commit b3adf51462cc3c452aabad7b0b5ed69926c1106d
parent 5e43654c913963bba0c4e924e0d17a597f553f1a
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Tue, 16 Jul 2024 15:06:55 +0200
update with current implementation
Diffstat:
1 file changed, 14 insertions(+), 21 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -303,16 +303,11 @@ ElligatorDec(R):
We use a hash-based key derivation function (HKDF) as defined in
<xref target="RFC5869" />, using SHA-256 <xref target="RFC6234"/> for the extraction
phase and SHA-256 <xref target="RFC6234"/> for the expansion phase.
- We define the key derivation function (KDF) used to derive a uniform symmetric key
- from the X25519 result "Z" and the ephemeral public key "A":
+ We derive the master secret as a uniform symmetric key
+ from the X25519 result "Z" and the ephemeral public key "A" in a
+ "HKDF-Extract" step and then derive context-specific keys through "HKDF-Expand" as needed.
</t>
- <artwork anchor="kdf" name="" type="" align="left" alt=""><![CDATA[
-KDF(A,Z,info):
- PRK_h := HKDF-Extract (0, A||Z)
- MSK := HKDF-Expand (PRK_h, info, 64)
- return MSK
- ]]></artwork>
- </section>
+ </section>
<section anchor="elligator_kem" numbered="true" toc="default">
<name>Key encapsulation</name>
<t>
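Review bot: The rewritten paragraph (the added lines after "using SHA-256 ... for the expansion phase") no longer says which salt the HKDF-Extract step uses, and the deleted artwork was the only place the info label (`gnunet-ed25519-x25519-elligator-ecdh` versus `gnunet-ed25519-x25519-ecdh`) separated the Elligator and plain variants. The Extract calls elsewhere in the diff pass a salt of `0`, so the prose should state that explicitly, e.g. `The master secret MSK is HKDF-Extract(salt, IKM) with a salt of HashLen zero bytes and IKM the ephemeral value sent on the wire followed by the X25519 result Z.` With the label gone, the two variants differ only in whether the Elligator representative R or the public key A is fed to Extract; if that is the intended domain separation it should be stated as deliberate so implementers do not reintroduce a label on one side only.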
@@ -346,25 +341,25 @@ EncapsElligator(X):
(a, A) := KeyGenElligator()
R := ElligatorEnc(A)
Z := X25519(a, EdToCurve(X))
- MSK := KDF(R,Z,"gnunet-ed25519-x25519-elligator-ecdh")
+ MSK := HKDF-Extract (0, R||Z)
return R, MSK
Encaps(X):
(a, A) := KeyGenX25519()
Z := X25519(a, EdToCurve(X))
- MSK := KDF(R,Z,"gnunet-ed25519-x25519-ecdh")
+ MSK := HKDF-Extract (0, A||Z)
return A, MSK
]]></artwork>
<artwork anchor="decaps" name="" type="" align="left" alt=""><![CDATA[
DecapsElligator(x, R):
A := ElligatorDec(R)
Z := X25519(x, A)
- MSK := KDF(R,Z,"gnunet-ed25519-x25519-elligator-ecdh")
+ MSK := HKDF-Extract (0, R||Z)
return MSK
Decaps(x, A):
Z := X25519(x, A)
- MSK := KDF(A,Z,"gnunet-ed25519-x25519-ecdh")
+ MSK := HKDF-Extract (0, A||Z)
return MSK
]]></artwork>
<t>
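Review bot: The recipient's public key X is not bound into the master secret: `MSK := HKDF-Extract (0, R||Z)` and `MSK := HKDF-Extract (0, A||Z)` depend only on the ephemeral value and the shared secret, so the derived key is not tied to the intended recipient, which is the usual defence against identity misbinding (RFC 9180's DHKEM binds `enc || pkR` for this reason). Consider `MSK := HKDF-Extract (0, R||X||Z)` in EncapsElligator/DecapsElligator and `MSK := HKDF-Extract (0, A||X||Z)` in Encaps/Decaps, with X in its encoded Ed25519 form. Separately, nothing in DecapsElligator or Decaps rejects an all-zero Z, which X25519 returns for low-order inputs; since A is recovered from a peer-supplied R via ElligatorDec, an `if Z == 0: abort` check before the Extract step is prudent (RFC 7748, Section 6.1). Whether any caller performs that check is not visible in this hunk.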
@@ -620,8 +615,8 @@ Decaps(x, A):
</t>
<artwork anchor="setup_cipher" name="" type="" align="left" alt=""><![CDATA[
SetupCipher(MSK,SEQ):
- PRK := HKDF-Extract (SEQ, MSK)
- K,IV := HKDF-Expand (PRK, "gnunet-communicator-udp-key-iv", 44)
+ K := HKDF-Expand (MSK, "gnunet-communicator-udp-key"||SEQ, 32)
+ IV := HKDF-Expand (MSK, "gnunet-communicator-udp-iv"||SEQ, 12)
return K,IV
]]></artwork>
<t>
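Review bot: The encoding of SEQ appended to the info strings in the two new HKDF-Expand calls is unspecified (width and byte order), and this now matters for interoperability because SEQ moved from the salt into info; the draft should fix it once, e.g. `SEQ is encoded as a 32-bit unsigned integer in network byte order before concatenation.` Deriving K and IV in separate Expand calls with distinct labels is sound. Note that MSK, the raw Extract output, is used directly as the PRK, which matches RFC 5869 only if MSK is the untruncated 32-byte HMAC-SHA-256 output; the text should say so rather than leave it to the reader of the earlier section.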
@@ -633,8 +628,7 @@ SetupCipher(MSK,SEQ):
</t>
<artwork anchor="derive_kid" name="" type="" align="left" alt=""><![CDATA[
DeriveKID(MSK,SEQ):
- PRK := HKDF-Extract (SEQ, MSK)
- KID := HKDF-Expand (PRK, "gnunet-communicator-udp-kid", 256 / 8)
+ KID := HKDF-Expand (MSK, "gnunet-communicator-udp-kid"||SEQ, 32)
return KID
]]></artwork>
<t>
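Review bot: The SEQ concatenated into `"gnunet-communicator-udp-kid"||SEQ` must use exactly the same byte encoding as the SEQ in SetupCipher, otherwise a receiver that reconstructs the KID to look up a session will compute a different value than the sender; the draft currently defines no encoding in either place. I would add one sentence after this artwork, `SEQ is encoded here exactly as in SetupCipher.`, and define the encoding once where SEQ is introduced.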
@@ -1214,10 +1208,9 @@ DeriveKID(MSK,SEQ):
</t>
<artwork anchor="setup_cipher_tcp" name="" type="" align="left" alt=""><![CDATA[
SetupCipher(REC_ID, MSK):
- PRK := HKDF-Extract (0, REC_ID||MSK)
- K := HKDF-Expand (PRK, "gnunet-communicator-tcp-key", 32)
- IV := HKDF-Expand (PRK, "gnunet-communicator-tcp-ctr, 16)
- K_mac := HKDF-Expand (PRK, "gnunet-communicator-tcp-hmac, 64)
+ K := HKDF-Expand (MSK, "gnunet-communicator-tcp-key", 32)
+ IV := HKDF-Expand (MSK, "gnunet-communicator-tcp-ctr, 16)
+ K_mac := HKDF-Expand (MSK, "gnunet-communicator-tcp-hmac, 64)
return K,IV,K_mac
]]></artwork>
<t>
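Review bot: REC_ID is no longer used anywhere in the body: the three new HKDF-Expand lines derive K, IV and K_mac from MSK alone, while the signature `SetupCipher(REC_ID, MSK)` still takes it, so either the parameter is stale or the per-receiver binding that the old `HKDF-Extract (0, REC_ID||MSK)` step provided has been silently dropped. If REC_ID is meant to separate keys per receiver or connection (its definition is outside this hunk, so I cannot confirm), append it to the info strings, `K := HKDF-Expand (MSK, "gnunet-communicator-tcp-key"||REC_ID, 32)` and likewise for IV and K_mac; otherwise remove it from the signature and the surrounding prose. The string literals on the IV and K_mac lines are also missing their closing quote (`"gnunet-communicator-tcp-ctr, 16)` and `"gnunet-communicator-tcp-hmac, 64)`), carried over from the old lines but still wrong on the new side.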