commit f755dc219c51341dd2acaa136666d4b633fa8b63
parent fca456e2749b296d7c9d1cf5de1d7795e97ac163
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Wed, 19 Jun 2024 05:41:58 +0200
update tcp
Diffstat:
1 file changed, 55 insertions(+), 29 deletions(-)
diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
@@ -210,15 +210,6 @@
phase and SHA-256 <xref target="RFC6234"/> for the expansion phase.
</t>
<t>
- Communicators use a modified version of the standard X25519 key exchange described in
- section 6.1 of <xref target="RFC7748"/>.
- We refer to the the ephemeral key pair as "a" and "A := a*G" where G is the generator of
- the curve.
- It deviates in that we use the Ed25519 key pair "x","X = x*G" of the peer identity as X25519 scalars
- and curve points, respectively.
- This use of a KEM and its safety has been investigated by <xref target="T21"/>.
- </t>
- <t>
We define the key derivation function (KDF) used to derive a uniform symmetric key
from the X25519 result "Z" and the ephemeral public key "A":
</t>
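Review bot: With this paragraph deleted at this position, the retained text right after it uses the X25519 result "Z" and the ephemeral public key "A" before either is introduced. The definitions of "a", "A := a*G" and the Ed25519 pair "x","X = x*G" now only appear further down, after the KDF. Either move the KDF definition below the key exchange description or keep a one-sentence definition of "A" and "Z" here, so the symbols are defined before use.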
@@ -236,6 +227,7 @@ KDF(A,Z):
described in Section 5 of <xref target="BHKL13"/>.
</t>
<t>
+<<<<<<< HEAD
Let G be the basepoint of Curve25519, EdToCurve() a function which converts Ed25519 points to their corresponding Curve25519
points, Enc() Elligator's encoding function, Dec() Elligator's decoding function, REC_ID the receiver's peer identity (a 256-bit EdDSA public key),
REC_SK the corresponding secret key, EPH_PUB the ephemeral Curve25519 public key and EPH_SK the corresponding secret key. Observe that:
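Review bot: The added line "<<<<<<< HEAD" directly after the opening t element is an unresolved merge conflict marker. It sits in ordinary character data, where a bare "<" is not well-formed XML, so the draft will fail to parse from this point. Resolve the conflict and remove the marker before this is committed.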
@@ -244,31 +236,58 @@ KDF(A,Z):
(REC_SK, REC_ID) := KeyGenEd25519()
(EPH_SK, EPH_PUB) := KeyGenCurve25519()
Z := X25519(EPH_SK, EdToCurve25519(REC_ID)) = X25519(REC_SK, EPH_PUB)
+=======
+ Communicators use a modified version of the standard X25519 key exchange described in
+ section 6.1 of <xref target="RFC7748"/>.
+ We refer to the the ephemeral key pair as "a" and "A := a*G" where G is the generator of
+ the curve.
+ It deviates in that we use the Ed25519 key pair "x","X = x*G" of the peer identity as X25519 scalars
+ and curve points, respectively.
+ This use of a KEM and its safety has been investigated by <xref target="T21"/>.
+ </t>
+ <t>
+ Let G be the basepoint of Curve25519, EdToCurve() a function which converts Ed25519 points to their corresponding Curve25519 points,
+ Enc() Elligator's encoding function,
+ Dec() Elligator's decoding function, "X" the receiver's peer identity (a 256-bit EdDSA public key),
+ "x" the corresponding secret key, "a" a 256-bit ephemeral secret key. Observe that:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+(x, X) := KeyGenEd25519()
+(a, A) := KeyGenX25519()
+Z := X25519(a, EdToCurve(X)) = X25519(x, A)
+>>>>>>> 75d0591 (update tcp)
]]></artwork>
<t>
We can then define the KEM:
</t>
<artwork anchor="encaps" name="" type="" align="left" alt=""><![CDATA[
-EncapsElligator(REC_ID):
- A,MSK := Encaps(REC_ID)
+EncapsElligator(X):
+ A,MSK := Encaps(X)
REPR := Enc(A, rand)
return REPR, MSK
+<<<<<<< HEAD
Encaps(REC_ID):
(EPH_SK, EPH_PUB) := KeyGenCurve25519()
Z := X25519(EPH_SK, EdToCurve25519(REC_ID))
MSK := KDF(EPH_PUB,Z)
return EPH_PUB, MSK
+=======
+Encaps(X):
+ (a, A) := KeyGenX25519()
+ Z := X25519(a, EdToCurve(X))
+ MSK := KDF(A,Z)
+ return A, MSK
+>>>>>>> 75d0591 (update tcp)
]]></artwork>
<artwork anchor="decaps" name="" type="" align="left" alt=""><![CDATA[
-DecapsElligator(REC_SK, REPR):
- EPH_PUB := Dec(REPR)
- return Decaps(REC_SK, EPH_PUB)
+DecapsElligator(x, REPR):
+ A := Dec(REPR)
+ return Decaps(x, A)
-Decaps(REC_SK, REPR):
- EPH_PUB := Dec(REPR)
- Z := X25519(REC_SK, EPH_PUB)
- MSK := KDF(EPH_PUB,Z)
+Decaps(x, A):
+ Z := X25519(x, A)
+ MSK := KDF(A,Z)
return MSK
]]></artwork>
<t>
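Review bot: The "=======" and ">>>>>>> 75d0591 (update tcp)" lines, and the second "<<<<<<< HEAD" inside the encaps artwork, are committed as content, so both sides of the conflict survive. The REC_ID/EPH_SK form of the "Observe that" block and of Encaps() remains next to the new x/X/a/A form, and the specification now carries two definitions of Encaps(). EncapsElligator(), DecapsElligator() and Decaps() were already converted to X, x and A, so keep only the 75d0591 side and delete the HEAD side together with all markers. In the side that is kept, "We refer to the the ephemeral key pair" has a doubled word.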
@@ -1053,18 +1072,25 @@ DeriveKID(MSK,SEQ):
For more information about elligator and its usage, please refer to <xref target="Elligator"/>.
</t>
<t>
- The UDP communicator utilizes the Elligator KEM described in <xref target="primitives"/>. The KEM is performed for each
- communication direction. Note that the exchange of the receiver peer identity is not within the scope of the TCP
- communicator's key exchange and is already assumed to be known to the sending peer. One way to exchange peer identites is
- through the means of UDP BROADCAST messages as described in <xref target="udp_bc"/>.
- </t>
- <t>
- Once the shared secret MSK is established, the initial key material for the usage of AES-CTR and HMAC is setup. While AES-CTR
- just needs to be setup once for encrypting an arbitrary amount of data, new HMAC key material is generated through ratcheting.
- The setup process for establishing the initial key material from the MSK looks as follows:
- </t>
+ Let G be the basepoint of Curve25519, Ed_To_Curve() a function which converts Ed25519 points to their corresponding
+ Curve25519 points, Enc() Elligator's encoding function, Dec() Elligator's decoding function, REC_ID the receiver's peer
+ identity (a 256-bit EdDSA public key), REC_SK the corresponding secret key, EPH_SK a 256-bit ephemeral secret key and
+ SetupCipher() the HKDF defined in <xref target="setup_cipher_tcp"/>. We can then define the TCP communicator’s key
+ exchange as a KEM:
+ </t>
+ <artwork name="" type="" align="left" alt=""><![CDATA[
+ (REC_SK, REC_ID) := KeyGenEd25519()
+ # Sender calls
+ REPR, MSK := EncapsElligator(REC_ID)
+ # Receiver calls
+ MSK := DecapsElligator(REC_SK, REPR)
+ # Key derivation
+ (K,IV,M_mac) := SetupCipher(REC_ID,MSK)
+ ]]></artwork>
+ <t>
+ </t>
<artwork anchor="setup_cipher_tcp" name="" type="" align="left" alt=""><![CDATA[
-SetupCipher(MSK):
+SetupCipher(PEERID, MSK):
PRK := HKDF-Extract (0, PEERID||MSK)
K := HKDF-Expand (PRK, "gnunet-communicator-tcp-key", 256 / 8)
IV := HKDF-Expand (PRK, "gnunet-communicator-tcp-ctr, 128 / 8)
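Review bot: The added paragraph and artwork use REC_ID, REC_SK, EPH_SK and Ed_To_Curve(), while the primitives section changed in this same commit names these X, x, a and EdToCurve(). The calls EncapsElligator(REC_ID) and DecapsElligator(REC_SK, REPR) should follow the new parameter names, or the paragraph should state the mapping. G, Ed_To_Curve(), Enc(), Dec() and EPH_SK are introduced but not used in the artwork that follows, so they can be dropped. The deleted statement that the receiver's peer identity is assumed to be already known to the sending peer is not replaced, although EncapsElligator(REC_ID) depends on it, so it should stay. The empty t element before the setup_cipher_tcp artwork should be removed or given the lead-in sentence the deleted text provided. In the unchanged IV line, the label "gnunet-communicator-tcp-ctr is missing its closing quote.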