commit 2422b8b2e026165f33eb4f06d2e7dad0f95a5bdd
parent ac9cdfe50e89fb7f87edc69d2bbff57aadaaa921
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Wed, 16 Apr 2025 07:55:26 +0200
Notes on protocols and KEM challenge
Diffstat:
1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/draft-schanzen-cake.xml b/draft-schanzen-cake.xml
@@ -244,22 +244,22 @@ MS | |
The Initiator creates the InitiatorHello message which includes the encrypted tuple (pk<sub>I</sub>,ServicesInfo).
The fields are encrypted using a key derived from the ETS according to <xref target="figure_swimlane"/>
and <xref target="figure_key_schedule"/>.
- The so-called receiver kem challenge c<sub>R</sub> and the nonce r<sub>I</sub> are computed as:
+ The so-called Receiver KEM Challenge c<sub>R</sub> and the nonce r<sub>I</sub> are computed as:
</t>
<ol>
- <li>(ss<sub>R</sub>,c<sub>R</sub>) <- Encaps(pk<sub>R</sub>)</li>
- <li>r<sub>I</sub> <- RandomUInt64()</li>
+ <li>(ss<sub>R</sub>,c<sub>R</sub>) <- Encaps(pk<sub>R</sub>). Reciver KEM Challenge.</li>
+ <li>r<sub>I</sub> <- RandomUInt64(). Initiator nonce.</li>
</ol>
<t>
R processes the InitiatorHello as follows:
</t>
<ol>
- <li>Verify that the message type is CORE_INITIATOR_HELLO</li>
+ <li>Verify that the message type is CORE_INITIATOR_HELLO. See Message Header.</li>
<li>Verify that H(pk_R) matches R's pk_R.</li>
- <li>(ss<sub>R</sub>,c<sub>R</sub>) <- Decaps(sk<sub>R</sub>, c<sub>R</sub>)</li>
- <li>(ss<sub>e</sub>,c<sub>e</sub>) <- Encaps(pk<sub>e</sub>)</li>
- <li>Generate ETS from <xref target="key_schedule"/> and decrypt pk<sub>I</sub>.</li>
- <li>(ss<sub>I</sub>,c<sub>I</sub>) <- Encaps(pk<sub>I</sub>)</li>
+ <li>(ss<sub>R</sub>,c<sub>R</sub>) <- Decaps(sk<sub>R</sub>, c<sub>R</sub>). Response to Receiver KEM Challenge.</li>
+ <li>(ss<sub>e</sub>,c<sub>e</sub>) <- Encaps(pk<sub>e</sub>). Ephemeral shared secret.</li>
+ <li>Generate ETS from <xref target="key_schedule"/> and decrypt pk<sub>I</sub>. pk<sub>I</sub> and ServicesInfo may be processed now.</li>
+ <li>(ss<sub>I</sub>,c<sub>I</sub>) <- Encaps(pk<sub>I</sub>). Initiator KEM Challenge.</li>
<li>Generate RHTS and RATS from <xref target="key_schedule"/>.</li>
</ol>
<t>
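Review bot: "Reciver" in the new annotation on the first list item is a typo for "Receiver" (the sentence just above spells it "Receiver KEM Challenge"). In the same hunk, the decapsulation step still reads `(ss<sub>R</sub>,c<sub>R</sub>) <- Decaps(sk<sub>R</sub>, c<sub>R</sub>)`, but c<sub>R</sub> is an input to Decaps, not an output, and the later hunk writes the same operation as `ss<sub>e</sub> <- Decaps(sk<sub>e</sub>,c<sub>e</sub>)`; `ss<sub>R</sub> <- Decaps(sk<sub>R</sub>, c<sub>R</sub>)` would be consistent. "See Message Header." is also a bare textual reference where the surrounding text uses `<xref target="..."/>`, so a target on the message header section would make it a resolvable link, and "H(pk_R) matches R's pk_R" uses underscores where every other item uses <sub>.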
@@ -268,8 +268,8 @@ MS | |
R may now generate its ReceiverHello message:
</t>
<ol>
- <li>r<sub>R</sub> <- RandomUInt64()</li>
- <li>Encrypt ServicesInfo and c<sub>I</sub> the key derived from RHTS.</li>
+ <li>r<sub>R</sub> <- RandomUInt64(). Receiver nonce.</li>
+ <li>Encrypt ServicesInfo and c<sub>I</sub> (Initiator KEM Challenge) using RHTS.</li>
<li>Create RFinished as per <xref target="cake_hs_proto"/>.</li>
<li>Encrypt RFinished with RHTS.</li>
<li>Optionally, R may now already send application data encrypted with RATS.</li>
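Review bot: "using RHTS" in the new second step and "Encrypt RFinished with RHTS" two lines below now read as though the traffic secret were used directly as the key, whereas the removed line said "the key derived from RHTS" and the paragraph at the end of this patch states that an encryption key and starting nonce are derived from each traffic secret. Keeping one phrasing ("using the key derived from RHTS") for both steps, and for the RATS step, avoids the ambiguity.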
@@ -278,10 +278,10 @@ MS | |
I processes the message received by R:
</t>
<ol>
- <li>Verify that the message type is CORE_RECEIVER_HELLO</li>
- <li>ss<sub>e</sub> <- Decaps(sk<sub>e</sub>,c<sub>e</sub>)</li>
+ <li>Verify that the message type is CORE_RECEIVER_HELLO. See Message Header</li>
+ <li>ss<sub>e</sub> <- Decaps(sk<sub>e</sub>,c<sub>e</sub>). Ephemeral shared secret.</li>
<li>Generate IHTS and RHTS from <xref target="key_schedule"/> and decrypt ServicesInfo, c<sub>I</sub> and RFinished.</li>
- <li>ss<sub>I</sub> <- Decaps(sk<sub>I</sub>,c<sub>I</sub>).</li>
+ <li>ss<sub>I</sub> <- Decaps(sk<sub>I</sub>,c<sub>I</sub>). Response to KEM Challenge</li>
<li>Create RFinished as per <xref target="cake_hs_proto"/> and check against decrypted payload.</li>
<li>Create IFinished as per <xref target="cake_hs_proto"/>.</li>
<li>Send IFinished message encrypted with the key derived from IHTS to R</li>
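Review bot: the two new annotations do not mirror their counterparts in the first hunk: "See Message Header" lacks the trailing period that the CORE_INITIATOR_HELLO step received, and "Response to KEM Challenge" omits both "Initiator" and the period, so it no longer parallels "Response to Receiver KEM Challenge". Suggest `Verify that the message type is CORE_RECEIVER_HELLO. See Message Header.` and `ss<sub>I</sub> <- Decaps(sk<sub>I</sub>,c<sub>I</sub>). Response to Initiator KEM Challenge.`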
@@ -351,6 +351,13 @@ HKDF-Extract(ss_I,.) = Master Secret (MS)
up until that point.
</t>
<t>
+ Notice that from the very beginning ss<sub>R</sub> is required for the key schedule.
+ This means that R must be able to solve the Receiver KEM Challenge c<sub>R</sub>.
+ Similarly, the master secret (MS) requires knowledge of ss<sub>I</sub>.
+ This means that I must be able to solve the Initiator KEM Challenge c<sub>I</sub>.
+ The KEM Challenges provide the underlying public key authentication mechanism.
+ </t>
+ <t>
When a traffic secret ([I,R][A,H]TS) is used to encrypt data, the respective
encryption key and starting nonce is generated as follows:
</t>
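Review bot: the new paragraph states that the KEM challenges provide the public key authentication mechanism but does not say where each party actually checks that the peer solved its challenge. For I the processing steps above make this visible (the RHTS-encrypted fields only decrypt, and RFinished only verifies, if R derived ss<sub>R</sub>), but the receiver-side steps end at deriving RHTS and RATS and never name the message or check by which R confirms that I obtained ss<sub>I</sub>. One sentence tying each direction of authentication to the corresponding Finished check, with an `<xref target="cake_hs_proto"/>`, would close that gap; the derivation itself could point at `<xref target="key_schedule"/>` rather than being restated in prose.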