commit 37313deba2984c313bd2207211702384e32fa51a
parent 3fadd25e466069e141174376c0ec9b74a9028c22
Author: Pedram Fardzadeh <p.fardzadeh@protonmail.com>
Date: Wed, 22 May 2024 11:13:44 +0200
Added TODOs
Diffstat:
1 file changed, 3 insertions(+), 0 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -242,6 +242,7 @@
To hide the fact that a key exchange is being performed, the sender peer projects the ephemeral public key into a random-looking
byte stream (later referenced as the representative) before sending it to the receiver peer. The receiver peer can then recover
the ephemeral public key of the sender peer and calculate the same shared secret with its own private key.
+ (TODO) Motivation for hiding key exchange
</t>
<t>
The projection of the ephemeral public key is necessary if one wants to hide the fact that an ECC-based key exchange is being performed.
@@ -262,11 +263,13 @@ Encap() := (R, MSK) = (Enc(G.EPH_SK, rand), X25519(EPH_SK, Ed25519_To_Curve25519
Decap(R) := (MSK) = X25519(RECEIVER_SK, Dec(R))
]]></artwork>
<t>
+ (TODO) KDF is mising
Note that the exchange of the receiver peer identity is not within the scope of UDP Communicator's key exchange and is already assumed to
be known to the sender peer. It is also important to mention that the ephemeral public key which is depicted in the KEM as G.EPH_SK is a
point on the whole Curve25519 and not restricted to its prime subgroup. This is due to the fact that Elligator's encoding function is defined
on the whole Curve25519. The exclusive usage of the prime subgroup would restrict the set of potential representatives which in turn
an outside observer can trivially recognize.
+ (TODO) Explaination why KEM secure
</t>
</section>
<section anchor="Elligator" numbered="true" toc="default">
