Comments (8)
ROM-based DRE
Random Oracle Model based Dual Receiver Encryption (hereinafter referred to DRE) is a hybrid public key encryption scheme which enables a ciphertext to be decrypted by two independent
receivers. Anyone who has the public keys can verify the plaintext equivalence without any of the secret keys.
The DRE scheme consists of three functions:
- pk, sk = DRGen(), a key generation function
- γ = DREnc(pk1, pk2, m), an encryption function
- m = DRDec(pk1, pk2, sk_i, γ), a decryption function
DRE in OTRv4 consists of the Cramer-Shoup cryptosystem and a NIZKPK.
from otrv4.
Setup
In the Cramer-Shoup scheme, we have a group G
with prime order q
. In OTRv4, we choose Ed25519 as our group G
.
We select the following two element (in bytes encode of ed25519) as generators from G
:
g1 = 662e951dcd1ed163d4b75e8206a34f5fbdfe0c5f394d35b63f7855bdeb938a46
g2 = e11ef81fc08128bf0965b3b9ea00d17f751d1dca18170432144661f4aca4f0fd
Regarding Ed25519 group operations, we use *
to represent PointAddition, and ^
to represent ScalarMultiplication in the following definitions.
from otrv4.
Dual Receiver Key Generation: DRGen()
As in Creamer Shoup scheme.
- Randomly choose
x1, x2, y1, y2, z
inZq
. - Compute group elements
c = g1^x1 * g2^x2
,d = g1^y1 * g2^y2
,h = g1^z
. - The public key is
pk = {c, d, h}
and the secret key issk = {x1, x2, y1, y2, z}
.
from otrv4.
Dual Receiver Encryption: DREnc(pk_1, pk_2, m)
pk_1
and pk_2
are the Cramer-Shoup public key of two receivers.
m
is the message to be encrypted using a random AES-OCB key K
.
K
is itself encrypted twice using Cramer-Shoup (once for each public key).
NIZKPK of plaintext equality ensures that both Cramer-Shoup ciphertexts are encryptions of the same K
.
To do the DREnc, we need to:
- Choose
K
,k_1
,k_2
randomly fromZq
- For
i ∈ {1,2}
encryptK
withk_i
andpk_i
, use CramerShoup:pk_i
is interpreted as{c_i,d_i,h_i}
- Compute
u_1i = g1^k_i
,u_2i = g2^k_i
,e_i = (h_i^k_i) * K
- Compute
α_i = decodeIntEd25519_big-endian(SHA-3_256(u_1i, u_2i, e_i))
- Compute
v_i = (c_i^k_i) * (d_i^(k_i * α_i))
- The message
m
is encrypted usingφ = AEncK(m)
, whereAEncK
denotes an encryption under keyK
using an implementation-defined cryptosystem with IND-CCA2 security (ciphertext indistinguishability-adaptive chosen cipher text security), such as crypto secretbox from the NaCl library, or AES-256 in OCB or an equivalent unpatented mode. // TODO: find out which one is the best. - The NIZKPK is produced by:
- For
i ∈ {1,2}
, generate random valuet_i
inZq
. ComputeT_1i = g1^t_i
,T_2i = g2^t_i
,T_3i = (c_i * (d_i^α_i))^t_i
andT_4 = (h_1^t_1) / (h_2^t_2)
// TODO: how to do division - Compute
L = SHA-3_256(g1 ∥ g2 ∥ q ∥ pk_1 ∥ pk_2 ∥ u_11 ∥ u_21 ∥ e_1 ∥ v_1 ∥ α_1 ∥ u_12 ∥ u_22 ∥ e_2 ∥ v_2 ∥ α_2 ∥ T_11 ∥ T_21 ∥ T_31 ∥ T_12 ∥ T_22 ∥ T_32 ∥ T_4 ∥ Φ)
. Φ is any session-specific protocol state available to both parties in the higher-level protocol, and H2 is a cryptographic hash function modeled by a random oracle. // TODO: find out the session-specific protocol state. - For
i ∈ {1,2}
computen_i = t_i - L * k_i (mod q)
// TODO: how to do subtraction
- For
Result: γ = (u_11, u_21, e_1, v_1, u_12, u_22, e_2, v_2, L, n_1, n_2, φ)
.
from otrv4.
Dual Receiver Decryption: DRDec(pk_1, pk_2, sk_i, γ):
- Parse
γ
to retrieve componentsγ = (u_11, u_21, e_1, v_1, u_12, u_22, e_2, v_2, L, n_1, n_2, φ)
. - Verify NIZKPK,
- for
j ∈ {1,2}
:α'_j = SHA256(u1_j ∥ u_2j ∥ e_j)
T'_1j = (g1^n_j) * (u_1j^L)
T'_2j = (g2^n_j) * (u_2j^L)
T'_3j = (c_j * (d_j^a'_j))^n_j * (v_j^L)
T'_4 = ((h1^n1) /( h2^n2)) * ((e1 / e2)^L)
- Compute
L' = SHA-3_256(g1 ∥ g2 ∥ q ∥ pk_1 ∥ pk_2 ∥ u_11 ∥ u_21 ∥ e_1 ∥ v_1 ∥ α'_1 ∥ u_12 ∥ u_22 ∥ e_2 ∥ v_2 ∥ α'_2 ∥ T'_11 ∥ T'_21 ∥ T'_31 ∥ T'_12 ∥ T'_22 ∥ T'_32 ∥ T'_4 ∥ Φ)
. - Verify
L ≟ L'
- for
- Verify Cramer-Shoup
((u_1i^x_1i) * (u_2i^x_2i)) * (((u_1i^y_1i) * (u_2i^y_2i))^α'_i) ≟ v_i
- Recover secret key by
K = (e_i )/ (u1_i^z_i)
.
Receiver can now recover m
by ADecK(φ)
, where ADecK
refers to the decryption routine under key K
corresponding to AEncK
.
from otrv4.
TO DO:
- Make this human readable but keep somewhere else this explanation: clarified on the draft.
- Be consistent in notation.
- Find out how to do subtraction and division: We can use inverse of a point to do this.
- Do we really need an appropriate implementation-defined cryptosystem with IND-CCA2 security? We need to encrypt
"I"||"R"||g1^i||g1^r
. // @tcz001 OK - Find an appropriate implementation-defined cryptosystem with IND-CCA2 security: secretbox from NaCl is pretty straightforward. Secretbox uses XSalsa20 and Poly1305 to encrypt and authenticate messages with secret-key cryptography. AES-256 in OCB can be used freely in software not developed and not sold inside the US or licensed under the GNU General Public License: XSalsa20 and Poly1305.
- Find a one-way hash function: As stated by Bruce Schneier in Applied Criptography (pag. 455), the SHA family seems like a good choice. Choosing here SHA-3_256. It will be target collision resistant. At least 'kill SHA1 with fire and use SHA3', as stated here.
- Find out what a hash function is modeled by a random oracle. It will be: collision-resistance, preimage resistance and have the pseudorandom function property, as defined here by Koblitz and Menezes. Chosing SHA-3_256, following definitions on Introduction to Modern Cryptography (pag. 178) by Katz and Lindell.
- Explain SHA-3 properties.
- Find out how to slice the output of SHA-3_256.
- Find out the session-specific protocol state: not using, is that ok?
The ≟ denotes 'questioned equal to', following Minkowski's question mark function. Means 'not yet demonstrated to be equal to'.
from otrv4.
Another TODO:
Quoting "Improved Techniques for Implementing Strongly Deniable Authenticated Key Exchanges", in ROM DRE section:
All hash functions used in this paper output values in Zq.
We need to define how to decode an array of bytes (the output of the hash) into a (big) number and reduce it modulo q
. Ed448 reference implementation uses a barret-reduction for this, and assumes the array of bytes is a number in a specific endianness (I can't remember which).
from otrv4.
About the hash function output:
for ed25519, we can use the decodeint function to deserialize a 256 bit length data, which will convert the SHA3-256 output into a scalar in Zq
.
from otrv4.
Related Issues (20)
- Check that we are advising to queue messages in the correct places
- Recover rights of github.com/off-the-record and update HOT 6
- Where to find Double Ratchet implementation in libotr-ng HOT 2
- Issue in `ECDH(a, B)` with check calculating shared secret? HOT 1
- When should we delete skipped_MKenc? HOT 1
- Create a contributing document
- Migrate to gitlab HOT 5
- Create a CONTRIBUTING page
- Synchronize with gitlab instance HOT 12
- Key Registration with Knowledge HOT 1
- Create a plan for 2020 in relationship with the new outcomes as defined in some meetings HOT 2
- Conversations Legacy has been removed HOT 4
- Update for Psi and Psi+ in Wiki page HOT 5
- Clarify what it means to "Send new Auth-R message with new values"
- Add an extension TLV to upgrade to v4 HOT 11
- Application/protocol-specific TLVs
- [Idea] PSK-authenticated fingerprint verification
- http://bugs.otr.im/otrv4/otrv4 is down. HOT 3
- Status of the OTRv4 specification HOT 1
- Concerns regarding verification of generated shared secret (identity checking)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from otrv4.