commit ef8e3b26b9af4ec404d71449cbc8fc576d13d550
parent 246138fd03fa47f611850b2ceb2ee7e9177c5ecc
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Wed, 2 Apr 2025 20:21:24 +0200
clarifications
Diffstat:
1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/draft-schanzen-cake.xml b/draft-schanzen-cake.xml
@@ -188,10 +188,10 @@ sk_e | |
ES,ETS | |
| |
| InitiatorHello: |
- | EphemeralKey |
- | ReceiverKemChallenge |
- | InitiatorNonce |
- | InitiatorPkHash |
+ | pk_e |
+ | c_R |
+ | r_I |
+ | H(pk_R) |
| {pk_I} |
| {ServicesInfo} |
+---------------------------------------------->|
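Review bot: The new field H(pk_R) in the InitiatorHello list does not say which hash function H is; the only hint in this patch is the "(512 bit)" label in the wire-format figure further down. Name the hash function where H is first used, or add a short legend under the swimlane that maps pk_e, c_R, r_I and H(pk_R) to the descriptive field names they replace, so the figure can still be read without the surrounding text.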
@@ -203,10 +203,10 @@ ES,ETS | |
| | [I,R]HTS
| | RATS
| ReceiverHello: |
- | HandshakeKemCiphertext |
- | ReceiverNonce |
+ | c_e |
+ | r_R |
| {ServicesInfo} |
- | {InitiatorKemChallenge} |
+ | {c_I} |
| {ReceiverFinished} |
| *[Application Payload] |
|<----------------------------------------------+
@@ -238,15 +238,18 @@ MS | |
The reason why this works is because CAKE groups the messages in row 3 of Table 1 in <xref target="RFC9147" section="5.7"/> into a single message (ReceiverHello).
Hence the only message that is sent without any expected response (and consequently requiring an explicit
ACK) is InitiatorFinished (and KeyUpdate).
+ N<sub>I</sub> is a nonce generated by the initiator.
+ N<sub>R</sub> is a nonce generated by the receiver.
</t>
<t>
The Initiator creates the InitiatorHello message which includes the encrypted tuple (pk<sub>I</sub>,ServicesInfo).
The fields are encrypted using a key derived from the ETS according to <xref target="figure_swimlane"/>
and <xref target="figure_key_schedule"/>.
- The ReceiverKemChallenge is computed as:
+ The so-called receiver kem challenge c<sub>R</sub> and the nonce r<sub>I</sub> are computed as:
</t>
<ol>
<li>(ss<sub>R</sub>,c<sub>R</sub>) <- Encaps(pk<sub>R</sub>)</li>
+ <li>r<sub>R</sub> <- RandomUInt64()</li>
</ol>
<t>
R processes the InitiatorHello as follows:
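Review bot: The added list item "r<sub>R</sub> <- RandomUInt64()" assigns r_R, but it sits under the InitiatorHello lead-in that now reads "the nonce r<sub>I</sub> are computed as", so the item should assign r_I. The two sentences added above it also name the nonces N<sub>I</sub> and N<sub>R</sub>, while the figures changed in this patch use r_I and r_R. Pick one notation and use it in both the text and the figures.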
@@ -466,26 +469,26 @@ nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 12)
<artwork name="" type="" align="left" alt=""><![CDATA[
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
- | EphemeralKey |
+ | pk_e |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
- | InitiatorKemChallenge |
+ | c_R |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
- | ReceiverPeerID Hash (512 bit) |
+ | H(pk_R) (512 bit) |
/ /
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
- | Nonce |
+ | r_I |
+-----+-----+-----+-----+-----+-----+-----+-----+
/ {pk_I,ServicesInfo} /
]]></artwork>
</figure>
<t>
- The InitiatorKemChallenge is generated according to <xref target="figure_key_schedule"/> using:
+ The initiator kem challenge c<sub>R</sub>is generated according to <xref target="figure_key_schedule"/> using:
</t>
<ol>
<li>(ss<sub>R</sub>,c<sub>R</sub>) <- Encaps(pk<sub>R</sub>)</li>
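Review bot: The changed sentence calls c<sub>R</sub> the "initiator kem challenge", while the earlier hunk in this same patch calls the same symbol the "receiver kem challenge". Use one name for c_R throughout. The changed line is also missing a space in "c<sub>R</sub>is". Since r_I now appears as a field in this figure, consider repeating or referencing the step that generates it here, as is done for c_R.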
@@ -505,14 +508,14 @@ nonce = HKDF-Expand ([I,R][A,H]TS, "iv", 12)
<artwork name="" type="" align="left" alt=""><![CDATA[
0 8 16 24 32 40 48 56
+-----+-----+-----+-----+-----+-----+-----+-----+
- | HandshakeKemCiphertext |
+ | c_e |
| |
| |
| |
+-----+-----+-----+-----+-----+-----+-----+-----+
- | Nonce |
+ | r_R |
+-----+-----+-----+-----+-----+-----+-----+-----+
- / {ServicesInfo,ReceiverKemCiphertext,Finished} /
+ / {ServicesInfo,c_I,Finished} /
]]></artwork>
</figure>
<t>
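Review bot: The encrypted tuple on the last changed line reads "{ServicesInfo,c_I,Finished}", but the ReceiverHello swimlane in this patch lists the same element as "{ReceiverFinished}". Use ReceiverFinished here as well, so the figure cannot be confused with InitiatorFinished. The r_R row is one 64-bit row, which matches a RandomUInt64() nonce, so it is worth stating that generation step for r_R in the ReceiverHello text.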