commit 553eb971be704e447810243a4155c62eed3ef1b5
parent 5e6398b779d58ff1fb4d85f7ed8a39714c18c4c1
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Wed, 23 Oct 2024 13:21:17 +0200
draft handshake
Diffstat:
1 file changed, 82 insertions(+), 0 deletions(-)
diff --git a/developers/apis/cong.rst b/developers/apis/cong.rst
@@ -67,6 +67,88 @@ HMAC use in ``gnunet-service-core_kx.c`` including the respective keys and IVs.
TODO Maybe we want to use KEMTLS at some point: https://thomwiggers.nl/publication/thesis/thesis.pdf
+Next Steps (Draft)
+^^^^^^^^^^^^^^^^^^
+
+We assume that the peers have semi-*static* (as opposed to ephemeral) key pairs.
+Let (pk\ :sub:`I`,sk\ :sub:`I`) be the key pair of the initiator ``I`` and (pk\ :sub:`R`,sk\ :sub:`R`) the
+key pair of the receiver ``R``.
+We assume that the initiator knows pk\ :sub:`R` (pre-distributed through HELLO, for example).
+
+
+``I`` calculates:
+
+ * (pk\ :sub:`e`,sk\ :sub:`e`) <- KeyGen()
+ * (ss\ :sub:`R`,c\ :sub:`R`) <- Encaps(pk\ :sub:`S`)
+ * ES <- HKDF-Extract(ss\ :sub:`R`, 0)
+ * ETS <- HKDF-Expand(ES, "early data", ``InitiatorHello``)
+
+``I`` sends to ``R`` (0.5 RTT):
+
+ * ``InitiatorHello``:
+
+ * pk\ :sub:`e`
+ * c\ :sub:`R`
+ * H(pk\ :sub:`R`) ?
+ * Supported algs/services?
+ * r\ :sub:`I`?
+ * ``InitiatorCert``:
+
+ * AEAD(ETS, cert [pk\ :sub:`I`])
+
+``R`` calculates:
+
+ * (ss\ :sub:`R`) <- Decaps(sk\ :sub:`R`, c\ :sub:`R`)
+ * ES <- HKDF-Extract(ss\ :sub:`R`, 0)
+ * ETS <- HKDF-Expand(ES, "early data", ``InitiatorHello``)
+ * dES <- HKDF-Expand(ES, "derived", NULL)
+ * (ss\ :sub:`e`,c\ :sub:`e`) <- Encaps(pk\ :sub:`e`)
+ * HS <- HKDF-Extract(ss\ :sub:`e`, dES)
+ * CHTS <- HKDF-Expand(HS, "i hs traffic", ``InitiatorHello``||``ReceiverHello``)
+ * SHTS <- HKDF-Expand(HS, "r hs traffic", ``InitiatorHello``||``ReceiverHello``)
+ * dHS <- HKDF-Expand(HS, "derived", NULL)
+ * (ss\ :sub:`I`,c\ :sub:`I`) <- Encaps(pk\ :sub:`I`)
+ * MS <- HKDF-Extract(ss\ :sub:`I`, dHS)
+ * fk\ :sub:`I` <- HKDF-Expand(MS, "i finished", NULL)
+ * fk\ :sub:`R` <- HKDF-Expand(MS, "r finished", NULL)
+ * SF <- HMAC(fk\ :sub:`R`, ``InitiatorHello``||``ReceiverKemCiphertext``)
+ * SATS <- HKDF-Expand(MS, "r ap traffic", ``InitiatorHello``||SF)
+
+``R`` sends to ``I`` (0.5 RTT):
+
+ * ``ReceiverHello``
+
+ * c\ :sub:`e` to ``I``
+ * r\ :sub:`R`?
+ * Selected algs here?
+ * EncryptedExtensions
+
+ * AEAD(SHTS, SupportedAlgs/Services?)
+ * ``ReceiverKemCiphertext``
+
+ * AEAD(SHTS, c\ :sub:`I`)
+ * ``ReceiverFinished``
+
+ * AEAD(SHTS, SF) (TLS1.3-style explicit authentication of receiver after 1RTT!)
+
+ * Payload:
+
+ * AEAD(KDF(SATS), ...)
+
+``I`` computes:
+
+ * (ss\ :sub:`e`) <- Decaps(sk\ :sub:`e`, c\ :sub:`e`)
+ * K\ :sub:`1` <- KDF(ss\ :sub:`e` || ss\ :sub:`R`)
+ * K\ :sub:`2`,K\ :sub:`2`\ :sup:`´`,K\ :sub:`2`\ :sup:`´´`,K\ :sub:`2`\ :sup:`´´´` <- KDF(ss\ :sub:`e` || ss\ :sub:`R` || ss\ :sub:`I`)
+
+``I`` sends to ``R`` (1.5 RTT):
+
+ * AEAD(K\ :sub:`2`, ``key confirmation``)
+ * AEAD(K\ :sub:`2`\ :sup:`´`, ``payload/application data``)
+
+
+``key confirmation`` and ``cert`` must be defined.
+
Unified Address Format for L2O and libp2p
-----------------------------------------
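Review bot: the two sides of this handshake do not derive the same keys. ``R`` runs an HKDF schedule (ES, dES, HS, dHS, MS, CHTS, SHTS, fk_I, fk_R, SATS), but under "``I`` computes:" the initiator derives K_1 and K_2 from KDF(ss_e || ss_R) and KDF(ss_e || ss_R || ss_I), never performs Decaps(sk_I, c_I) on the c_I it receives in ``ReceiverKemCiphertext``, and so cannot compute MS, fk_I or anything matching SHTS/SATS to decrypt ``ReceiverFinished`` or the payload. Suggest mirroring ``R``'s list on the initiator side, e.g. ` * (ss_e) <- Decaps(sk_e, c_e)`, ` * (ss_I) <- Decaps(sk_I, c_I)`, ` * MS <- HKDF-Extract(ss_I, dHS)`, and replacing AEAD(K_2, ``key confirmation``) in the 1.5 RTT flight with an ``InitiatorFinished`` = AEAD(CHTS, HMAC(fk_I, transcript)), which also gives the otherwise unused CHTS and fk_I a purpose and lets ``R`` verify the initiator's certificate key before accepting application data. Smaller points in the same hunk: Encaps(pk_S) in ``I``'s first step should be Encaps(pk_R), since pk_S is never defined and ``R`` decapsulates with sk_R; HKDF-Extract is written as (ss, salt), the reverse of RFC 5869's (salt, IKM) order, so state the convention once; and the transcript inputs differ per key (CHTS/SHTS use ``InitiatorHello``||``ReceiverHello``, SF uses ``InitiatorHello``||``ReceiverKemCiphertext``, SATS uses ``InitiatorHello``||SF), where a single running transcript hash over all messages sent so far, as in TLS 1.3, would be easier to implement and to check against ``gnunet-service-core_kx.c``.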