[lsd0007] branch master updated: rename


From: gnunet
Subject: [lsd0007] branch master updated: rename
Date: Wed, 10 Jul 2024 16:09:01 +0200

This is an automated email from the git hooks/post-receive script.

martin-schanzenbach pushed a commit to branch master
in repository lsd0007.

The following commit(s) were added to refs/heads/master by this push:
     new f21096e  rename
f21096e is described below

commit f21096e8a401a70999101e73799f1f979996143f
Author: Martin Schanzenbach <schanzen@gnunet.org>
AuthorDate: Wed Jul 10 16:07:57 2024 +0200

    rename
---
 draft-gnunet-communicators.xml | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/draft-gnunet-communicators.xml b/draft-gnunet-communicators.xml
index 0905565..8644e2d 100644
--- a/draft-gnunet-communicators.xml
+++ b/draft-gnunet-communicators.xml
@@ -227,9 +227,9 @@
 <t>
 The general idea when generating an Elligator key pair is is to create both a 
random high-order curve point and a low-order curve point.
 Adding them together results in a curve point 
-that is evenly distributed on the whole Curve25519. Not all Curve25519 points 
are eligible to be used with Elligator for a key exchange. In 
-particular, not all points will have the property that the encoding and 
subsequent decoding result in the original point. The mathematical 
-reasoning is elaborated in <xref target="security_elligator"/>.
+that is evenly distributed on the whole Curve25519.
+Not all Curve25519 points are eligible to be used with Elligator for a key 
exchange. In 
+particular, not all points will have the property that the encoding and 
subsequent decoding result in the original point. The mathematical reasoning is 
elaborated in <xref target="security_elligator"/>.
 To create a valid Curve25519 point that can be used as an 
 ephemeral key, one needs to generate as many curve points until the desired 
property holds.
 Let G be the generator of the prime order group of Ed25519, H the generator of 
the low order subgroup of Ed25519 and EdToCurve() a function 
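
Review bot: The first context line of this paragraph still reads "is is to create"; since the paragraph is being reflowed here anyway, drop the duplicated word in the same change. The sentence "one needs to generate as many curve points until the desired property holds" would also read more cleanly as "one needs to generate curve points until the desired property holds".
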
@@ -245,12 +245,14 @@ KeyGenElligator():
     ED_low := (x mod 8) * H
     ED := ED_high + ED_low
     X := EdToCurve(ED)
-    if Dec(Enc(X)) == X:
+    if ElligatorDec(ElligatorEnc(X)) == X:
       VALID := 1
   return (x, X)
   ]]></artwork>
-       <t>
-       Let A and P be the are parameters for Curve25519 as specified in 
section 4.1 of <xref target="RFC7748"/>.
+  <t>
+    The required encoding and decoding functions are defined in the following.
+    
+       Let A be the parameter for Curve25519 as specified in section 4.1 of 
<xref target="RFC7748"/>.
        Further, let X be a valid x-coordinate of a Curve25519 point, sqrt() a 
function which calculates the square root of the finite field element, U the 
number
        sqrt(-1) which is a non-quadratic number in the finite field, and 
legendre() a function which computes the legendre symbol of a field element. 
        As each of the field elements have two roots, we need to define the 
notion of negative and non-negative numbers. This is especially important for 
the
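
Review bot: The added sentence "Let A be the parameter for Curve25519" drops P, which the removed line introduced together with A; confirm that nothing later in the section still relies on P (the definition of negative and non-negative numbers announced just below is the likely place), or keep it defined. The new <t> also contains a whitespace-only line and uses two different indentation depths between its first sentence and "Let A be the parameter", which is worth normalising.
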
@@ -258,7 +260,7 @@ KeyGenElligator():
        The encoding function used by the elligator encapsulation function in 
<xref target="encaps"/> can be defined as follows:
        </t>
 <artwork name="" type="" align="left" alt=""><![CDATA[
-Enc(X):
+ElligatorEnc(X):
   B := rand(1)
   if B == 1:
     REPR :=  sqrt(-X / ((X + A) * U))
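
Review bot: In ElligatorEnc(X), the line "B := rand(1)" does not say whether the argument counts bits or bytes, and rand() is not among the helper functions (sqrt(), legendre()) introduced in the preceding paragraph; define it there. The context sentence above also spells "elligator encapsulation function" in lower case, while the rest of the visible text writes "Elligator".
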
@@ -271,7 +273,7 @@ Enc(X):
  x-coordinate from the representative is defined below:
  </t>
  <artwork name="" type="" align="left" alt=""><![CDATA[
-Dec(REPR):
+ElligatorDec(REPR):
   V := -A / (1 + U * REPR^2)
   E := legendre(V^3 + A * V^2 + V)
   X := E * V - (1 - E)(A / 2)
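
Review bot: The last visible line of ElligatorDec, "X := E * V - (1 - E)(A / 2)", uses implicit multiplication while the other products in these listings are written with "*". Writing "(1 - E) * (A / 2)" keeps it from being read as a function application.
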
@@ -322,8 +324,8 @@ KDF(A,Z):
         </t>
         <t>
         Let G be the basepoint of Curve25519, EdToCurve() a function which 
converts Ed25519 points to their corresponding Curve25519 points,
-        Enc() Elligator's encoding function,
-        Dec() Elligator's decoding function, "X" the receiver's peer identity 
(a 256-bit EdDSA public key),
+        ElligatorEnc() Elligator's encoding function,
+        ElligatorDec() Elligator's decoding function, "X" the receiver's peer 
identity (a 256-bit EdDSA public key),
         "x" the corresponding secret key, 
         "A" an ephemeral public key (256-bit Curve25519 public key) and 
         "a" the corresponding 256-bit ephemeral secret key. Observe that:
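
Review bot: "A" is introduced in this paragraph as the ephemeral public key, but the paragraph before ElligatorEnc defines A as the Curve25519 parameter from RFC 7748 section 4.1, and both ElligatorEnc and ElligatorDec use it in that sense ("(X + A) * U", "-A / (1 + U * REPR^2)"). "X" has the same problem: it is the x-coordinate argument of ElligatorEnc and the receiver's peer identity here. Since this commit is already a naming cleanup, consider renaming one side of each pair so that a call such as ElligatorEnc(A, ...) cannot be misread.
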
@@ -339,7 +341,7 @@ Z := X25519(a, EdToCurve(X)) = X25519(x, A)
        <artwork anchor="encaps" name="" type="" align="left" alt=""><![CDATA[
 EncapsElligator(X):
   A,MSK := Encaps(X)
-  REPR := Enc(A, rand)
+  REPR := ElligatorEnc(A, rand)
   return REPR, MSK
 
 Encaps(X):
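
Review bot: The renamed call "REPR := ElligatorEnc(A, rand)" passes two arguments, while the definition is "ElligatorEnc(X)" and draws its random bit internally with "B := rand(1)". Either add the randomness parameter to the definition or drop it from the call so the pseudocode is consistent.
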
@@ -350,7 +352,7 @@ Encaps(X):
        ]]></artwork>
        <artwork anchor="decaps" name="" type="" align="left" alt=""><![CDATA[
 DecapsElligator(x, REPR):
-  A := Dec(REPR)
+  A := ElligatorDec(REPR)
   return Decaps(x, A)
 
 Decaps(x, A):
@@ -1444,7 +1446,7 @@ SetupCipher(REC_ID, MSK):
        random number. By observing multiple communication attempts, an 
attacker can be certain that curve points are being sent if the property 
consistently holds. 
        To circumvent this attack, curve points should be encoded into 
property-less numbers, making valid and invalid curve points indistinguishable 
        to an outside observer.
-       The Elligator encoding function "Enc" (also known as the "inverse map") 
and decoding function "Dec" (also known as the "direct map") implement this 
feature. 
+       The Elligator encoding function "ElligatorEnc" (also known as the 
"inverse map") and decoding function "ElligatorDec" (also known as the "direct 
map") implement this feature. 
        </t>
       <t>
       The encoding function is defined for the entire Curve25519. Most modern 
implementations of Curve25519 only generate points from its prime 
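
Review bot: The added sentence quotes the function names as "ElligatorEnc" and "ElligatorDec", whereas the key exchange section writes them as ElligatorEnc() and ElligatorDec(); pick one notation for the whole draft. With the new names, the phrase 'The Elligator encoding function "ElligatorEnc"' also repeats itself and could be shortened to "The encoding function ElligatorEnc()".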

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


