commit e44d200e5c166d7fbb73a450caabe3029dca2752
parent 1a689942fc8ee6398b7ae73a5409863f9edf21bc
Author: Pedram Fardzadeh <p.fardzadeh@protonmail.com>
Date: Tue, 18 Jun 2024 00:42:14 +0200
Updated KEM formulas
Diffstat:
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -430,8 +430,8 @@
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
Key_Gen() := (REC_SK, REC_ID)
-Encap(REC_ID) := (REPR, (K,IV)) = (REPR, SetupCipher(MSK, 0)) = (Enc(G.EPH_SK, rand), SetupCipher(X25519(EPH_SK, Ed_To_Curve(REC_ID)), 0))
-Decap(REPR) := (K,IV) = SetupCipher(MSK, 0) = SetupCipher(X25519(REC_SK, Dec(REPR)), 0)
+Encap(REC_ID) := (REPR, (K,IV)) = (REPR, SetupCipher(MSK, 0)) = (Enc(G.EPH_SK, rand), SetupCipher(SHA512(X25519(EPH_SK, Ed_To_Curve(REC_ID)))[0:256], 0))
+Decap(REPR) := (K,IV) = SetupCipher(MSK, 0) = SetupCipher(SHA512(X25519(REC_SK, Dec(REPR)))[0:256], 0)
]]></artwork>
<t>
Both the sending and the receiving peer <bcp14>SHOULD</bcp14> store the master shared secret MSK and attribute it to the corresponding peer.
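Review bot: the hunk changes what MSK is without updating its definition. The middle term `SetupCipher(MSK, 0)` and the sentence "store the master shared secret MSK" still describe MSK as the shared secret, but the right-hand side now uses `SHA512(X25519(...))[0:256]` rather than the raw X25519 output, so the text defining MSK should say that MSK is the first 256 bits of the SHA-512 hash of the X25519 result. Also state the unit of the `[0:256]` slice (bits, i.e. the first 32 bytes of the digest) so implementers do not read it as a byte range. Hashing the X25519 output before using it as key material is the right direction, since the raw Diffie-Hellman output is not uniformly distributed.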
@@ -1007,8 +1007,8 @@ DeriveKID(MSK,SEQ):
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
Key_Gen() := (REC_SK, REC_ID)
-Encap(REC_ID) := (REPR, (K,IV,K_mac)) = (Enc(G.EPH_SK, rand), SetupCipher(X25519(EPH_SK, Ed_To_Curve(REC_ID))))
-Decap(REPR) := (K,IV, K_mac) = SetupCipher(X25519(REC_SK, Dec(REPR)))
+Encap(REC_ID) := (REPR, (K,IV,K_mac)) = (Enc(G.EPH_SK, rand), SetupCipher(SHA512(X25519(EPH_SK, Ed_To_Curve(REC_ID)))[0:256]))
+Decap(REPR) := (K,IV, K_mac) = SetupCipher(SHA512(X25519(REC_SK, Dec(REPR)))[0:255])
]]></artwork>
<t>
</t>
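Review bot: the slice bounds differ between the two new lines: `+Encap(REC_ID) := ... SetupCipher(SHA512(...)[0:256])` but `+Decap(REPR) := ... SetupCipher(SHA512(...)[0:255])`. As written, the sender and receiver feed different inputs to SetupCipher and derive different (K, IV, K_mac), so decapsulation would not yield the encapsulated keys. This looks like a typo; change the Decap line to `[0:256]` to match Encap and the first hunk.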
@@ -1337,26 +1337,27 @@ SetupCipher(MSK):
</t>
<t>
The Elligators encoding function (also known as the "inverse map") and decoding function (also known as the "direct map") implements this feature.
- Let X be a valid x-coordinate of a Curve25519 point, U the number (-1)^(1/2) which is a non-quadratic number in the finite field of order P and
- legendre() a function which computes the legendre symbol of a field element.
+ Let X be a valid x-coordinate of a Curve25519 point, sqrt() a function which calculates the square root of the finite field element, U the number
+ sqrt(-1) which is a non-quadratic number in the finite field, and legendre() a function which computes the legendre symbol of a field element.
+ As each of the field elements have two roots, we need to define the notion of negative and non-negative numbers. This is especially important for the
+ sqrt() function. A straightforward choice is to define the set {0,..., (P - 1) / 2} as set of all non-negative numbers.
The encoding function used by both the UDP and TCP communicator can be defined as follows:
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
Enc(X):
B := rand(1)
if B == 1:
- REPR := (-X / ((X + A) * U)^(1/2)
+ REPR := sqrt(-X / ((X + A) * U))
else:
- REPR := (-(X + A) / (U * X))^(1/2)
+ REPR := sqrt(-(X + A) / (U * X))
return REPR
]]></artwork>
<t>
The encoding function is defined for the entire Curve25519. In modern cryptoghraphic systems, mostly public keys from the prime
subgroup of Curve25519 are used. The exclusive use of the prime subgroup is a recognizable property that an outside observer can
- easily detect. To circumvent this issue, we need to randomly choose an curve point from the whole curve. Two methods to achieve
- this are described in (FIXME: include source). By ensuring that the x-coordinate is from a randomly chosen curve point on the entire
- curve, the resulting representatives do not possess any properties that could be used by an attacker to identify them as curve point
- coordinates anymore.
+ easily detect. To circumvent this issue, we need to randomly choose an curve point from the whole curve. (FIXME: Include our implementation).
+ By ensuring that the x-coordinate is from a randomly chosen curve point on the entire curve, the resulting representatives do not possess any
+ properties that could be used by an attacker to identify them as curve point coordinates anymore.
</t>
<t>
The x-coordinate of the encoded Curve25519 point can be recovered via the decoding function below:
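Review bot: the new definition of U is imprecise: `sqrt(-1) which is a non-quadratic number in the finite field` should read "a quadratic non-residue (a non-square) in the field of order P", and since sqrt(-1) has two values, the text should say which one is taken (the non-negative one under the convention defined two sentences later). In the same paragraph, "each of the field elements have two roots" holds only for non-zero squares, and sqrt() needs to be specified as returning the non-negative root, because the Enc() function relies on a canonical choice of root for the representative to be unambiguous. The added `(FIXME: Include our implementation)` placeholder replaces a reference to the source but still leaves the point-sampling method undescribed, so the reader cannot verify the claim that the representatives are indistinguishable from random; and the added line has "an curve point" (should be "a curve point"). Unchanged context in this hunk also carries "Elligators encoding function" (should be "Elligator") and "cryptoghraphic", which could be fixed in the same commit.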