commit c9ca0ccd45c8a866a3bbad0cb15c53c8a66beab8
parent f21096e8a401a70999101e73799f1f979996143f
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Wed, 10 Jul 2024 17:51:18 +0200
pass crypto
Diffstat:
1 file changed, 45 insertions(+), 44 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -223,19 +223,25 @@
<name>Cryptographic primitives</name>
<section anchor="KeyGen" numbered="true" toc="default">
<name>Key generation</name>
- <t> TODO FIXME define "standard" KeyGens</t>
-<t>
-The general idea when generating an Elligator key pair is is to create both a random high-order curve point and a low-order curve point.
-Adding them together results in a curve point
-that is evenly distributed on the whole Curve25519.
-Not all Curve25519 points are eligible to be used with Elligator for a key exchange. In
-particular, not all points will have the property that the encoding and subsequent decoding result in the original point. The mathematical reasoning is elaborated in <xref target="security_elligator"/>.
-To create a valid Curve25519 point that can be used as an
-ephemeral key, one needs to generate as many curve points until the desired property holds.
-Let G be the generator of the prime order group of Ed25519, H the generator of the low order subgroup of Ed25519 and EdToCurve() a function
- which converts Ed25519 points to their corresponding Curve25519 points, we define:
-An Elligator key pair is generated as follows.
-</t>
+ <t>
+ Let "KeyGenEd25519() -> (x,X)" be a function that produces an Ed25519 key pair as defined in <xref target="RFC8032"/>.
+ </t>
+ <t>
+ GNUnet communicators utilize Elligator for the encoding and decoding of the ephemeral public keys
+ described in Section 5 of <xref target="BHKL13"/>.
+ Accordingly, let "KeyGenElligator() -> (x,X)" denote a function that produce a Curve25519 key pair suitable for Elligator obfuscations which we
+ will define in the following.
+ The general idea when generating an Elligator key pair is is to create both a random high-order curve point and a low-order curve point.
+ Adding them together results in a curve point
+ that is evenly distributed on the whole Curve25519.
+ Not all Curve25519 points are eligible to be used with Elligator for a key exchange. In
+ particular, not all points will have the property that the encoding and subsequent decoding result in the original point. The mathematical reasoning is elaborated in <xref target="security_elligator"/>.
+ To create a valid Curve25519 point that can be used as an
+ ephemeral key, one needs to generate as many curve points until the desired property holds.
+ Let G be the generator of the prime order group of Ed25519, H the generator of the low order subgroup of Ed25519 and EdToCurve() a function
+ which converts Ed25519 points to their corresponding Curve25519 points, we define:
+ An Elligator key pair is generated as follows.
+ </t>
<artwork name="" type="" align="left" alt=""><![CDATA[
KeyGenElligator():
VALID := 0
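Review bot: The added paragraph ends with "we define:" followed directly by "An Elligator key pair is generated as follows.", so the sentence that introduces G, H and EdToCurve() never finishes. Merge the two into one sentence that leads into the KeyGenElligator() artwork. In the same paragraph, "that produce a Curve25519 key pair" should read "produces", and "is is to create" carries a duplicated word over from the removed text. Both KeyGenEd25519() and KeyGenElligator() are declared as returning (x,X), while the Key encapsulation section binds the Elligator output to (a, A); consider a distinct pair of names for the ephemeral key so it cannot be confused with the identity key.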
@@ -250,15 +256,14 @@ KeyGenElligator():
return (x, X)
]]></artwork>
<t>
- The required encoding and decoding functions are defined in the following.
-
- Let A be the parameter for Curve25519 as specified in section 4.1 of <xref target="RFC7748"/>.
- Further, let X be a valid x-coordinate of a Curve25519 point, sqrt() a function which calculates the square root of the finite field element, U the number
- sqrt(-1) which is a non-quadratic number in the finite field, and legendre() a function which computes the legendre symbol of a field element.
- As each of the field elements have two roots, we need to define the notion of negative and non-negative numbers. This is especially important for the
- sqrt() function. A straightforward choice is to define the set {0,..., (P - 1) / 2} as set of all non-negative numbers.
- The encoding function used by the elligator encapsulation function in <xref target="encaps"/> can be defined as follows:
- </t>
+ "Enc" and "Dec" are the required encoding and decoding functions to obfuscate the public key and are are defined as follows:
+ Let A be the parameter for Curve25519 as specified in section 4.1 of <xref target="RFC7748"/>.
+ Further, let X be a valid x-coordinate of a Curve25519 point, sqrt() a function which calculates the square root of the finite field element, U the number
+ sqrt(-1) which is a non-quadratic number in the finite field, and legendre() a function which computes the legendre symbol of a field element.
+ As each of the field elements have two roots, we need to define the notion of negative and non-negative numbers. This is especially important for the
+ sqrt() function. A straightforward choice is to define the set {0,..., (P - 1) / 2} as set of all non-negative numbers.
+ The encoding function algorithm is:
+ </t>
<artwork name="" type="" align="left" alt=""><![CDATA[
ElligatorEnc(X):
B := rand(1)
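Review bot: The new opening sentence names the functions "Enc" and "Dec", but the artwork in this section defines ElligatorEnc(X) and ElligatorDec(REPR), and the Key encapsulation section also refers to ElligatorEnc() and ElligatorDec(). Use those names here so the reader does not look for two further functions. The same line contains "are are defined", and its "as follows:" is followed by the definitions of A, X, sqrt(), U and legendre() rather than by an algorithm, so end that sentence with a period and let "The encoding function algorithm is:" introduce the artwork.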
@@ -269,8 +274,7 @@ ElligatorEnc(X):
return REPR
]]></artwork>
<t>
- The corresponding decoding function which is used by the elligator decapsulation function in <xref target="decaps"/> to recover the
- x-coordinate from the representative is defined below:
+ The corresponding decoding agorithm is:
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
ElligatorDec(REPR):
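Review bot: "agorithm" in the added line is a typo for "algorithm". The replaced sentence also told the reader that decoding recovers the x-coordinate from the representative; keeping that clause, for example "The corresponding decoding algorithm, which recovers the x-coordinate from the representative, is:", documents the input and output of ElligatorDec(REPR) without needing the removed xref.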
@@ -279,7 +283,6 @@ ElligatorDec(REPR):
X := E * V - (1 - E)(A / 2)
return X
]]></artwork>
-
</section>
<section anchor="key_derivation" numbered="true" toc="default">
<name>Key derivation</name>
@@ -299,37 +302,24 @@ KDF(A,Z):
</section>
<section anchor="elligator_kem" numbered="true" toc="default">
<name>Key encapsulation</name>
- <t>
- GNUnet utilizes Elligator for the encoding and decoding of the ephemeral public keys
- described in Section 5 of <xref target="BHKL13"/>.
- </t>
- <t>
- Communicators use a modified version of the standard X25519 key exchange described in
- section 6.1 of <xref target="RFC7748"/>.
- We refer to the the ephemeral key pair as "a" and "A := a*G" where G is the generator of
- the curve.
- It deviates in that we use the Ed25519 key pair "x","X = x*G" of the peer identity as X25519 scalars
- and curve points, respectively.
- This use of a KEM and its safety has been investigated by <xref target="T21"/>.
- </t>
- <t>
+ <t>
While standard Diffie-Hellman-based KEMs securely establish a secret between two parties, an observer can easily identify
the encapsulation as a public key.
In the presence of an active attacker this could lead to packet dropping based on this information,
preventing communication between peers.
- The communicators <bcp14>MAY</bcp14> use the Elligator KEM defined in the following to produce random-looking
+ The UDP and TCP communicators use the Elligator KEM defined in the following to produce random-looking
encapsulations (referred to as a "representative").
This leaves the attacker with the option to either do nothing or intercept all random-looking packets,
thereby potentially disrupting a large part of today's internet communication.
- </t>
- <t>
+ </t>
+ <t>
Let G be the basepoint of Curve25519, EdToCurve() a function which converts Ed25519 points to their corresponding Curve25519 points,
ElligatorEnc() Elligator's encoding function,
ElligatorDec() Elligator's decoding function, "X" the receiver's peer identity (a 256-bit EdDSA public key),
"x" the corresponding secret key,
"A" an ephemeral public key (256-bit Curve25519 public key) and
"a" the corresponding 256-bit ephemeral secret key. Observe that:
- </t>
+ </t>
<artwork name="" type="" align="left" alt=""><![CDATA[
(x, X) := KeyGenEd25519()
(a, A) := KeyGenElligator()
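Review bot: Replacing "<bcp14>MAY</bcp14> use" with "The UDP and TCP communicators use" removes the only requirement keyword in this paragraph, so the text no longer says whether the Elligator KEM is optional or mandatory for those communicators. If it is now required, say so with <bcp14>MUST</bcp14>; if it stays optional, keep the keyword. The requirement level matters here because the paragraph motivates the KEM by an observer identifying public keys and dropping packets. The unchanged context also defines G as "the basepoint of Curve25519" while the Key generation text defines G as the generator of the prime order group of Ed25519; pick one definition or use two symbols.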
@@ -1435,7 +1425,17 @@ SetupCipher(REC_ID, MSK):
</dl>
</section>
<section anchor="security" numbered="true" toc="default">
- <name>Security and Privacy Considerations</name>
+ <name>Security and Privacy Considerations</name>
+ <section anchor="security_kem" numbered="true" toc="default">
+ <name>Ed25519 KEM</name>
+ <t>
+ Communicators use a modified version of the standard X25519 key exchange described in
+ section 6.1 of <xref target="RFC7748"/>.
+ It deviates in that we use the Ed25519 key pair "x","X = x*G" of the peer identity as X25519 scalars
+ and curve points, respectively.
+ This use of a KEM and its safety has been investigated by <xref target="T21"/>.
+ </t>
+ </section>
<section anchor="security_elligator" numbered="true" toc="default">
<name>Elligator</name>
<t>
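Review bot: The relocated "Ed25519 KEM" text uses "X = x*G", but the sentence that introduced G ("where G is the generator of the curve") together with the ephemeral pair "a" and "A := a*G" was dropped in the move, so G is undefined within this subsection. Restate which generator is meant or add an xref to the section that defines it. Since the deviation from RFC 7748, using the Ed25519 identity key pair as X25519 scalar and point, is now described only under Security and Privacy Considerations, an xref to security_kem from the Key encapsulation section would keep readers of the protocol text aware of it.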
@@ -1507,6 +1507,7 @@ SetupCipher(REC_ID, MSK):
&RFC5869;
&RFC6234;
&RFC7748;
+ &RFC8032;
&RFC8174;
&RFC9000;
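Review bot: The &RFC8032; entry is added to the reference list, but no hunk shown here adds a matching entity declaration, and the new xref target="RFC8032" in the Key generation section depends on it. If the neighbouring &RFC7748; and &RFC8174; entries are declared as entities at the top of the file, add the RFC8032 declaration there as well, otherwise the document will not parse.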