70/eth secpm #626
70/eth secpm #626
Conversation
ETHCHAT.md
Outdated
| @@ -0,0 +1,178 @@ | |||
| --- | |||
| slug: 70 | |||
| title: 70/WAKU2-ETHCHAT | |||
There was a problem hiding this comment.
This would not be specific to Waku. It should be transport agnostic.
We could name it 70/ETH-SECPM. Wdyt?
ETHCHAT.md
Outdated
|
|
||
| ## 1-to-1 version | ||
|
|
||
| In order to extend the protocol to a group chat, one uses an ADKG to replace the X3DH step in the previous combination X3DH + Double Ratchet. |
There was a problem hiding this comment.
since this is the first reference of ADKG, maybe an expansion would be good here!
ETHCHAT.md
Outdated
| The shared key can be then used in any symmetric encryption scheme, such as AES256. | ||
|
|
||
|
|
||
| # Implementation Suggestions |
There was a problem hiding this comment.
Can we also have a section on privacy/security considerations?
ETHCHAT.md
Outdated
|
|
||
| ## Considerations on the X3DH initialization | ||
| This scheme requires working on specific elliptic curves which differ from those used by Ethereum. | ||
| To be precise, Ethereum makes use of the curve secp256k1, whereas X3DH requires either X25519 or X448. For the sake of simplicity we will assume the selected curve is X25519. |
There was a problem hiding this comment.
In this specification we should chose a specific curve (not assume), or explicitly allow for negotiation / leave the curve generic. I'd choose a fixed curve to avoid the negotiation overhead (in noise fashion).
There was a problem hiding this comment.
Yes, I also prefer specifying the curve.
ETHCHAT.md
Outdated
|
|
||
| $$ IK = ik \cdot G $$ | ||
|
|
||
| The scheme X3DH will also require the generation of a public key SPK which will be generated repeating the above process: one takes $spk \in \mathbb{Z}_p$ a secret random integer and computes: |
There was a problem hiding this comment.
Why the S in SPK. Should briefly mention that here.
There was a problem hiding this comment.
I added a few more lines on that.
ETHCHAT.md
Outdated
| SPK is a public key generated and stored at medium-term. It is called a signed prekey because Bob also needs to store a public key certificate of SPK using IK. | ||
| Both signed prekey and the certificate must undergo periodic replacement, a process that entails the generation of a fresh signed prekey. | ||
| After replacing the key, Bob keeps the old private key of SPK for a short time, in order to be able to decrypt delayed messages. | ||
| It is important that he deletes the old keys after that short period of time. This action is pivotal for ensuring forward secrecy, as these keys are integral for recalculating the shared secret employed in decrypting historical messages. |
There was a problem hiding this comment.
| It is important that he deletes the old keys after that short period of time. This action is pivotal for ensuring forward secrecy, as these keys are integral for recalculating the shared secret employed in decrypting historical messages. | |
| It is important that he deletes the old keys after that short period of time. | |
| This action is pivotal for ensuring forward secrecy, | |
| as these keys are integral for recalculating the shared secret employed in decrypting historical messages. |
Are we specifying the "short period of time" in recommendations somewhere?
There was a problem hiding this comment.
Nope to be honest. Let me have a thought on that.
There was a problem hiding this comment.
Made some amendments on this topic. Signal's documentation requires "frequent updating" of SPKs, so I assume that it depends on the implementation. The most important fact, and I included it in the RFC, is that one should not reuse SPK.
ETHCHAT.md
Outdated
| @@ -0,0 +1,201 @@ | |||
| --- | |||
There was a problem hiding this comment.
this file should go into content/docs/rfcs/70 as README.md, and create a corresponding index in content/menu/index.md
ETHCHAT.md
Outdated
|
|
||
| ## Using X3DH in Double Ratchet | ||
|
|
||
| According to the specifications [https://signal.org/docs/specifications/doubleratchet/](https://signal.org/docs/specifications/doubleratchet/) |
There was a problem hiding this comment.
| According to the specifications [https://signal.org/docs/specifications/doubleratchet/](https://signal.org/docs/specifications/doubleratchet/) | |
| According to the [signal specifications](https://signal.org/docs/specifications/doubleratchet/) |
There was a problem hiding this comment.
All links should be like this: showing an expressive name, hiding the URL.
You can check other RFCs for that. We can also go over this in the upcoming meeting.
ETHCHAT.md
Outdated
|
|
||
| Once this initialization has been set, Alice and Bob can start exchanging messages with forward secrecy and authentication. | ||
|
|
||
| ## Considerations with regards to the Noise protocol |
There was a problem hiding this comment.
| ## Considerations with regards to the Noise protocol | |
| ## Specification as a Noise protocol |
ETHCHAT.md
Outdated
|
|
||
| When it comes to the KDF ratchet, | ||
| and the associated encryption process does not correspond exactly to any particular Noise pattern, | ||
| but one observes that KDF and encryption/decryption functions considered by the double ratchet protocol are included in Noise: |
There was a problem hiding this comment.
This sentence is gramatically odd. It is not obvious what is meant here.
Please rephrase 🙏
There was a problem hiding this comment.
I simplified the explanations.
ETHCHAT.md
Outdated
|
|
||
| Using the above approach leads to a situation where a group of users can set a group for 1-to-1 messages, meaning that any group member external to a communication between any other two members will not be able to read the contents of the messages. | ||
|
|
||
| An approach to generalize this situation to the setting of a group of users exchanging messages without any kind of restriction is using asynchornous ratcheting trees such ([https://eprint.iacr.org/2017/666](https://eprint.iacr.org/2017/666)) where a group of people can derive a shared secret key even in the event of if no two users are ever online at the same time. |
There was a problem hiding this comment.
| An approach to generalize this situation to the setting of a group of users exchanging messages without any kind of restriction is using asynchornous ratcheting trees such ([https://eprint.iacr.org/2017/666](https://eprint.iacr.org/2017/666)) where a group of people can derive a shared secret key even in the event of if no two users are ever online at the same time. | |
| An approach to generalize this situation to the setting of a group of users exchanging messages without any kind of restriction is using asynchornous ratcheting trees such as ([https://eprint.iacr.org/2017/666](https://eprint.iacr.org/2017/666)) where a group of people can derive a shared secret key even in the event of if no two users are ever online at the same time. |
ETHCHAT.md
Outdated
| - The DKG suggested makes assumes the existence of a PKI. In case of requiring removing such assumption, one can replace the VSS scheme with the Alhaddad, Varia, and Zhang’s proposal ([https://eprint.iacr.org/2021/118](https://eprint.iacr.org/2021/118)) at the price of increasing the complexity. | ||
| - The output of the DKG may be an integer (modulo a prime), meaning that one should apply a KDF to that output in order to obtain a result which could be used as an input for the double ratchet. | ||
| - This approach share similarities with Farcaster’s point of view ([https://github.com/farcasterxyz/protocol/discussions/99](https://github.com/farcasterxyz/protocol/discussions/99)). | ||
|
|
There was a problem hiding this comment.
This are not really implementation considerations and should be part of the spec above.
ETHCHAT.md
Outdated
| - https://github.com/sourav1547/htadkg | ||
| - https://github.com/farcasterxyz/protocol/discussions/99 | ||
|
|
||
|
|
There was a problem hiding this comment.
All links should be of the format:
20/TOY-ETH-PM
see comment above.
ETHCHAT.md
Outdated
| - XEdDSA for digital signatures involved in the X3DH key generation. | ||
| - SHA256 for hashing and the generation of HMACs. | ||
| - AES256-CBC for the encryption/decryption of messages. | ||
|
|
There was a problem hiding this comment.
Are these algorithms strict, or is it possible to choose one like a cipher suite like in TLS?
There was a problem hiding this comment.
They would be fixed.
Noise allows you to instantiate specific handshake protocols, with a fixed cipher suite.
The choosing happens in the design phase of the respective protocol.
ETHCHAT.md
Outdated
|
|
||
| Before sending an initial message to Bob, Alice will generate an AD vector as described in the documentation: | ||
|
|
||
| $$ AD = Encode(IK_A)|| Encode(IK_B) $$ |
There was a problem hiding this comment.
Should we specify what is the Encoding function?
ETHCHAT.md
Outdated
|
|
||
| $$ AD = Encode(IK_A)|| Encode(IK_B) $$ | ||
|
|
||
| Alice will also need to generate ephemeral key pairs (ek, EK) following the above mechanisms, that is: ek is a random integer modulo p, and EK is the associated public key obtained from the produc |
There was a problem hiding this comment.
Do we need to explain that modulo p is the modulo of X448?
There was a problem hiding this comment.
Would be even better to make that explicit :). Yes.
ETHCHAT.md
Outdated
|
|
||
| $$ AD = Encode(IK_A)|| Encode(IK_B) $$ | ||
|
|
||
| Alice will also need to generate ephemeral key pairs (ek, EK) following the above mechanisms, that is: ek is a random integer modulo p, and EK is the associated public key obtained from the produc |
There was a problem hiding this comment.
| Alice will also need to generate ephemeral key pairs (ek, EK) following the above mechanisms, that is: ek is a random integer modulo p, and EK is the associated public key obtained from the produc | |
| Alice will also need to generate ephemeral key pairs (ek, EK) following the above mechanisms, that is: ek is a random integer modulo p, and EK is the associated public key obtained from the product |
ETHCHAT.md
Outdated
| This function will have inputs the secret key of the user running the function, and the public key of the external user. | ||
| Receiver and sender MUST generate valid key pairs, i.e. points of the X448, using the Noise function GENERATE_KEYPAIR(). | ||
|
|
||
| The KDF ratchet and the associated encryption protocols used by the double ratchet are also included by the Noise framework: |
There was a problem hiding this comment.
Do we need to write the long form of KDF as a Key Derivation Function?
|
@ramsesfv Currently, this PR adds a file names ETHCHAT.md to the root folder. You can look at the other RFCs as an example. (Please move the file within this pull request and do not open a new one.) |
There was a problem hiding this comment.
Thank you for the continued work on this RFC :).
There is still a lot to develop here, in specific going more towards a Noise protocol useing the proper noise primitives as discussed.
However, for a first raw version, this is good to merge (the commits have to be signed for that to work),
and can serve as a basis for discussion.
Let's open a follow up draft PR right away to continue improving this spec.
Raw version of the RFC on the Ethereum messaging service
Co-authored-by: kaiserd <1684595+kaiserd@users.noreply.github.com>
Co-authored-by: kaiserd <1684595+kaiserd@users.noreply.github.com>
Co-authored-by: kaiserd <1684595+kaiserd@users.noreply.github.com>
Co-authored-by: kaiserd <1684595+kaiserd@users.noreply.github.com>
Co-authored-by: kaiserd <1684595+kaiserd@users.noreply.github.com>
Co-authored-by: kaiserd <1684595+kaiserd@users.noreply.github.com>
Co-authored-by: kaiserd <1684595+kaiserd@users.noreply.github.com>
Co-authored-by: kaiserd <1684595+kaiserd@users.noreply.github.com>
Co-authored-by: kaiserd <1684595+kaiserd@users.noreply.github.com>
Co-authored-by: Aaryamann Challani <43716372+rymnc@users.noreply.github.com>
Co-authored-by: Aaryamann Challani <43716372+rymnc@users.noreply.github.com>
Co-authored-by: Aaryamann Challani <43716372+rymnc@users.noreply.github.com>
Co-authored-by: Aaryamann Challani <43716372+rymnc@users.noreply.github.com>
Co-authored-by: seugu <99656002+seugu@users.noreply.github.com>
Co-authored-by: seugu <99656002+seugu@users.noreply.github.com>
Co-authored-by: seugu <99656002+seugu@users.noreply.github.com>
Co-authored-by: seugu <99656002+seugu@users.noreply.github.com>
Co-authored-by: seugu <99656002+seugu@users.noreply.github.com>
Co-authored-by: kaiserd <1684595+kaiserd@users.noreply.github.com>
Signed-off-by: ksr <kaiserd@users.noreply.github.com>
| --- | ||
| slug: 70 | ||
| title: 70/ETH-SECPM | ||
| name: Private 1:1 messages over Ethereum |
There was a problem hiding this comment.
The aim of the RFC is not to "Send message over Ethereum" but to setup a secure channel based on the cryptographic data available to Ethereum users right?
I'd recommend to change the title to:
Secure channel setup using Ethereum account
Or
Private 1:1 messages for Ethereum users
or anything in this domain.
|
|
||
| Alice wants to send an encrypted message to Bob. | ||
| Here Bob is the only individual able to decrypt the message. | ||
| Alice has access to Bob’s Ethereum address. |
There was a problem hiding this comment.
would change has access to knows as some could misinterpret it.
|
|
||
| ## Considerations on the X3DH initialization | ||
| This scheme requires working on specific elliptic curves which differ from those used by Ethereum. | ||
| To be precise, Ethereum makes use of the curve secp256k1, whereas X3DH requires either X25519 or X448. For security reasons one must work on the curve X448. |
There was a problem hiding this comment.
For security reasons one must work on the curve X448.
What are these reasons?
| Bob will not be able to use his Ethereum public key during this stage due to incompatibilities with the involved elliptic curves, therefore it will be required to generate new keys. | ||
| This can be done using the basepoint $G$ for X448 and $ik \in \mathbb{Z}_p$ a random integer: | ||
|
|
||
| $$ IK = ik \cdot G $$ |
There was a problem hiding this comment.
Math rendering does not work. @jinhojang6 can you assist?
| This scheme requires working on specific elliptic curves which differ from those used by Ethereum. | ||
| To be precise, Ethereum makes use of the curve secp256k1, whereas X3DH requires either X25519 or X448. For security reasons one must work on the curve X448. | ||
|
|
||
| Bob and Alice must define a key pair (ik, IK) where: |
There was a problem hiding this comment.
We use RFC 2119 ("MUST"): https://rfc.vac.dev/spec/1/#language
| This scheme requires working on specific elliptic curves which differ from those used by Ethereum. | ||
| To be precise, Ethereum makes use of the curve secp256k1, whereas X3DH requires either X25519 or X448. For security reasons one must work on the curve X448. | ||
|
|
||
| Bob and Alice must define a key pair (ik, IK) where: |
There was a problem hiding this comment.
do they need to define a key pair together or a key pair each?
|
|
||
| X3DH has three phases: | ||
|
|
||
| 1. Bob publishes his identity key and prekeys to a server, or dedicated smart contract. |
There was a problem hiding this comment.
or network
Maybe we can define the terminlogy "location" and specific that it may refer to a server, a smart contract or a decentralized system that enable storage and retrieval of data.
| 2. Alice fetches a "prekey bundle" from the server, and uses it to send an initial message to Bob. | ||
| 3. Bob receives and processes Alice's initial message. | ||
|
|
||
| One observes that, at the beginning of the protocol, the receiver gets the public key through a server, a smart contract in our situation, together with an encrypted ephemeral key. |
There was a problem hiding this comment.
Not sure what is referred to here "in our situation"
|
|
||
| ## Ephemeral data | ||
|
|
||
| Storing ephemeral data on Ethereum can be done using a combination of on-chain and off-chain solutions. |
There was a problem hiding this comment.
How ephemeral we are talking? is that the prekey bundle? could Waku be used?
|
|
||
| ## Interaction with Ethereum | ||
|
|
||
| Storing static data is done using a dedicated smart contract *PublicKeyStorage* which associates the Ethereum wallet address of a user with his public key. |
There was a problem hiding this comment.
While this what is done with Status, using ENS. I am not convinced this is the only viable solution.
I'd recommend to have a more agnostic approach. Similar to what is done in the "static data" paragraph where several solutions are proposed.
| - https://signal.org/docs/specifications/doubleratchet/ | ||
| - https://eprint.iacr.org/2022/1389 | ||
| - https://github.com/sourav1547/htadkg | ||
| - https://github.com/farcasterxyz/protocol/discussions/99 |
There was a problem hiding this comment.
How was the work here used? I don't think it was explicitly mentioned in the doc.
No description provided.