Using HMAC as the MAC] with the parameter: +- `MAC`: HMAC as described in {{mac-hmac}} with the parameter: - `Hash`: SHA-256 [FIPS 180-4]. -- `KDF`: HKDF as described in section [Using HKDF as the KDF] with the parameter: +- `KDF`: HKDF as described in {{kdf-hkdf}} with the parameter: - `Hash`: SHA-256 [FIPS 180-4]. - `L_bl`: 32 - `L_mac`: 32 @@ -714,13 +714,13 @@ The identifier `ARKG-P256k-ECDH-P256k-HMAC-SHA256-HKDF-SHA256` represents the fo The identifier `ARKG-Ed25519-X25519-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instantiation: -- `BL`: Elliptic curve arithmetic as described in section [Using elliptic curve arithmetic for key blinding] with the parameter: +- `BL`: Elliptic curve arithmetic as described in {{blinding-ec}} with the parameter: - `crv`: The curve `Ed25519` [REF?]. -- `KEM`: ECDH [RFC6090] as described in section [Using ECDH as the KEM] with the parameter: +- `KEM`: ECDH as described in {{kem-ecdh}} with the parameter: - `crv`: The curve `X25519` [REF?]. -- `MAC`: HMAC as described in section [Using HMAC as the MAC] with the parameter: +- `MAC`: HMAC as described in {{mac-hmac}} with the parameter: - `Hash`: SHA-256 [FIPS 180-4]. -- `KDF`: HKDF as described in section [Using HKDF as the KDF] with the parameter: +- `KDF`: HKDF as described in {{kdf-hkdf}} with the parameter: - `Hash`: SHA-256 [FIPS 180-4]. - `L_bl`: 32 - `L_mac`: 32 @@ -730,13 +730,13 @@ The identifier `ARKG-Ed25519-X25519-HMAC-SHA256-HKDF-SHA256` represents the foll The identifier `ARKG-X25519-X25519-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instantiation: -- `BL`: Elliptic curve arithmetic as described in section [Using elliptic curve arithmetic for key blinding] with the parameter: +- `BL`: Elliptic curve arithmetic as described in {{blinding-ec}} with the parameter: - `crv`: The curve `X25519` [REF?]. -- `KEM`: ECDH [RFC6090] as described in section [Using ECDH as the KEM] with the parameter: +- `KEM`: ECDH [RFC6090] as described in {{kem-ecdh}} with the parameter: - `crv`: The curve `X25519` [REF?]. -- `MAC`: HMAC as described in section [Using HMAC as the MAC] with the parameter: +- `MAC`: HMAC as described in {{mac-hmac}} with the parameter: - `Hash`: SHA-256 [FIPS 180-4]. -- `KDF`: HKDF as described in section [Using HKDF as the KDF] with the parameter: +- `KDF`: HKDF as described in {{kdf-hkdf}} with the parameter: - `Hash`: SHA-256 [FIPS 180-4]. - `L_bl`: 32 - `L_mac`: 32 @@ -766,7 +766,7 @@ TODO # Design rationale -## Using a MAC +## Using a MAC {#design-rationale-mac} The ARKG construction by Wilson [Wilson] omits the MAC and instead encodes application context in the PRF labels, arguing this leads to invalid keys/signatures in cases that would have a bad MAC. From 56669f939328f39823357a9361e0a48823601d06 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 5 Mar 2024 15:33:27 +0100 Subject: [PATCH 5/6] Remove a TODO --- draft-bradleylundberg-cfrg-arkg.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index 77fcf90..0f52991 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -485,8 +485,6 @@ See also {{design-rationale-mac}}. This section defines generic formulae for instantiating the individual ARKG parameters, which can be used to define concrete ARKG instantiations. -TODO: IANA registry? COSE/JOSE? - ## Using elliptic curve arithmetic for key blinding {#blinding-ec} From b25487c0bc81007bea55ed56639bc9011053d68b Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 5 Mar 2024 17:37:59 +0100 Subject: [PATCH 6/6] s/instantiation/instance/ in some places --- draft-bradleylundberg-cfrg-arkg.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index 0f52991..9317de0 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -646,7 +646,7 @@ TODO: IANA registry? COSE/JOSE? ## ARKG-P256-ECDH-P256-HMAC-SHA256-HKDF-SHA256 -The identifier `ARKG-P256-ECDH-P256-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instantiation: +The identifier `ARKG-P256-ECDH-P256-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instance: - `BL`: Elliptic curve arithmetic as described in {{blinding-ec}} with the parameter: - `crv`: The NIST curve `secp256r1` [SEC2]. @@ -662,7 +662,7 @@ The identifier `ARKG-P256-ECDH-P256-HMAC-SHA256-HKDF-SHA256` represents the foll ## ARKG-P384-ECDH-P384-HMAC-SHA384-HKDF-SHA384 -The identifier `ARKG-P384-ECDH-P384-HMAC-SHA384-HKDF-SHA384` represents the following ARKG instantiation: +The identifier `ARKG-P384-ECDH-P384-HMAC-SHA384-HKDF-SHA384` represents the following ARKG instance: - `BL`: Elliptic curve arithmetic as described in {{blinding-ec}} with the parameter: - `crv`: The NIST curve `secp384r1` [SEC2]. @@ -678,7 +678,7 @@ The identifier `ARKG-P384-ECDH-P384-HMAC-SHA384-HKDF-SHA384` represents the foll ## ARKG-P521-ECDH-P521-HMAC-SHA512-HKDF-SHA512 -The identifier `ARKG-P521-ECDH-P521-HMAC-SHA512-HKDF-SHA512` represents the following ARKG instantiation: +The identifier `ARKG-P521-ECDH-P521-HMAC-SHA512-HKDF-SHA512` represents the following ARKG instance: - `BL`: Elliptic curve arithmetic as described in {{blinding-ec}} with the parameter: - `crv`: The NIST curve `secp521r1` [SEC2]. @@ -694,7 +694,7 @@ The identifier `ARKG-P521-ECDH-P521-HMAC-SHA512-HKDF-SHA512` represents the foll ## ARKG-P256k-ECDH-P256k-HMAC-SHA256-HKDF-SHA256 -The identifier `ARKG-P256k-ECDH-P256k-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instantiation: +The identifier `ARKG-P256k-ECDH-P256k-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instance: - `BL`: Elliptic curve arithmetic as described in {{blinding-ec}} with the parameter: - `crv`: The SECG curve `secp256k1` [SEC2]. @@ -710,7 +710,7 @@ The identifier `ARKG-P256k-ECDH-P256k-HMAC-SHA256-HKDF-SHA256` represents the fo ## ARKG-Ed25519-X25519-HMAC-SHA256-HKDF-SHA256 -The identifier `ARKG-Ed25519-X25519-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instantiation: +The identifier `ARKG-Ed25519-X25519-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instance: - `BL`: Elliptic curve arithmetic as described in {{blinding-ec}} with the parameter: - `crv`: The curve `Ed25519` [REF?]. @@ -726,7 +726,7 @@ The identifier `ARKG-Ed25519-X25519-HMAC-SHA256-HKDF-SHA256` represents the foll ## ARKG-X25519-X25519-HMAC-SHA256-HKDF-SHA256 -The identifier `ARKG-X25519-X25519-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instantiation: +The identifier `ARKG-X25519-X25519-HMAC-SHA256-HKDF-SHA256` represents the following ARKG instance: - `BL`: Elliptic curve arithmetic as described in {{blinding-ec}} with the parameter: - `crv`: The curve `X25519` [REF?].