lsd0007

LSD0007: GNUnet communicators

commit f21096e8a401a70999101e73799f1f979996143f
parent 023029d45df8e3d5a4607008c6eda454479d3fec
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Wed, 10 Jul 2024 16:07:57 +0200

rename

Diffstat:
M draft-gnunet-communicators.xml | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml @@ -227,9 +227,9 @@ <t> The general idea when generating an Elligator key pair is is to create both a random high-order curve point and a low-order curve point. Adding them together results in a curve point -that is evenly distributed on the whole Curve25519. Not all Curve25519 points are eligible to be used with Elligator for a key exchange. In -particular, not all points will have the property that the encoding and subsequent decoding result in the original point. The mathematical -reasoning is elaborated in <xref target="security_elligator"/>. +that is evenly distributed on the whole Curve25519. +Not all Curve25519 points are eligible to be used with Elligator for a key exchange. In +particular, not all points will have the property that the encoding and subsequent decoding result in the original point. The mathematical reasoning is elaborated in <xref target="security_elligator"/>. To create a valid Curve25519 point that can be used as an ephemeral key, one needs to generate as many curve points until the desired property holds. Let G be the generator of the prime order group of Ed25519, H the generator of the low order subgroup of Ed25519 and EdToCurve() a function 
@@ -245,12 +245,14 @@ KeyGenElligator(): ED_low := (x mod 8) * H ED := ED_high + ED_low X := EdToCurve(ED) - if Dec(Enc(X)) == X: + if ElligatorDec(ElligatorEnc(X)) == X: VALID := 1 return (x, X) ]]></artwork> - <t> - Let A and P be the are parameters for Curve25519 as specified in section 4.1 of <xref target="RFC7748"/>. + <t> + The required encoding and decoding functions are defined in the following. + + Let A be the parameter for Curve25519 as specified in section 4.1 of <xref target="RFC7748"/>. Further, let X be a valid x-coordinate of a Curve25519 point, sqrt() a function which calculates the square root of the finite field element, U the number sqrt(-1) which is a non-quadratic number in the finite field, and legendre() a function which computes the legendre symbol of a field element. As each of the field elements have two roots, we need to define the notion of negative and non-negative numbers. This is especially important for the @@ -258,7 +260,7 @@ KeyGenElligator(): The encoding function used by the elligator encapsulation function in <xref target="encaps"/> can be defined as follows: </t> <artwork name="" type="" align="left" alt=""><![CDATA[ -Enc(X): +ElligatorEnc(X): B := rand(1) if B == 1: REPR := sqrt(-X / ((X + A) * U)) @@ -271,7 +273,7 @@ Enc(X): x-coordinate from the representative is defined below: </t> <artwork name="" type="" align="left" alt=""><![CDATA[ -Dec(REPR): +ElligatorDec(REPR): V := -A / (1 + U * REPR^2) E := legendre(V^3 + A * V^2 + V) X := E * V - (1 - E)(A / 2) 
@@ -322,8 +324,8 @@ KDF(A,Z): </t> <t> Let G be the basepoint of Curve25519, EdToCurve() a function which converts Ed25519 points to their corresponding Curve25519 points, - Enc() Elligator's encoding function, - Dec() Elligator's decoding function, "X" the receiver's peer identity (a 256-bit EdDSA public key), + ElligatorEnc() Elligator's encoding function, + ElligatorDec() Elligator's decoding function, "X" the receiver's peer identity (a 256-bit EdDSA public key), "x" the corresponding secret key, "A" an ephemeral public key (256-bit Curve25519 public key) and "a" the corresponding 256-bit ephemeral secret key. Observe that: @@ -339,7 +341,7 @@ Z := X25519(a, EdToCurve(X)) = X25519(x, A) <artwork anchor="encaps" name="" type="" align="left" alt=""><![CDATA[ EncapsElligator(X): A,MSK := Encaps(X) - REPR := Enc(A, rand) + REPR := ElligatorEnc(A, rand) return REPR, MSK Encaps(X): @@ -350,7 +352,7 @@ Encaps(X): ]]></artwork> <artwork anchor="decaps" name="" type="" align="left" alt=""><![CDATA[ DecapsElligator(x, REPR): - A := Dec(REPR) + A := ElligatorDec(REPR) return Decaps(x, A) Decaps(x, A): @@ -1444,7 +1446,7 @@ SetupCipher(REC_ID, MSK): random number. By observing multiple communication attempts, an attacker can be certain that curve points are being sent if the property consistently holds. To circumvent this attack, curve points should be encoded into property-less numbers, making valid and invalid curve points indistinguishable to an outside observer. - The Elligator encoding function "Enc" (also known as the "inverse map") and decoding function "Dec" (also known as the "direct map") implement this feature. + The Elligator encoding function "ElligatorEnc" (also known as the "inverse map") and decoding function "ElligatorDec" (also known as the "direct map") implement this feature. </t> <t> The encoding function is defined for the entire Curve25519. Most modern implementations of Curve25519 only generate points from its prime
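
Review bot: In the @@ -227,9 +227,9 @@ hunk, the first context line still reads "is is to create"; since this paragraph is being reflowed anyway, the duplicated word can be dropped in the same change. The closing sentence "one needs to generate as many curve points until the desired property holds" would also read more cleanly as "one needs to generate curve points until the desired property holds".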
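
Review bot: In the @@ -245,12 +245,14 @@ hunk, the added sentence "The required encoding and decoding functions are defined in the following." and the "Let A be the parameter for Curve25519 ..." text sit in one <t> element separated only by a blank line, which does not produce a paragraph break in the rendered draft; close the first <t> after the new sentence and open a second one. The same hunk also drops P from "Let A and P be the are parameters", which goes beyond the "rename" the commit message announces, so it is worth confirming that no later text still refers to P and noting the removal in the commit message.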
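
Review bot: In the @@ -271,7 +273,7 @@ hunk, the last visible line of ElligatorDec, "X := E * V - (1 - E)(A / 2)", relies on implicit multiplication, while the other products in these artwork blocks are written with an explicit "*" (for example "(X + A) * U" and "U * REPR^2"). Since the block is being touched for the rename, write it as "X := E * V - (1 - E) * (A / 2)" so an implementer cannot misread the second term as a function application.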
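
Review bot: In the @@ -339,7 +341,7 @@ hunk, the renamed call "REPR := ElligatorEnc(A, rand)" passes two arguments, but the definition renamed in the @@ -258,7 +260,7 @@ hunk is "ElligatorEnc(X)" with one parameter and draws its own bit via "B := rand(1)". Either drop the second argument at the call site or make the random bit an explicit parameter of the definition, so that the encaps artwork and the function definition agree on the signature.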