commit ee37fecf58232e8d949b40172f353034b4dad8be
parent 662a5466c2e6b1978af3a4b9ba01797eba024824
Author: Pedram Fardzadeh <p.fardzadeh@protonmail.com>
Date: Mon, 27 May 2024 15:13:26 +0200
Included Elligator paper
Diffstat:
1 file changed, 24 insertions(+), 5 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -251,8 +251,9 @@
</t>
<t>
Upon receiving a KX packet, the receiving peer decodes the representative into the original ephemeral public key and subsequently
- calculates the shared secret. The UDP communicator utilizes Elligator for the encoding and decoding of the ephemeral
- public key. More details about the construction of the representative and Elligator can be found in <xref target="Elligator"/>.
+ computes the shared secret. The UDP communicator utilizes Elligator for the encoding and decoding of the ephemeral public key
+ described in Section 5. <xref target="BHKL13"/>. More details about the construction of the representative and Elligator's
+ usage within the UDP communicator can be found in <xref target="Elligator"/>.
</t>
<t>
Let G be the basepoint of Curve25519, Ed_To_Curve() a function which converts Ed25519 points to their corresponding Curve25519
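Review bot: In the added line `described in Section 5. <xref target="BHKL13"/>.` the period after "Section 5" ends the sentence early, so the text reads as a reference to Section 5 of this draft followed by a dangling citation. Suggest writing "described in Section 5 of <xref target="BHKL13"/>", matching the "Section 4.1 of <xref target="RFC7748"/>" form already used in the Elligator section.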
@@ -274,14 +275,14 @@ Decap(REPR) := (K,IV) = SetupCipher(X25519(REC_SK, Dec(REPR)), 0)
</t>
<t>
The use of the peer identities for both Ed25519 signatures and X25519-based KEM has been proven to be safe. For further details, refer to the
- paper <xref target="E21"/>.
+ paper <xref target="T21"/>.
</t>
</section>
<section anchor="Elligator" numbered="true" toc="default">
<name>Elligator</name>
<t>
In case of Montgomery curves, such as Curve25519, a point [X, Y] on that curve (e.g. the ephemeral public key) follows the equation
- Y^2 = X^3 + AX^2 + X mod P, where A and P are parameters for Curve25519 specified in Section 4.1 of <xref target="RFC7748"/>. For any
+ Y^2 = X^3 + A * X^2 + X mod P, where A and P are parameters for Curve25519 specified in Section 4.1 of <xref target="RFC7748"/>. For any
valid x-coordinate, the left side of the equation is always a quadratic number. An attacker could read the x-coordinate from the KX Header
and verify if this property holds. While this property holds for any valid Curve25519 point, it only holds in about 50% of the cases for a
random number. By observing multiple KX packets, an attacker can be certain that curve points are being sent if the property consistently holds.
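Review bot: Since this hunk already touches the curve equation, the following context sentence should be fixed in the same pass: "the left side of the equation is always a quadratic number" refers to the wrong side. Y^2 is a square by construction; what an observer who only sees the x-coordinate can test is whether the right side, X^3 + A * X^2 + X, is a quadratic residue mod P. Suggest "the right side of the equation is always a quadratic residue mod P", and consider writing "(mod P)" so it is clear the reduction applies to the whole congruence and not just the last term.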
@@ -1010,7 +1011,7 @@ SetupCipher(MSK):
</references>
<references>
<name>Informative References</name>
- <reference anchor="E21" target="https://eprint.iacr.org/2021/509.pdf">
+ <reference anchor="T21" target="https://eprint.iacr.org/2021/509.pdf">
<front>
<title>On using the same key pair for Ed25519 and an X25519 based KEM</title>
<author initials="E." surname="Thormaker"
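Review bot: The anchor rename from "E21" to "T21" is only safe if every `<xref target="E21"/>` in the file is updated with it; this diff shows one such update (the hunk at line 275). Please confirm no other references to the old anchor remain, since an xref whose target has no matching anchor will not resolve.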
@@ -1019,6 +1020,24 @@ SetupCipher(MSK):
<date month="April" year="2021" />
</front>
</reference>
+ <reference anchor="BHKL13" target="https://eprint.iacr.org/2013/325.pdf">
+ <front>
+ <title>Elligator: Elliptic-curve points indistinguishable from uniform random strings</title>
+ <author initials="D.J" surname="Bernstein"
+ fullname="Daniel J. Bernstein">
+ </author>
+ <author initials="M." surname="Hamburg"
+ fullname="Mike Hamburg">
+ </author>
+ <author initials="A." surname="Krasnova"
+ fullname="Anna Krasnova">
+ </author>
+ <author initials="T." surname="Lange"
+ fullname="Tanja Lange">
+ </author>
+ <date month="August" year="2013" />
+ </front>
+ </reference>
</references>
</back>
</rfc>
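Review bot: In the new BHKL13 entry, `initials="D.J"` is missing its trailing period, unlike the other author entries ("E.", "M.", "A.", "T."). Suggest `initials="D.J."` so the rendered author list is punctuated consistently.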