commit ac71a57ca7682e9bc46f85c6c2deb4ec7e9581c7
parent f69117c621243da005d1c1474e5aa6002680c846
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Tue, 18 Jun 2024 16:36:43 +0200
reorder
Diffstat:
1 file changed, 49 insertions(+), 43 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -200,7 +200,7 @@
not attempt to retransmit them.
</t>
</section>
- <section anchor="Primitives" numbered="true" toc="default">
+ <section anchor="primitives" numbered="true" toc="default">
<name>General purpose primitives</name>
<t>
We use a hash-based key derivation function (HKDF) as defined in
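Review bot: The anchor rename from "Primitives" to "primitives" on the <section> line is not a reorder and is not mentioned in the commit message; any <xref target="Primitives"/> remaining elsewhere in the document would stop resolving. This diff only shows the new lowercase reference, so check the rest of draft-gnunet-communicators.xml for the old spelling before merging and note the rename in the commit message.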
@@ -226,6 +226,50 @@ KDF(A,Z):
MSK := HKDF-Expand (PRK_h, "gnunet-ed25519-x25519-ecdh", (512) / 8)
return MSK
]]></artwork>
+ <t>
+ GNUnet utilizes Elligator for the encoding and decoding of the ephemeral public keys
+ described in Section 5 of <xref target="BHKL13"/>.
+ </t>
+ <t>
+ Let G be the basepoint of Curve25519, Ed_To_Curve() a function which converts Ed25519 points to their corresponding Curve25519
+ points, Enc() Elligator's encoding function, Dec() Elligator's decoding function, REC_ID the receiver's peer identity (a 256-bit EdDSA public key),
+ REC_SK the corresponding secret key, EPH_SK a 256-bit ephemeral secret key and SetupCipher() the HKDF defined in <xref target="setup_cipher"/>. Observe that:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+(REC_SK, REC_ID) := KeyGenEd25519()
+(EPH_SK, EPH_PUB) := KeyGenX25519()
+Z := X25519(EPH_SK, EdToCurve25519(REC_ID)) = X25519(REC_SK, EPH_PUB)
+ ]]></artwork>
+ <t>
+ We can then define the UDP communicator’s key exchange for the first message as a KEM:
+ </t>
+ <artwork anchor="encaps" name="" type="" align="left" alt=""><![CDATA[
+EncapsElligator(REC_ID):
+ A,MSK := Encaps(REC_ID)
+ REPR := Enc(A, rand)
+ return REPR, MSK
+
+Encaps(REC_ID):
+ (EPH_SK, EPH_PUB) := KeyGenX25519()
+ Z := X25519(EPH_SK, EdToCurve25519(REC_ID))
+ MSK := KDF(EPH_PUB,Z)
+ return EPH_PUB, MSK
+ ]]></artwork>
+ <artwork anchor="decaps" name="" type="" align="left" alt=""><![CDATA[
+DecapsElligator(REC_SK, REPR):
+ EPH_PUB := Dec(REPR)
+ return Decaps(REC_SK, EPH_PUB)
+
+Decaps(REC_SK, REPR):
+ EPH_PUB := Dec(REPR)
+ Z := X25519(REC_SK, EPH_PUB)
+ MSK := KDF(EPH_PUB,Z)
+ return MSK
+ ]]></artwork>
+ <t>
+ More details about the construction of the representative and Elligator's
+ usage can be found in <xref target="Elligator"/>.
+ </t>
</section>
<section anchor="udp_comm" numbered="true" toc="default">
<name>UDP communicator</name>
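Review bot: In the "decaps" artwork, DecapsElligator() already computes EPH_PUB := Dec(REPR) and passes EPH_PUB on, but Decaps(REC_SK, REPR) is declared with REPR and applies Dec() a second time, so as written the representative is decoded twice. Suggest declaring it as Decaps(REC_SK, EPH_PUB) and dropping its Dec line, which also makes it the mirror of Encaps(). While the text is being moved: the prose introduces Ed_To_Curve() but the pseudocode calls EdToCurve25519(), and G and SetupCipher() are defined in this paragraph without being used in the section; pick one function name and trim or relocate the unused definitions.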
@@ -442,49 +486,11 @@ KDF(A,Z):
FIXME.
</dd>
</dl>
- <t>
+ <t>
Upon receiving a KX message, the receiving peer decodes the representative into the original ephemeral public key and subsequently
- computes the shared secret. The UDP communicator utilizes Elligator for the encoding and decoding of the ephemeral public key
- described in section 5 of <xref target="BHKL13"/>. More details about the construction of the representative and Elligator's
- usage can be found in <xref target="Elligator"/>.
- </t>
- <t>
- Let G be the basepoint of Curve25519, Ed_To_Curve() a function which converts Ed25519 points to their corresponding Curve25519
- points, Enc() Elligator's encoding function, Dec() Elligator's decoding function, REC_ID the receiver's peer identity (a 256-bit EdDSA public key),
- REC_SK the corresponding secret key, EPH_SK a 256-bit ephemeral secret key and SetupCipher() the HKDF defined in <xref target="setup_cipher"/>. Observe that:
+ computes the shared secret. The UDP communicator utilizes the Elligator KEM described in <xref target="primitives"/>.
</t>
- <artwork name="" type="" align="left" alt=""><![CDATA[
- (REC_SK, REC_ID) := KeyGenEd25519()
- (EPH_SK, EPH_PUB) := KeyGenX25519()
- Z := X25519(EPH_SK, EdToCurve25519(REC_ID)) = X25519(REC_SK, EPH_PUB)
- ]]></artwork>
- <t>
- We can then define the UDP communicator’s key exchange for the first message as a KEM:
- </t>
- <artwork anchor="encaps" name="" type="" align="left" alt=""><![CDATA[
-EncapsElligator(REC_ID):
- A,MSK := Encaps(REC_ID)
- REPR := Enc(A, rand)
- return REPR, MSK
-
-Encaps(REC_ID):
- (EPH_SK, EPH_PUB) := KeyGenX25519()
- Z := X25519(EPH_SK, EdToCurve25519(REC_ID))
- MSK := KDF(EPH_PUB,Z)
- return EPH_PUB, MSK
- ]]></artwork>
- <artwork anchor="decaps" name="" type="" align="left" alt=""><![CDATA[
-DecapsElligator(REC_SK, REPR):
- EPH_PUB := Dec(REPR)
- return Decaps(REC_SK, EPH_PUB)
-
-Decaps(REC_SK, REPR):
- EPH_PUB := Dec(REPR)
- Z := X25519(REC_SK, EPH_PUB)
- MSK := KDF(EPH_PUB,Z)
- return MSK
- ]]></artwork>
- <t>
+ <t>
The resulting MSK is used to derive symmetric encryption key K and initialization vector IV using SetupCipher(MSQ,SEQ).
Both the sending and the receiving peer <bcp14>SHOULD</bcp14> store the master shared secret MSK and attribute it to the corresponding peer.
In case of an acknowledgment from the receiving peer, the established MSK can be reused by iterativly increasing the sequence number SEQ for SetupCipher(MSK, SEQ).
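Review bot: The new sentence "The UDP communicator utilizes the Elligator KEM described in <xref target="primitives"/>" points at the whole section, although the moved artwork keeps its "encaps" and "decaps" anchors; if the toolchain allows it, referencing those would take the reader straight to EncapsElligator() and DecapsElligator(). The two <t> lines changed in this hunk appear to differ only in whitespace and could be left out of the diff. Since this paragraph is being touched anyway, the context line "SetupCipher(MSQ,SEQ)" looks like a typo for MSK (the following sentence uses SetupCipher(MSK, SEQ)), and "iterativly" should read "iteratively".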
@@ -519,7 +525,7 @@ Decaps(REC_SK, REPR):
<artwork anchor="setup_cipher" name="" type="" align="left" alt=""><![CDATA[
SetupCipher(MSK,SEQ):
PRK_h := HKDF-Extract (SEQ, MSK)
- K,IV := HKDF-Expand (PRK_h, "gnunet-communicator-udp-key-iv", (256 + 96) / 8)
+ K,IV := HKDF-Expand (PRK_h, "gnunet-communicator-udp-key-iv", 32 + 12)
return K,IV
]]></artwork>
<t>
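Review bot: The output length in SetupCipher() changes from "(256 + 96) / 8" to "32 + 12", which is the same 44 bytes but is now written in bytes, while KDF() in the primitives section still writes its length in bits as "(512) / 8". Suggest using one convention in both artworks, or stating the unit next to the length (32-byte K, 12-byte IV), so an implementer does not read "32 + 12" as a bit count. This is a notation change rather than a reorder, so it deserves its own line in the commit message.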