commit 5e43654c913963bba0c4e924e0d17a597f553f1a
parent 1f84685cb24e13a28800d4197a4f57739ec9a766
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Tue, 16 Jul 2024 12:05:57 +0200
update for KEM changes
Diffstat:
1 file changed, 25 insertions(+), 21 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -225,6 +225,7 @@
<name>Key generation</name>
<t>
Let "KeyGenEd25519() -> (x,X)" denote a function that produces an Ed25519 key pair as defined in <xref target="RFC8032"/>.
+ Let "KeyGenX25519() -> (x,X)" denote a function that produces an X25519 key pair as defined in <xref target="RFC7748"/>.
Let "KeyGenElligator() -> (x,X)" denote a function that produces a Curve25519 key pair suitable for Elligator obfuscations which we will define in the following.
</t>
<t>
@@ -280,17 +281,17 @@ KeyGenElligator():
ElligatorEnc(X):
B := random(1)
if B == 1:
- REPR := sqrt(-X / ((X + A) * U))
+ R := sqrt(-X / ((X + A) * U))
else:
- REPR := sqrt(-(X + A) / (U * X))
- return REPR
+ R := sqrt(-(X + A) / (U * X))
+ return R
]]></artwork>
<t>
The corresponding decoding agorithm is:
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
-ElligatorDec(REPR):
- V := -A / (1 + U * REPR^2)
+ElligatorDec(R):
+ V := -A / (1 + U * R^2)
E := L(V^3 + A * V^2 + V)
X := E * V - (1 - E)(A / 2)
return X
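Review bot: The context line between the two artwork blocks, "The corresponding decoding agorithm is:", contains a typo ("agorithm"). This hunk already edits the artwork on both sides of it, so correct it to "algorithm" in the same change.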
@@ -306,9 +307,9 @@ ElligatorDec(REPR):
from the X25519 result "Z" and the ephemeral public key "A":
</t>
<artwork anchor="kdf" name="" type="" align="left" alt=""><![CDATA[
-KDF(A,Z):
+KDF(A,Z,info):
PRK_h := HKDF-Extract (0, A||Z)
- MSK := HKDF-Expand (PRK_h, "gnunet-ed25519-x25519-ecdh", (512) / 8)
+ MSK := HKDF-Expand (PRK_h, info, 64)
return MSK
]]></artwork>
</section>
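Review bot: The sentence introducing the KDF artwork still names only the X25519 result "Z" and the ephemeral public key "A" as inputs, while the signature is now KDF(A,Z,info). The text should say what info is (a per-KEM context string) and that the first argument is not always the public key A, because the Elligator variants in this commit call KDF(R,Z,...) with the representative. The output length also changed from "(512) / 8" to a bare 64, so state that the length is in octets.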
@@ -338,28 +339,32 @@ KDF(A,Z):
Z := X25519(a, EdToCurve(X)) = X25519(x, A)
]]></artwork>
<t>
- We can then define the KEM:
+ We can then define the KEMs:
</t>
<artwork anchor="encaps" name="" type="" align="left" alt=""><![CDATA[
EncapsElligator(X):
- A,MSK := Encaps(X)
- REPR := ElligatorEnc(A)
- return REPR, MSK
+ (a, A) := KeyGenElligator()
+ R := ElligatorEnc(A)
+ Z := X25519(a, EdToCurve(X))
+ MSK := KDF(R,Z,"gnunet-ed25519-x25519-elligator-ecdh")
+ return R, MSK
Encaps(X):
- (a, A) := KeyGenElligator()
+ (a, A) := KeyGenX25519()
Z := X25519(a, EdToCurve(X))
- MSK := KDF(A,Z)
+ MSK := KDF(R,Z,"gnunet-ed25519-x25519-ecdh")
return A, MSK
]]></artwork>
<artwork anchor="decaps" name="" type="" align="left" alt=""><![CDATA[
-DecapsElligator(x, REPR):
- A := ElligatorDec(REPR)
- return Decaps(x, A)
+DecapsElligator(x, R):
+ A := ElligatorDec(R)
+ Z := X25519(x, A)
+ MSK := KDF(R,Z,"gnunet-ed25519-x25519-elligator-ecdh")
+ return MSK
Decaps(x, A):
Z := X25519(x, A)
- MSK := KDF(A,Z)
+ MSK := KDF(A,Z,"gnunet-ed25519-x25519-ecdh")
return MSK
]]></artwork>
<t>
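Review bot: In Encaps(X), the added line MSK := KDF(R,Z,"gnunet-ed25519-x25519-ecdh") uses R, which is never defined in that function. Encaps generates (a, A) with KeyGenX25519() and returns A, and the matching Decaps(x, A) derives with KDF(A,Z,"gnunet-ed25519-x25519-ecdh"), so the first argument here should be A for both sides to be specified with the same KDF input. The Elligator pair is consistent (both sides use R and the "gnunet-ed25519-x25519-elligator-ecdh" string). A sentence after the artwork explaining why the representative R rather than the decoded A is bound into the KDF there would help implementers.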
@@ -1539,7 +1544,7 @@ SetupCipher(REC_ID, MSK):
this attack, we need to choose the ephemeral key pair randomly from the whole curve as defined in "KeyGenElligator".
</t>
<t>
- Note that both for a value REPR and its negative counterpart -REPR (in the finite field), the decoding function will result in the same
+ Note that both for a value R and its negative counterpart -R (in the finite field), the decoding function will result in the same
x-coordinate. Moreover, for two different valid x-coordinates, the resulting representatives of the corresponding encoding calls are
different. Conversely, this means that we can't decode both representatives back to their original x-coordinate. This is why the sender
eventually tries a number of random key pairs in KeyGenElligator() in order to create a valid public key that can be used
@@ -1646,7 +1651,7 @@ SetupCipher(REC_ID, MSK):
<t>
This section provides test vectors for the different Elligator functions and should aid in verifying implementations.
Note that Elligator has two parameters: the set of positive and negative numbers, and a non-square number U
- within the finite field, as described in <xref target=""/>. The displayed test vectors assume that the set of positive
+ within the finite field, as described in FIXME. The displayed test vectors assume that the set of positive
numbers is defined as {0,...,(P-1)/2}, the set of negative numbers as {(P-1)/2 + 1,...,P−1} and U is the non-square number
sqrt(-1). Unless indicated otherwise, the test vectors are provided as little-endian hexadecimal byte arrays.
</t>
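Review bot: On the line "within the finite field, as described in FIXME", the empty xref is replaced by a literal FIXME that will appear in the rendered draft. Point the xref at the section that defines the Elligator parameters. If that anchor does not exist yet, keep the marker in an XML comment so the placeholder does not end up in the published text.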
@@ -1701,4 +1706,4 @@ SetupCipher(REC_ID, MSK):
</section>
</section>
</back>
-</rfc>
-\ No newline at end of file
+</rfc>