
Rosenpass Protocol Version 2 #145

Open

wants to merge 22 commits into base: main

Conversation

koraa (Member) commented Nov 5, 2023

TODOs (Karolin):


Blockers:


Todo Marei (please do not work on those yet):

  • Make sure the "References" section appears in the toc
  • "Version history" chapter should not get its own number
  • Move Fig1 to front page, page 2 shared between TOC and Fig 2?
  • The list in "Cryptographic building blocks" might need some work to look decent. Maybe the acronym on the left, name of the scheme right and flushed right ref to the spec, Version of the scheme, description?

Todo Mullana (please do not work on these yet):

  • Add a abort_initiator_handshake() call as ICR8 in the protocol steps graphic

  • Figure 2: Add a note to the bottom saying "All numeric values are in little-endian format"

  • Figure 3: Add short codes from Fig 4; IHI1/IHR1 etc

  • Figure 3: Add a note pointing people to fig 4 for details about security levels achieved and for the code to use this tree

  • Figure 3: Introduce a special symbol for the mix, then value sequence and maybe a "zoomed in" explanation.

  • Figure 4: Get rid of semicolons

  • Figure 4: ct1 with sctr in IHR5

  • Figure 4: Add a step RHI8 to erase the ephemeral secret keys

    | Initiator line | Initiator code | Responder line | Responder code | Comment |
    |---|---|---|---|---|
    | RHI8 | erase(eski) | RHR8 | | Erase the ephemeral secret key to achieve forward secrecy. Implementations may defer execution of RHR8 until completion of the handshake (after ICI7) before transmission of InitConf. |
  • Figure 4: Add a box with a table indicating when security properties are reached:

    | Property | Reached after | Comment |
    |---|---|---|
    | Secrecy | IHI5/IHR5 | Based on sskr/spkr (the responder's static key pair) |
    | Responder authentication | RHI7 | Responder authentication is reached after the initiator processes the complete RespHello message. The crucial step is proving that the responder was able to decapsulate the secret encrypted with their static public key (IHR5). This confirmation is produced by the responder in RHR7 and checked in RHI7. |
    | Initiator authentication | ICR5 | This works similar to responder authentication. In RHI5 the initiator decapsulates a secret with their static secret key; they provide a confirmation in ICI4, this confirmation is checked in ICI5. Final confirmation is achieved after biscuit replay detection in ICI5. |
    | Forward secrecy | RHI8 | The initiator generates a fresh ephemeral keypair before the handshake; the responder encapsulates a random secret in RHR4 and the initiator decapsulates it in RHI4. Forward secrecy is achieved after the ephemeral secret key is securely erased in RHR8. |

/cc @stv0g

Fixes: #68

…d secrecy

This is a minor security fix: Before this change the specification left erasing the secret key to the implementation. The reference implementation did erase `eski` but only after receiving the responder confirmation package (EmptyData at the time) instructing the initiator to stop retransmission of the InitConf package. With this change, `eski` is erased before transmission of the InitConf package.
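The erase-before-transmit ordering from this commit message and from the forward-secrecy row of the table above, as an added example that is not Rosenpass code: a hypothetical, stripped-down initiator that zeroizes `eski` at RHI8 before InitConf is first sent, and serves InitConf retransmissions from a cached copy because the ephemeral key no longer exists. The XOR "derivation" and the byte values are constructed placeholders, not the real key schedule.

```rust
// Added example, not Rosenpass code: a hypothetical initiator showing the RHI8
// ordering (erase eski before InitConf is first transmitted) and that InitConf
// retransmissions must be served from a cache rather than re-derived.
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Zero a secret buffer with volatile writes so the stores are not optimized away.
fn zeroize(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusively borrowed u8.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

pub struct Initiator {
    eski: Option<Vec<u8>>,      // ephemeral secret key; lives only until RHI8
    init_conf: Option<Vec<u8>>, // cached InitConf bytes for retransmission
}

impl Initiator {
    pub fn new(eski: Vec<u8>) -> Self {
        Initiator { eski: Some(eski), init_conf: None }
    }

    /// Stand-in for RHI4..RHI8: consume RespHello, derive InitConf, erase eski.
    /// The XOR "derivation" is a toy placeholder, not the real key schedule.
    pub fn process_resp_hello(&mut self, resp_hello: &[u8]) -> Result<Vec<u8>, &'static str> {
        if resp_hello.is_empty() { return Err("empty RespHello"); }
        let eski = self.eski.as_mut().ok_or("eski already erased (RespHello after RHI8)")?;
        let conf: Vec<u8> = eski.iter().zip(resp_hello.iter().cycle()).map(|(a, b)| a ^ b).collect();
        zeroize(eski); // RHI8: erase before InitConf ever leaves the host
        self.eski = None;
        self.init_conf = Some(conf.clone());
        Ok(conf)
    }

    /// Retransmission never touches eski; it replays the cached message.
    pub fn retransmit_init_conf(&self) -> Option<&[u8]> { self.init_conf.as_deref() }

    pub fn has_ephemeral_secret(&self) -> bool { self.eski.is_some() }
}

fn main() {
    let mut init = Initiator::new(vec![1, 2, 3, 4]); // constructed toy eski
    let conf = init.process_resp_hello(&[0xff, 0x00]).unwrap(); // constructed RespHello
    println!("InitConf {:?}, eski erased: {}", conf, !init.has_ephemeral_secret());
    println!("retransmit: {:?}", init.retransmit_init_conf());
}
```

A second RespHello after RHI8 is rejected rather than re-deriving InitConf, which is exactly why the initiator must keep the cached message for retransmission.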
Fix a typo "key chaining extract" -> "chaining key extract"; "key chaining init" -> "chaining key init"
Issue: #68 (#68)

initiator handshake encryption -> initiator session encryption
responder handshake encryption -> responder session encryption
Issue: #91 (#91)

Add version info to whitepaper

This uses a release candidate of liboqs and a patched version of the
oqs-sys rust crate. We should wait until a proper release is done.
koraa force-pushed the dev/karo/protocol-version-2 branch from cb79849 to 87cbd1e on November 16, 2023 16:32
Successfully merging this pull request may close these issues: Whitepaper proof read