commit b4499efce78c0f85acb29cd712b7255f6a38766b
parent 887899997635009b3fbc0a8ad7bdf887561b1a6a
Author: Pedram Fardzadeh <p.fardzadeh@protonmail.com>
Date: Mon, 27 May 2024 12:49:56 +0200
Adjustments UDP Communicator Key Exchange
Diffstat:
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -242,8 +242,7 @@
</t>
<t>
While the standard approach securely establishes a secret between both entities, an observer can easily detect a key exchange
- due to the transmission of an ephemeral public key from the sending peer to the receiving peer. Without additional measures,
- an observer can recognize this transmission and deduce that an ECC-based key exchange is occurring. In a censored environment,
+ due to the transmission of an ephemeral public key from the sending peer to the receiving peer. In a censored environment,
this could lead to packet interception, preventing communication between peers. The UDP communicator addresses this by encoding
the ephemeral public key into a random-looking byte stream (referred to as the "representative") before sending it. Since the
GCM tag and the encrypted data in the key exchange (KX) packet also appear random, the entire packet is indistinguishable from a
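Review bot: after this edit, the sentence ending on the added line ("... from the sending peer to the receiving peer.") asserts that an observer can easily detect the key exchange, but the visible part of the paragraph no longer says what makes an ephemeral public key recognizable on the wire. The deleted sentence was where the reader learned what the observer deduces. Since the explanation now lives only in the Elligator section, consider a short forward reference here, for example "because an unencoded public key is distinguishable from random bytes (see <xref target="Elligator"/>)", so that the motivation for the representative is stated before the mechanism is introduced.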
@@ -279,9 +278,6 @@ Decap(R) := (K,IV) = SetupCipher(X25519(RECEIVER_SK, Dec(R)), 0)
<section anchor="Elligator" numbered="true" toc="default">
<name>Elligator</name>
<t>
- This is due to the structure of ECC public keys, which are not equally distributed with respect to the underlying group of the curve and
- therefore distinguishable from random.
-
In case of Montgomery curves such as Curve25519, a point [X,Y] on that curve (e.g. the ephemeral public key) follows the equation
Y^2 = X^3 + AX^2 + X mod Q, whereas A and Q are parameters for Curve25519 specified in <xref target="RFC7748"/>. For any valid x-coordinate the left
side of the equation is therefore always a quadratic number. An attacker could thus read the x-coordinate from the KX Header and check if
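Review bot: with "This is due to the structure of ECC public keys, ..." removed, the Elligator section opens straight into the curve equation without first stating the claim the paragraph argues, namely that an unencoded public key is distinguishable from random. Dropping the dangling "This is due to" is right, since it has no antecedent at the start of a section, but a one-sentence replacement stating the problem would keep the section self-contained. While this paragraph is being touched, the context line "the left side of the equation is therefore always a quadratic number" would be more precise as a statement that X^3 + AX^2 + X is a square mod Q for any valid x-coordinate, since that is the quantity an observer can compute from the x-coordinate alone. Also, "whereas A and Q are parameters" should read "where A and Q are parameters".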