commit 9ca2823171093a53c692682b56e5804b9f3740f7
parent b3adf51462cc3c452aabad7b0b5ed69926c1106d
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Tue, 16 Jul 2024 23:09:59 +0200
move to rfc9180 kem
Diffstat:
1 file changed, 29 insertions(+), 30 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -31,6 +31,7 @@
<!ENTITY RFC8499 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8499.xml">
<!ENTITY RFC9000 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.9000.xml">
<!ENTITY RFC9106 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.9106.xml">
+<!ENTITY RFC9180 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.9180.xml">
<!ENTITY I-D.ietf-dnsop-alt-tld PUBLIC '' "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-dnsop-alt-tld.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
@@ -246,7 +247,7 @@
We define "KeyGenElligator" as follows:
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
-KeyGenElligator():
+GenerateElligatorKeyPair():
VALID := 0
while(!VALID):
x := random(256)
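Review bot: The context sentence directly above this artwork still reads We define "KeyGenElligator" as follows:, so after the rename the prose introduces a name that no longer appears in the pseudocode. Update that sentence to GenerateElligatorKeyPair in the same change so the text and the artwork agree.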
@@ -278,7 +279,7 @@ KeyGenElligator():
The encoding function algorithm is:
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
-ElligatorEnc(X):
+SerializeElligatorPublicKey(X):
B := random(1)
if B == 1:
R := sqrt(-X / ((X + A) * U))
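Review bot: SerializeElligatorPublicKey(X) begins with B := random(1), so unlike a plain serialization it is randomized, and the RFC 9180-style name hides that. Add a sentence next to the artwork stating that repeated calls on the same X may return different representatives, so the sender must serialize once and reuse that exact value wherever the encapsulation is sent or hashed.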
@@ -290,7 +291,7 @@ ElligatorEnc(X):
The corresponding decoding agorithm is:
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
-ElligatorDec(R):
+DeserializeElligatorPublicKey(R):
V := -A / (1 + U * R^2)
E := L(V^3 + A * V^2 + V)
X := E * V - (1 - E)(A / 2)
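Review bot: The context line introducing this artwork has a typo, "agorithm". Since the hunk already touches this block, fix it to "algorithm" here rather than in a separate cleanup.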
@@ -321,6 +322,26 @@ ElligatorDec(R):
thereby potentially disrupting a large part of today's internet communication.
</t>
<t>
+ We define our KEMs analoguous to <xref target="RFC9180"/> Section 4 with modified static labels for domain separation from
+ the HPKE use case:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+def LabeledExtract(salt, label, ikm):
+ labeled_ikm = concat("gnunet-kem-v1", suite_id, label, ikm)
+ return Extract(salt, labeled_ikm)
+
+def LabeledExpand(prk, label, info, L):
+ labeled_info = concat(I2OSP(L, 2), "gnunet-kem-v1", suite_id,
+ label, info)
+ return Expand(prk, labeled_info, L)
+ ]]></artwork>
+ <t>
+ The value of <tt>suite_id</tt> depends on the KEM used. The <tt>ExtractAndExpand()</tt>, <tt>Encap()</tt>
+ and <tt>Decap()</tt> functions are used as defined in <xref target="RFC9180"/> for standard DHKEMs.
+ The communicators use the standard <tt>DHKEM(X25519, HKDF-SHA256)</tt> and a special Elligator-based KEM
+ defined below.
+ </t>
+ <t>
Let G be the basepoint of Curve25519, EdToCurve() a function which converts Ed25519 points to their corresponding Curve25519 points,
ElligatorEnc() Elligator's encoding function,
ElligatorDec() Elligator's decoding function, "X" the receiver's peer identity (a 256-bit EdDSA public key),
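Review bot: suite_id is left undefined for the Elligator-based KEM. The added paragraph only says it "depends on the KEM used", but the labels in LabeledExtract() and LabeledExpand() separate the two KEMs only if their suite_id values differ, and no value or KEM identifier is given for the Elligator variant. State the suite_id for both KEMs explicitly. Two smaller points in the same hunk: "analoguous" should be "analogous", and the trailing context paragraph still names ElligatorEnc() and ElligatorDec(), which this commit renames to SerializeElligatorPublicKey() and DeserializeElligatorPublicKey().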
@@ -334,34 +355,11 @@ ElligatorDec(R):
Z := X25519(a, EdToCurve(X)) = X25519(x, A)
]]></artwork>
<t>
- We can then define the KEMs:
+ The only changes required in an Elligator-based KEM are that drop-in replacements of
+ <tt>GenerateKeyPair() -> GenerateElligatorKeyPair()</tt>,
+ <tt>SerializePublicKey() -> SerializeElligatorPublicKey()</tt>
+ and <tt>DeserializePublicKey() -> DeserializeElligatorPublicKey</tt> functions.
</t>
- <artwork anchor="encaps" name="" type="" align="left" alt=""><![CDATA[
-EncapsElligator(X):
- (a, A) := KeyGenElligator()
- R := ElligatorEnc(A)
- Z := X25519(a, EdToCurve(X))
- MSK := HKDF-Extract (0, R||Z)
- return R, MSK
-
-Encaps(X):
- (a, A) := KeyGenX25519()
- Z := X25519(a, EdToCurve(X))
- MSK := HKDF-Extract (0, A||Z)
- return A, MSK
- ]]></artwork>
- <artwork anchor="decaps" name="" type="" align="left" alt=""><![CDATA[
-DecapsElligator(x, R):
- A := ElligatorDec(R)
- Z := X25519(x, A)
- MSK := HKDF-Extract (0, R||Z)
- return MSK
-
-Decaps(x, A):
- Z := X25519(x, A)
- MSK := HKDF-Extract (0, A||Z)
- return MSK
- ]]></artwork>
<t>
More details about the construction of the representative and Elligator's
usage can be found in <xref target="KeyGen"/>.
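Review bot: Removing the Encaps/Decaps artwork drops the only place that spelled out two details the replacement sentence does not cover. First, the old code computed Z := X25519(a, EdToCurve(X)) and fed R||Z (or A||Z) into the KDF; the new text should say that the receiver key passed to Encap() is EdToCurve(X) and which bytes form the KEM context for the Elligator variant (the representative R, and whether the receiver key is included as in RFC 9180). Second, the deleted artwork carried anchor="encaps" and anchor="decaps", so check that no xref elsewhere in the draft still targets them. The added sentence also needs rewording: "are that drop-in replacements of ... functions" does not parse, and DeserializeElligatorPublicKey is missing its "()" unlike the other two names.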
@@ -1605,6 +1603,7 @@ SetupCipher(REC_ID, MSK):
&RFC8032;
&RFC8174;
&RFC9000;
+ &RFC9180;
</references>
<references>