diff options
| author |   trevnoise <noise@trevp.net> | 2018-07-01 03:55:54 +0000 |
|---|---|---|
| committer | trevnoise <noise@trevp.net> | 2018-07-01 03:55:54 +0000 |
| commit | 2cd4d390370651ef6de12a9e89df1ab3bb750f28 (patch) | |
| tree | e9a9e75a07a2d9af95cee8021a671a0d70b37ed9 | |
| parent | Update date (diff) | |
| download | noise-2cd4d390370651ef6de12a9e89df1ab3bb750f28.tar.xz noise-2cd4d390370651ef6de12a9e89df1ab3bb750f28.zip | |
Clarified DH definition so the identity element is an invalid value which may be rejected.
| -rw-r--r-- | noise.md | 15 | ||||
| -rw-r--r-- | output/noise.html | 3 | ||||
| -rw-r--r-- | output/noise.pdf | bin | 384000 -> 384390 bytes |
3 files changed, 11 insertions, 7 deletions
@@ -228,12 +228,13 @@ Noise depends on the following **DH functions** (and an associated constant): on this function must be unsolvable by any practical cryptanalytic adversary [@gapdh]. - The `public_key` either encodes some value in a large prime-order group - (which may have multiple equivalent encodings), or is an invalid value. - Implementations must handle invalid public keys either by returning some - output which is purely a function of the public key and does not depend on - the private key, or by signaling an error to the caller. The DH function - may define more specific rules for handling invalid values. + The `public_key` either encodes some value which is a generator in a large + prime-order group (which value may have multiple equivalent encodings), or + is an invalid value. Implementations must handle invalid public keys + either by returning some output which is purely a function of the public + key and does not depend on the private key, or by signaling an error to + the caller. The DH function may define more specific rules for handling + invalid values. * **`DHLEN`** = A constant specifying the size in bytes of public keys and DH outputs. For security reasons, `DHLEN` must be 32 or greater. @@ -2484,6 +2485,8 @@ The security properties are labelled using the notation from [Section 7.6](#payl * Clarified ciphertext-indistinguishability requirement for AEAD schemes and added a rationale. + * Clarified DH() definition so that the identity element is an invalid value which may be rejected. + * Replaced "fallback patterns" concept with Bob-initiated pattern notation. * Added a new identity-hiding property, and changed identity-hiding property 3 to discuss an identity equality-check attack. diff --git a/output/noise.html b/output/noise.html index e57d234..29e0c26 100644 --- a/output/noise.html +++ b/output/noise.html @@ -176,7 +176,7 @@ <ul> <li><p><strong><code>GENERATE_KEYPAIR()</code></strong>: Generates a new Diffie-Hellman key pair. A DH key pair consists of <code>public_key</code> and <code>private_key</code> elements. A <code>public_key</code> represents an encoding of a DH public key into a byte sequence of length <code>DHLEN</code>. The <code>public_key</code> encoding details are specific to each set of DH functions.</p></li> <li><p><strong><code>DH(key_pair, public_key)</code></strong>: Performs a Diffie-Hellman calculation between the private key in <code>key_pair</code> and the <code>public_key</code> and returns an output sequence of bytes of length <code>DHLEN</code>. For security, the Gap-DH problem based on this function must be unsolvable by any practical cryptanalytic adversary <span class="citation">[<a href="#ref-gapdh">2</a>]</span>.</p> -<p>The <code>public_key</code> either encodes some value in a large prime-order group (which may have multiple equivalent encodings), or is an invalid value. Implementations must handle invalid public keys either by returning some output which is purely a function of the public key and does not depend on the private key, or by signaling an error to the caller. The DH function may define more specific rules for handling invalid values.</p></li> +<p>The <code>public_key</code> either encodes some value which is a generator in a large prime-order group (which value may have multiple equivalent encodings), or is an invalid value. Implementations must handle invalid public keys either by returning some output which is purely a function of the public key and does not depend on the private key, or by signaling an error to the caller. The DH function may define more specific rules for handling invalid values.</p></li> <li><p><strong><code>DHLEN</code></strong> = A constant specifying the size in bytes of public keys and DH outputs. For security reasons, <code>DHLEN</code> must be 32 or greater.</p></li> </ul> <h2 id="cipher-functions">4.2. Cipher functions</h2> @@ -1843,6 +1843,7 @@ XXfallback: <li><p>Removed parenthesized list of keys from pattern notation, as it was redundant.</p></li> <li><p>Added deferred patterns.</p></li> <li><p>Clarified ciphertext-indistinguishability requirement for AEAD schemes and added a rationale.</p></li> +<li><p>Clarified DH() definition so that the identity element is an invalid value which may be rejected.</p></li> <li><p>Replaced "fallback patterns" concept with Bob-initiated pattern notation.</p></li> <li><p>Added a new identity-hiding property, and changed identity-hiding property 3 to discuss an identity equality-check attack.</p></li> <li><p>Clarified the order of hashing pre-message public keys.</p></li> diff --git a/output/noise.pdf b/output/noise.pdf Binary files differindex 31dd1d1..74d46eb 100644 --- a/output/noise.pdf +++ b/output/noise.pdf |