]> Cleverbase

mail@sanderdijkhuis.nl

IRTF Crypto Forum KDF Hierarchical Deterministic Keys enables managing large sets of keys bound to a secure cryptographic device that protects a single key. This enables the development of secure digital identity wallets providing many one-time-use public keys. Some instantiations can be implemented in such a way that the secure cryptographic device does not need to support key blinding, enabling the use of devices that already are widely deployed. About This Document Status information for this document may be found at . Source for this draft and an issue tracker can be found at .

Introduction This document specifies the algorithms to apply Hierarchical Deterministic Keys (HDKeys). The purpose of an HDK architecture is to manage large sets of keys bound to a secure cryptographic device that protects a single key. This enables the development of secure digital identity wallets providing many one-time-use public keys. The core idea has been introduced in to create multiple cryptocurrency addresses in a manageable way. The present document extends the idea towards devices commonly used for digital wallets, and towards common interaction patterns for document issuance and authentication. To store many HDKeys, only a seed string needs to be stored confidentially, associated with a device private key. Each HDK is then deterministically defined by a path of indices, optionally alternated by key handles provided by another party. Such a path can efficiently be stored and requires less confidentiality than the seed. To prove possession of many HDKeys, the secure cryptographic device only needs to perform common cryptographic operations on a single private key. The HDK acts as a blinding factor that enables blinding the device public key. In several instantiations, such as those using ECDH shared secrets and those using EC-SDSA signatures, the secure cryptographic device does not need to support key blinding natively, and the application can pre-process the input or post-process the output from the device to compute the blinded device authentication data. This enables the application of HDK on devices that are already deployed without native support for HDK. This document provides a specification of the generic HDK function, generic HDK instantiations, and fully specified concrete HDK instantiations. An HDK instantiation is expected to be applied in a solution deployed as (wallet) units. One unit can have multiple HDK instantiations, for example to manage multiple identities or multiple cryptographic algorithms or key protection mechanisms. This document represents the consensus of the authors, based on working group input and feedback. It is not a standard. It does not include security or privacy proofs.

Conventions and definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The following notation is used throughout the document.

• byte: A sequence of eight bits.
• I2OSP(n, w): Convert non-negative integer n to a w-length, big-endian byte string, as described in .

The Hierarchical Deterministic Key function An HDK instantiation enables local key derivation to create many key pairs from a single seed value. It enables remote parties to generate key handles from which both parties can derive more key pairs asynchronously. Additionally, an HDK instantiation enables securely proving possession of the private keys, such as required in , either in a centralised or in a distributed manner. Solutions MAY omit application of the remote functionality. In this case, a unit can only derive keys locally.

Introductory examples

Local deterministic key derivation The following example illustrates the use of local key derivation. An HDK tree is associated with a device key pair and initiated using confidential static data: a seed value, which is a byte array containing sufficient entropy. Now tree nodes are constructed as follows. The unit computes a Level 0 HDK at the root node using a deterministic function, taking the device public key pk and the seed as input: (pk0, salt0, bf0) = hdk0 = HDK(0, pk, seed). The HDK consists of a first blinded public key pk0, a first byte string salt0 to derive next-level keys, and a first blinding factor bf0. Using bf0 and the device key pair, the unit can compute blinded private keys and proofs of possession. The unit computes any Level n > 0 HDK from any other HDK (pk, salt, bf) using the same deterministic function: (pk', salt', bf') = hdk' = HDK(index, pk, salt, bf). The function takes as input the index starting at 0, an the previous-level HDK. The function returns a new HDK as output, which can be used in the same way as the root HDK.

Remote deterministic key derivation Instead of local derivation, an HDK salt can also be derived using a key handle that is generated remotely. Using the derived salt, the local and remote parties can derive the same new HDKeys. The remote party can use these to derive public keys. The local party can use these to derive associated private keys for proof of possession. This approach is similar to Asynchronous Remote Key Generation (ARKG) when considered at a single level. However, ARKG does not enable distributed proof of possession with deterministic hierarchies. Such hierarchies can be used for example to enable remote parties to derive keys from previously derived keys. Secure cryptographic devices that support ARKG may therefore not support all features of HDK. To enable remote derivation of child HDKeys, the unit uses the parent HDK to derive the parent public key and a second public key for key encapsulation. The issuer returns a key handle, using which both parties can derive a sequence of child HDKeys. Key encapsulation prevents other parties from discovering a link between the public keys of the parent and the children, even if the other party knows the parent HDK or can eavesdrop communications. Locally derived parents can have remotely derived children. Remotely derived parents can have locally derived children.

Blinded proof of possession The next concept to illustrate is blinded proof of possession. This enables a unit to prove possession of a (device) private key without disclosing the directly associated public key. This way, solutions can avoid linkability across readers of a digital document that is released with proof of possession. In this example, a document is issued with binding to a public key pk', which is a blinding public key pk blinded with the blinding factor bf in some HDK hdk = (pk', salt, bf). The unit can present the document with a proof of possession of the corresponding blinded private key, which is the blinding private key sk blinded with bf. The unit applies some authentication function device_data = authenticate(sk, reader_data, bf) to the blinding private key, reader-provided data and the blinding factor. The unit can subsequently use the output device_data to prove possession to the reader using common algorithms. | | | | +-----------+ | | | Document | | | | | | | | +---+ | | | | |pk'| | | | | +---+ | | | | | | +-----------+ ]]> The reader does not need to be aware that an HDK function or key blinding was used, since for common algorithms, the blinded public key and the proof are indistinguishable from non-blinded keys and proofs. When applied on HDK level n, the blinding private key sk is the device private key blinded with a combination of n blinding factors. These can either be combined within the secure cryptographic device, by subsequent computation of the blinded private key starting with the device private key, or outside of the secure cryptographic device, by combining the blinding factors outside of the secure cryptographic device. Blinding methods can be constructed such that the secure cryptographic device does not need to be designed for key blinding. In such cases, the computation of device_data is distributed between two parties: the secure cryptographic device using common cryptographic operations, and the unit component invoking these operations. Some blinded proof of possession algorithms can only be centralised.

Instantiation parameters The parameters of an HDK instantiation are:

• Ns: The amount of bytes of a salt value with sufficient entropy.
• H: A cryptographic hash function.
  • H(msg): Outputs Ns bytes.
• BL: A key blinding scheme with opaque blinding factors and algebraic properties, consisting of the functions:
  • DeriveBlindKey(ikm): Outputs a blind key bk based on input keying material ikm.
  • DeriveBlindingFactor(bk, ctx): Outputs a blinding factor bf based on a blind key bk and an application context byte string ctx.
  • BlindPublicKey(pk, bk, ctx): Outputs the result public key pk' of blinding public key pk with blind key bk and application context byte string ctx.
  • BlindPrivateKey(sk, bf): Outputs the result private key sk' of blinding private key sk with blinding factor bf. This result sk' is such that if bf = DeriveBlindingFactor(bk, ctx) for some bk and ctx, (sk', pk') forms a key pair for pk' = BlindPublicKey(pk, bk, ctx).
  • Combine(bf1, bf2): Outputs a blinding factor bf such that for all key pairs (sk, pk):
• KEM: A key encapsulation mechanism , consisting of the functions:
  • DeriveKeyPair(ikm): Outputs a key encapsulation key pair (sk, pk).
  • Encap(pk): Outputs (k, c) consisting of a shared secret k and a ciphertext c, taking key encapsulation public key pk.
  • Decap(c, sk): Outputs shared secret k, taking ciphertext c and key encapsulation private key sk.

An HDK instantiation MUST specify the instantiation of each of the above functions and values. Note that by design of BL, when a document is issued using HDK, the reader does not need to know that HDK was applied: the public key will look like any other public key used for proofs of possession. An HDK implementation MAY leave BlindPrivateKey implicit in cases where the blinding method is constructed in a distributed way. In those cases, the secure cryptographic device holding the private key does not need to support key blinding, and the value of the blinded private key is never available during computation.

The HDK context A local unit or remote party creates an HDK context from an index. This context byte string is used as input for DeriveBlindingFactor, BlindPublicKey, and DeriveSalt.

The HDK salt A local unit or remote party derives a next-level HDK salt from within an HDK context. Salt values are used as input for DeriveBlindKey, DeriveKeyPair, and DeriveSalt. Salt values, including the original seed value, MUST NOT be reused outside of HDK.

The HDK function A local unit or a remote party deterministically computes an HDK from an index, a parent public key, a salt, and an optional parent blinding factor. The salt can be an initial seed value of Ns bytes or it can be taken from another parent HDK. The secure generation of the seed is out of scope for this specification. A unit MUST NOT persist a blinded private key. Instead, if persistence is needed, a unit can persist either the blinding factor of each HDK, or a path consisting of the seed salt, indices and key handles. In both cases, the application of Combine in the HDK function enables reconstruction of the blinding factor with respect to the original private key, enabling application of for example BlindPrivateKey. If the unit uses the blinded private key directly, the unit MUST use it within the secure cryptographic device protecting the device private key. If the unit uses the blinded private key directly, the unit MUST ensure the secure cryptographic device deletes it securely from memory after usage. When presenting multiple documents, a reader can require a proof that multiple keys are associated to a single device. Several protocols for a cryptographic proof of association are possible, such as . For example, a unit could prove in a zero-knowledge protocol knowledge of the association between two elliptic curve keys B1 = [bf1]D and B2 = [bf2]D, where bf1 and bf2 are multiplicative blinding factors for a common blinding public key D. In this protocol, the association is known by the discrete logarithm of B2 = [bf2/bf1]B1 with respect to generator B1. The unit can apply Combine to obtain values to compute this association.

The local HDK procedure This is a procedure executed locally by a unit. To begin, the unit securely generates a seed salt of Ns bytes and a device key pair: The unit MUST generate skD within a secure cryptographic device. Whenever the unit requires the HDK with some index at level 0, the unit computes: Now the unit can use the blinded key pair (sk, pk) or derive child HDKeys. Whenever the unit requires the HDK with some index at level n > 0 based on a parent HDK hdk = (pk, salt, bf) with blinded key pair (sk, pk) at level n, the unit computes: Now the unit can use the blinded key pair (sk', pk') or derive child HDKeys.

The remote HDK protocol This is a protocol between a local unit and a remote issuer. As a prerequisite, the unit possesses a salt of Ns bytes associated with a parent key pair (sk, pk) generated using the local HDK procedure. After step 7, the unit can use the value of salt' to derive next-level HDKeys. Step 4 MAY be postponed to be combined with step 6. Steps 5 to 8 MAY be combined in concurrent execution for multiple indices.

The HDK key alias format An HDK can be represented canonically using the following string format, in augmented Backus-Naur form (ABNF) and applying non-padded base64url encoding for key handles: A unit MAY use the HDK key alias format to represent keys internally. A unit MUST NOT directly include the device private key in the origin-alias. A unit MUST NOT directly include the seed in the origin-alias. When taking input in the HDK key alias format:

• a unit MAY pose further limitations on the value of origin-alias;
• a unit MUST limit either the amount of hdk-edge instances or the total length of the hdk-key-alias;
• a unit MUST verify that the byte strings represented by hdk-key-handle has the size of ciphertext in KEM.

Example key handles:

Generic HDK instantiations

Using digital signatures Instantiations of HDK using digital signatures require:

• DSA: A digital signature algorithm, consisting of the functions:
  • GenerateKeyPair(): Outputs a new key pair (sk, pk) consisting of private key sk and public key pk.
  • Sign(sk, msg): Outputs the signature created using private signing key sk over byte string msg.
  • Verify(signature, pk, msg): Outputs whether signature is a signature over msg using public verification key pk.

Using these constructs, an example proof of possession protocol is: Instantiations of HDK using digital signatures provide:

• BL: A cryptographic construct that extends DSA as specified in , implementing the interface from Instantiation parameters.

While does not expose blinding factors, it provides public algorithms to compute these. In HDK, the computed blinding factors are applied in BL as follows: By design of BL, the same proof of possession protocol can be used with blinded key pairs and BlindSign, in such a way that the reader does not recognise that key blinding was used. In the default implementation, BlindSign requires support from the secure cryptographic device protecting sk. In some cases, BlindSign can be implemented in an alternative, distributed way. An example will be provided below. Applications MUST bind the message to be signed to the blinded public key. This mitigates attacks based on signature malleability. Several proof of possession protocols require including document data in the message, which includes the blinded public key indeed.

Using prime-order groups Instantiations of HDK using prime-order groups require:

• G: A prime-order group as defined in with elements of type Element and scalars of type Scalar, consisting of the functions:
  • RandomScalar(): Outputs a random Scalar k.
  • Add(A, B): Outputs the sum between Elements A and B.
  • ScalarMult(A, k): Outputs the scalar multiplication between Element A and Scalar k.
  • ScalarBaseMult(k): Outputs the scalar multiplication between the base Element and Scalar k.
  • Order(): Outputs the order of the base Element.
  • SerializeElement(A): Outputs a byte string representing Element A.
  • SerializeScalar(k): Outputs a byte string representing Scalar k.`
  • HashToScalar(msg): Outputs the result of deterministically mapping a byte string msg to an element in the scalar field of the prime order subgroup of G, using the hash_to_field function from a hash-to-curve suite .

Instantiations of HDK using prime-order groups provide: Note that DeriveBlindingFactor is compatible with the definitions in . The function is almost compatible with the definitions in : only in AKRG, the context string needs to be prefixed with 0x00.

Using additive blinding Instantiations of HDK using additive blinding use:

• prime-order groups

Instantiations of HDK using additive blinding provide: Note that all algorithms in use additive blinding.

Using multiplicative blinding Instantiations of HDK using multiplicative blinding use:

• prime-order groups

Instantiations of HDK using multiplicative blinding provide: Note that all algorithms in use multiplicative blinding.

Using elliptic curves Instantiations of HDK using elliptic curves use:

• prime-order groups

Instantiations of HDK using elliptic curves require:

• DST: A domain separation tag for use with HashToScalar.
• H2C: A hash-to-curve suite .

Instantiations of HDK using elliptic curves provide:

• H: H from H2C.
• Ns: The output size of H.

Using ECDH shared secrets Instantiations of HDK using ECDH shared secrets use:

• elliptic curves
• multiplicative blinding

Instantiations of HDK using ECDH shared secrets provide:

• DH: The Elliptic Curve Key Agreement Algorithm - Diffie-Hellman (ECKA-DH) with elliptic curve G, consisting of the functions:
  • CreateSharedSecret(skX, pkY): Outputs a shared secret byte string Z_AB representing the x-coordinate of the Element ScalarMult(pkY, skX).

Note that DH enables an alternative way of authenticating a key pair (sk, pk) without creation or verification of a signature: Now with the shared secret Z_AB, the unit and the reader can compute a secret shared key. The unit can convince the reader that it possesses sk for example by sharing a message authentication code created using this key. The reader can verify this by recomputing the code using its value of Z_AB. This is for example used in ECDH-MAC authentication defined in . In this example, step 1 can be postponed in the interactions between the unit and the reader if a trustworthy earlier commitment to pk is available, for example in a sealed document. Similarly, ECDH enables authentication of key pair (sk', pk') blinded from an original key pair (sk, pk) using a blinding factor bf such that: In this case, the computation in step 4 can be performed as such: Note that the value of ScalarMult(pkR, bf) does not need to be computed within the secure cryptographic device that protects sk.

Using EC-SDSA signatures Instantiations of HDK using EC-SDSA (Schnorr) signatures use:

• additive blinding
• digital signatures
• elliptic curves

Instantiations of HDK using EC-SDSA signatures provide:

• DSA: An EC-SDSA digital signature algorithm , representing signatures as pairs (c, s).

Note that in this case, the following definition is equivalent to the original definition of BlindSign:

Using P-256 Instantiations of HDK using P-256 use:

• elliptic curves

Instantiations of HDK using P-256 provide:

• G: The NIST curve secp256r1 (P-256) .
• H2C: P256XMD:SHA-256_SSWU_RO , which uses SHA-256 as H.
• KEM: DHKEM(P-256, HKDF-SHA256) .

Concrete HDK instantiations The RECOMMENDED instantiation is the HDK-ECDH-P256. This avoids the risk of having the holder unknowingly producing a potentially non-repudiable signature over reader-provided data. Secure cryptographic devices that enable a high level of assurance typically support managing ECDH keys with the P-256 elliptic curve.

HDK-ECDH-P256 The HDK-ECDH-P256 instantiation of HDK uses:

• P-256
• ECDH shared secrets

The HDK-ECDH-P256 instantiation defines:

• DST: "ECDH Key Blind"

HDK-ECDSA-P256add The HDK-ECDSA-P256add instantiation of HDK uses:

• digital signatures
• P-256
• additive blinding

The HDK-ECDSA-P256add instantiation of HDK defines:

• DST: "ARKG-BL-EC.ARKG-P256ADD-ECDH" for interoperability with .
• DSA: ECDSA with curve G.

HDK-ECDSA-P256mul The HDK-ECDSA-P256mul instantiation of HDK uses:

• digital signatures
• P-256
• multiplicative blinding

The HDK-ECDSA-P256mul instantiation of HDK defines:

• DST: "ECDSA Key Blind" for interoperability with .
• DSA: ECDSA with curve G.

HDK-ECSDSA-P256 The HDK-ECSDSA-P256 instantiation of HDK uses:

• EC-SDSA signatures
• P-256

The HDK-ECSDSA-P256 instantiation of HDK defines:

• DST: "EC-SDSA Key Blind"

Application considerations

Secure cryptographic device The HDK approach assumes that the holder controls a secure cryptographic device that protects the device key pair (sk_device, pk_device). The device key is under sole control of the holder. In the context of , this device is typically called a Wallet Secure Cryptographic Device (WSCD), running a personalised Wallet Secure Cryptographic Application (WSCA) that exposes a Secure Cryptographic Interface (SCI) to a Wallet Instance (WI) running on a User Device (UD). The WSCD is certified to protect access to the device private key with high attack potential resistance to achieve high level of assurance authentication as per . This typically means that the key is associated with a strong possession factor and with a rate-limited Personal Identification Number (PIN) check as a knowledge factor, and the verification of both factors actively involve the WSCD. An example deployment of HDK in this context is illustrated below. The WSCA could be a single program or could be deployed in a distributed architecture, as illustrated below. In the case of a distributed WSCA, the UD contains a local component, here called WSCA agent, accessing an external and possibly remote WSCA service from one or more components over a WSCA protocol. For example, the WSCA agent may be a local web API client and the WSCA service may be provided at a remote web API server. In such cases, typically the WSCA service receives a high-assurance security evaluation, while the WSCA agent is assessed to not be able to compromise the system's security guarantees. The internal registry can be managed by the WSCA agent, by the WSCA service, or by the combination. When the user device is a natural person’s mobile phone, WSCA agent management could provide better confidentiality protection against compromised WSCA service providers. When the user device is a cloud server used by a legal person, and the legal person deploys its own WSCD, WSCA service management could provide better confidentiality protection against compromised Wallet Instance cloud providers. In a distributed WSCA architecture, the WSCA could internally apply distributed key generation. A description of this is out of scope for the current document. The solution proposal discussed herein works in all any WSCD architecture that supports the required cryptographic primitives:

• In the case of HDK-ECDH-P256 (see ):
  • P-256 ECDH key pair generation
  • P-256 ECDH key agreement
• In the case of HDK-ECDSA-P256mul (see ):
  • P-256 ECDSA blinding key pair generation
  • P-256 ECDSA blinded signature creation
• In the case of HDK-ECSDSA-P256 (see ):
  • P-256 EC-SDSA key pair generation
  • P-256 EC-SDSA signature creation

The other HDK operations can be performed in a WSCA or WSCA agent running on any UD, including hostile ones with limited sandboxing capabilities, such as in a smartphone's rich execution environment or in a personal computer web browser.

Trust evidence Some issuers could require evidence from a solution provider of the security of the holder's cryptographic device. This evidence can in the context of be divided into initial "Wallet Trust Evidence" and related "Issuer Trust Evidence". Each is a protected document that contains a trust evidence public key associated with a private key that is protected in the secure cryptographic device. With HDK, these public keys are specified as follows.

Wallet Trust Evidence The Wallet Trust Evidence public key is the first level 0 HDK public key. To achieve reader unlinkability, the wallet SHOULD limit access to a trusted person identification document provider only. To prevent association across identities, the solution provider MUST before issuing Wallet Trust Evidence ensure that (a) a newly generated device key pair is used and (b) the wallet follows the protocol so that the HDK output is bound to exactly this key. For (a), the solution provider could rely on freshness of a key attestation and ensure that each device public key is attested only once. For (b), the wallet could proof knowledge of the blinding factor bf with a Schnorr non-interactive zero-knowledge proof with base point pk_device. This would ensure that the root blinding key bf is not shared with the solution provider to reduce the risk of the solution provider unblinding future derived keys.

Issuer Trust Evidence The Issuer Trust Evidence public key can be any other HDK public key. The solution provider MUST verify that the wallet knows the associated private key before issuing Issuer Trust Evidence. The solution provider MUST ensure that sk_device is under sole control of the unit holder. To achieve reader unlinkability, the unit MUST limit access of Issuer Trust Evidence to a single issuer. Subsequent issuers within the same HDK tree do not need to receive any Issuer Trust Evidence, since they can derive equally secure keys by applying the remote HDK protocol to presented keys attested by trusted (other) issuers.

Applying HDK in OpenID for Verifiable Credential Issuance In , the following terminology applies:

OpenID4VCI	HDK
Credential	document
Credential Issuer	issuer
Verifier	reader
Wallet	unit

HDK enables unit and issuers cooperatively to establish the cryptographic key material that issued documents will be bound to. For the remote HDK protocol, HDK proposes an update to the OpenID4VCI endpoints. This proposal is under discussion in openid/OpenID4VCI#359. In the update, the unit shares a key encapsulation public key with the issuer, and the issuer returns a key handle. Then documents can be re-issued, potentially in batches, using synchronised indices. Alternatively, re-issued documents can have their own key handles.

Security considerations

Confidentiality of key handles The key handles MUST be considered confidential, since they provide knowledge about the blinding factors. Compromise of this knowledge could introduce undesired linkability. In HDK, both the holder and the issuer know the key handle during issuance. In an alternative to HDK, the holder independently generates blinded key pairs and proofs of association, providing the issuer with zero knowledge about the blinding factors. However, this moves the problem: the proofs of association would now need to be considered confidential.

References Normative References National Institute of Standards and Technology (NIST) ISO/IEC This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK] Internet technical specifications often need to define a formal syntax. Over the years, a modified version of Backus-Naur Form (BNF), called Augmented BNF (ABNF), has been popular among many Internet specifications. The current specification documents ABNF. It balances compactness and simplicity with reasonable representational power. The differences between standard BNF and ABNF involve naming rules, repetition, alternatives, order-independence, and value ranges. This specification also supplies additional rule definitions and encoding for a core lexical analyzer of the type common to several Internet specifications. [STANDARDS-TRACK] This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering cryptographic primitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax for representing keys and for identifying the schemes. This document represents a republication of PKCS #1 v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing this RFC, change control is transferred to the IETF. This document also obsoletes RFC 3447. This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. This document specifies a number of algorithms for encoding or hashing an arbitrary string to a point on an elliptic curve. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. An Oblivious Pseudorandom Function (OPRF) is a two-party protocol between a client and a server for computing the output of a Pseudorandom Function (PRF). The server provides the PRF private key, and the client provides the PRF input. At the end of the protocol, the client learns the PRF output without learning anything about the PRF private key, and the server learns neither the PRF input nor output. An OPRF can also satisfy a notion of 'verifiability', called a VOPRF. A VOPRF ensures clients can verify that the server used a specific private key during the execution of the protocol. A VOPRF can also be partially oblivious, called a POPRF. A POPRF allows clients and servers to provide public input to the PRF computation. This document specifies an OPRF, VOPRF, and POPRF instantiated within standard prime-order groups, including elliptic curves. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. Certicom Research Federal Office for Information Security (BSI) In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References European Commission The European Parliament and the Council of the European Union Yubico Yubico Asynchronous Remote Key Generation (ARKG) is an abstract algorithm that enables delegation of asymmetric public key generation without giving access to the corresponding private keys. This capability enables a variety of applications: a user agent can generate pseudonymous public keys to prevent tracking; a message sender can generate ephemeral recipient public keys to enhance forward secrecy; two paired authentication devices can each have their own private keys while each can register public keys on behalf of the other. This document provides three main contributions: a specification of the generic ARKG algorithm using abstract primitives; a set of formulae for instantiating the abstract primitives using concrete primitives; and an initial set of fully specified concrete ARKG instances. We expect that additional instances will be defined in the future. Fastly Inc. University of Waterloo Cloudflare, Inc. This document describes extensions to existing digital signature schemes for key blinding. The core property of signing with key blinding is that a blinded public key and all signatures produced using the blinded key pair are independent of the unblinded key pair. Moreover, signatures produced using blinded key pairs are indistinguishable from signatures produced using unblinded key pairs. This functionality has a variety of applications, including Tor onion services and privacy-preserving airdrop for bootstrapping cryptocurrency systems. This specification describes how to declare in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular proof-of- possession key and how the recipient can cryptographically confirm proof of possession of the key by the presenter. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key. This document describes the Schnorr non-interactive zero-knowledge (NIZK) proof, a non-interactive variant of the three-pass Schnorr identification scheme. The Schnorr NIZK proof allows one to prove the knowledge of a discrete logarithm without leaking any information about its value. It can serve as a useful building block for many cryptographic protocols to ensure that participants follow the protocol specification honestly. This document specifies the Schnorr NIZK proof in both the finite field and the elliptic curve settings.

Acknowledgements This design is based on ideas introduced to the EU Digital Identity domain by Peter Lee Altmann. Helpful feedback came from Emil Lundberg, John Bradley and Remco Schaar.

Contributors