commit b88b6d52fca3252d7866e8e74a0edeb60b44065c
parent 290a0ad25a20aa7abe278cd2892623d327c343ad
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Wed, 16 Apr 2025 13:53:59 +0200
minor editorial updates
Diffstat:
1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/draft-schanzen-hpke-elligator-kem.xml b/draft-schanzen-hpke-elligator-kem.xml
@@ -12,7 +12,6 @@
<!ENTITY RFC4033 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4033.xml">
<!ENTITY RFC5237 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5237.xml">
<!--<!ENTITY RFC3912 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3912.xml">-->
-<!ENTITY RFC5869 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5869.xml">
<!ENTITY RFC5890 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5890.xml">
<!ENTITY RFC5895 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5895.xml">
<!ENTITY RFC6066 PUBLIC '' "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6066.xml">
@@ -65,7 +64,7 @@
</address>
</author>
<author fullname="Pedram Fardzadeh" initials="P." surname="Fardzadeh">
- <organization>Technischen Universität München</organization>
+ <organization>Technische Universität München</organization>
<address>
<postal>
<street>Boltzmannstrasse 3</street>
@@ -220,8 +219,9 @@
<name>SerializePublicKey()</name>
<t>
The serialization functions incorporate the Elligator inverse and direct map functions to obfuscate a curve
- point, which are defined in the following.
- The Elligator literature calls the obfuscated curve point a "representative".
+ point.
+ The Elligator literature calls the obfuscated curve point a "representative". In the following, the "representative"
+ is named pkXm, where X stands for any of the roles defined in <xref target="RFC9180"/>.
</t>
<t>
Let <tt>A</tt> and <tt>P</tt> be the parameters for Curve25519 as specified in section 4.1 of <xref target="RFC7748"/>.
@@ -232,8 +232,8 @@
elements. For this Elligator, we follow the recommendations of the paper in section 5.1 of <xref target="BHKL13"/> and
choose <tt>{0,..., (P-1)/2}</tt> as the set of positive numbers, and consequently <tt>{(P-1)/2 + 1,...,P-1}</tt> as the
set of the negative numbers. Both Elligator's inverse and direct map require us to define a constant non-square number
- of the finite field. Let <tt>U := sqrt(-1)</tt> be this number. The resulting serialization algorithm for the KEM can then be
- described as:
+ of the finite field. Let <tt>U := sqrt(-1)</tt> be this number.
+ The resulting serialization algorithm for the HPKE KEM can then be described as:
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[
SerializeElligatorPublicKey(pkX):
@@ -247,6 +247,13 @@
pkXm[31] |= 64
return pkXm
]]></artwork>
+ <t>
+ Note that SerializeElligatorPublicKey(pkX) represents Elligator's inverse map
+ with a slight modification: The resulting representative of the inverse map is strictly smaller than 2^254 - 9. Therefore,
+ the most and second most significant bits are always zero, an obvious property an attacker could observe. We avoid this
+ problem by randomly flipping both bits. The target peer will ignore these bits after reception by setting those bits back to zero.
+ Similarly, as there are always two roots for each square number, we randomly select one or the other upon each serialization.
+ </t>
</section>
<section anchor="elligator_dhkem_deserialize" numbered="true" toc="default">
<name>DeserializePublicKey()</name>
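Review bot: the last sentence of the added paragraph is in tension with its second sentence. If the serializer randomly selects either square root, and the negative root lies in {(P-1)/2 + 1,...,P-1} as this section defines it, then the representative is not strictly smaller than 2^254 - 9 and bit 254 is not always zero before the masking step, so "the most and second most significant bits are always zero" only holds if the root is first mapped into the positive set. Please state the order of operations (root selection, reduction to the positive set, then random setting of the two top bits) or reword "we randomly select one or the other" so the two claims agree. Also, "randomly flipping both bits" should read "randomly setting", since the bits are zero beforehand and the receiver clears them; the visible "pkXm[31] |= 64" is a set, not a flip.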
@@ -259,11 +266,10 @@
return pkX
]]></artwork>
<t>
- Note that SerializeElligatorPublicKey(pkX) represents Elligator's inverse map and DeserializeElligatorPublicKey(pkXm) Elligator's
- direct map with a slight modification: The resulting representative of the inverse map is strictly smaller than 2^254 - 9. Therefore,
- the most and second most significant bits are always zero, an obvious property an attacker could observe. We avoid this
- problem by randomly flipping both bits. The target peer will ignore these bits after reception by setting those bits back to zero.
- </t>
+ Note that DeserializeElligatorPublicKey(pkX) represents Elligator's direct map.
+ We must, and can safely, clear the most and second most significant bits that were set randomly as
+ elaborated above before reconstructing the square root.
+ </t>
</section>
</section>
<section anchor="security" numbered="true" toc="default">
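Review bot: the argument name in the new sentence is wrong: DeserializeElligatorPublicKey takes the representative, which the previous section now names pkXm (and the removed text wrote DeserializeElligatorPublicKey(pkXm)), so the line should read "Note that DeserializeElligatorPublicKey(pkXm) represents Elligator's direct map." The second sentence would also read better as "Before reconstructing the square root, we clear the two most significant bits, which the serializer sets randomly as described in the previous section; this is safe because the bits carry no information." An xref to the serialization section would be more robust than "elaborated above".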
@@ -336,7 +342,7 @@
the values from <xref target="kemid-values"/>.
This section may be removed on publication as an RFC.
</t>
- <table anchor="kemid-values" align="center" pn="table-2">
+ <table anchor="kemid-values" align="center">
<name slugifiedName="name-kem-ids">KEM IDs</name>
<thead>
<tr>
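Review bot: dropping the hand-written "pn" attribute is right, since xml2rfc's prep tool generates it, but the "slugifiedName" attribute on the following <name> element is generated by the same tool and should be removed for the same reason so the source does not carry stale prep output.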
@@ -387,7 +393,6 @@
<references>
<name>Normative References</name>
&RFC2119;
- &RFC5869;
&RFC7748;
&RFC8174;
&RFC9180;
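Review bot: removing "&RFC5869;" here is consistent with the deletion of the RFC5869 entity declaration in the first hunk, but together they mean any remaining <xref target="RFC5869"/> in the body will now fail to resolve; please confirm none remains (HKDF is otherwise covered through RFC9180). The commit message "minor editorial updates" does not mention that a normative reference is dropped, which reviewers of the draft diff will want to see called out.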
@@ -413,7 +418,7 @@
<date month="August" year="2013" />
</front>
</reference>
- <reference anchor="LSD0007" target="https://lsd.gnunet.org/lsd0007">
+ <!--<reference anchor="LSD0007" target="https://lsd.gnunet.org/lsd0007">
<front>
<title>The GNUnet communicators</title>
<author initials="M" surname="Schanzenbach"
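Review bot: commenting out the LSD0007 reference leaves any <xref target="LSD0007"/> in the body dangling, so please confirm the citation is also gone; if the reference is no longer needed, deleting it outright (as this commit does for RFC5869) is cleaner than keeping a commented block, and git history preserves it. If it stays commented, note that the enclosed text must not contain "--" anywhere, which would terminate the XML comment early; the visible lines are fine in that respect.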
@@ -427,7 +432,7 @@
</author>
<date month="July" year="2024" />
</front>
- </reference>
+ </reference>-->
<reference anchor="GNUnet" target="https://git.gnunet.org/gnunet.git">
<front>
<title>gnunet.git - GNUnet core repository</title>