commit 2546015ffee2d100ab481ddf9af042ee94ff3e3a
parent b88b6d52fca3252d7866e8e74a0edeb60b44065c
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Wed, 16 Apr 2025 13:59:30 +0200
intro update
Diffstat:
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/draft-schanzen-hpke-elligator-kem.xml b/draft-schanzen-hpke-elligator-kem.xml
@@ -104,9 +104,19 @@
<section anchor="introduction" numbered="true" toc="default">
<name>Introduction</name>
<t>
- This document defines the normative wire format of resource
- records, resolution processes, cryptographic routines and
- security considerations for use by implementers.
+ In the case of Montgomery curves, such as Curve25519, a point [X, Y] on that curve (e.g., the ephemeral public key) follows the equation
+ <tt>Y^2 = X^3 + A * X^2 + X mod P</tt>, where A and P are parameters for Curve25519 specified in Section 4.1 of <xref target="RFC7748"/>. For any
+ valid x-coordinate, the left side of the equation is always a quadratic number. An attacker could read the x-coordinate
+ and verify if this property holds. While this property holds for any valid Curve25519 point, it only holds for a
+ random number in about 50% of the cases. By observing multiple communication attempts, an attacker can be sure that curve points are being sent if the property consistently holds.
+ To circumvent this attack, curve points should be encoded into property-less numbers, making valid and invalid curve points indistinguishable
+ to an outside observer.
+ The Elligator encoding function (also known as the "inverse map") and decoding function (also known as the "direct map") implement this feature.
+ </t>
+ <t>
+ This document defines an Elligator Key Encapsulation Mechanims (KEM) for use
+ in HPKE <xref target="RFC9180"/>
+ and its security considerations for use by implementers.
</t>
<t>
This specification was developed outside the IETF and does not have
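Review bot: typo in the added paragraph, "Elligator Key Encapsulation Mechanims (KEM)" should read "Mechanism". In the paragraph moved into the introduction, the quantity that is a square for a valid x-coordinate is the right-hand side `X^3 + A * X^2 + X mod P`, not the left side as the text says (the left side `Y^2` is a square by construction), and the usual term is "quadratic residue" rather than "quadratic number"; since the text is being moved anyway, consider rewording to "the right-hand side of the equation is always a quadratic residue modulo P" so the distinguishing property an observer would test is stated precisely.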
@@ -277,16 +287,6 @@
<section anchor="security_elligator" numbered="true" toc="default">
<name>Elligator</name>
<t>
- In the case of Montgomery curves, such as Curve25519, a point [X, Y] on that curve (e.g., the ephemeral public key) follows the equation
- <tt>Y^2 = X^3 + A * X^2 + X mod P</tt>, where A and P are parameters for Curve25519 specified in Section 4.1 of <xref target="RFC7748"/>. For any
- valid x-coordinate, the left side of the equation is always a quadratic number. An attacker could read the x-coordinate
- and verify if this property holds. While this property holds for any valid Curve25519 point, it only holds for a
- random number in about 50% of the cases. By observing multiple communication attempts, an attacker can be sure that curve points are being sent if the property consistently holds.
- To circumvent this attack, curve points should be encoded into property-less numbers, making valid and invalid curve points indistinguishable
- to an outside observer.
- The Elligator encoding function (also known as the "inverse map") and decoding function (also known as the "direct map") implement this feature.
- </t>
- <t>
The encoding function is defined for the entire Curve25519. Most modern implementations of Curve25519 only generate points from its prime
subgroup to circumvent known attacks for which points not within the prime subgroup are susceptible. Those attacks are not an
issue in our case as we use the ephemeral secret key only once for computing key material. The exclusive use of the prime subgroup is a recognizable
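Review bot: with the background paragraph removed, the security considerations section now opens with "The encoding function is defined for the entire Curve25519" and nothing in this section says which function is meant; consider adding a back-reference to the introduction where the encoding and decoding functions are now defined, e.g. `The Elligator encoding function (see <xref target="introduction"/>) is defined for the entire Curve25519.`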