General encryption #75

Merged
merged 22 commits into from
Jan 25, 2024
Conversation

mpretty-cyro
Collaborator

@mpretty-cyro mpretty-cyro commented Dec 12, 2023

This PR exposes all cryptography functions used by the session clients so they can remove direct dependencies on Sodium.

Note: This is based on #74

mpretty-cyro and others added 5 commits December 13, 2023 09:49
The 25 blinding encryption design had a flaw in that it used

    H(a(kB) || kA || kB)

as the shared secret, and then assumed that the other side could
compute `kbA || kA || kB`, but with 25 blinding that doesn't
work because *each side* has a different `k` value (since k depends on
both the server_id and the session_id), so this was actually computing:

    H(a(jB) || kA || jB)

when encrypting, and

    H(b(kA) || kA || jB)

when decrypting (where `j` is B's blinding factor).  This amends the
encryption to instead use:

    H(ak(jB) || kA || jB)

for encryption and

    H(bj(kA) || kA || jB)

for decryption, which works because we end up with `kjaB` or `kjbA` for
the first term, which are equal (since `aB == bA`).

This also makes various other small fixes and improvements along the way
to the encryption code to get the 15 and 25 encryption and decryption
tests working (and to make the code a bit easier):

- The hex version of blind15_id now returns a pair of the two
  alternative ids, which simplifies calling code from needing to worry
  about flipping the sign bit.
- Added blinded[12]5_from_ed functions that are similar to the
  non-`from_ed` versions, but can work more efficiently and precisely
  (most notably, when we know the actual ed pubkey we can always return
  the correctly signed blinded15 id; and when doing 25, having the ed
  pubkey saves us from needing to invert the session id back to an ed
  pubkey).
- Changed the types of blind[12]5_key_pair so that the returned private
  scalar gets properly memory cleared when destroyed, and moved these
  types (e.g. uc32, cleared_uc64) "higher up" in the include hierarchy.
- Changed `blind[12]5_key_pair` to optionally return (via pointer) the
  blinding factor.  For the 25 version we actually return ±k, depending
  on whether an extra negation is needed to cancel out a negative
  pubkey, so that the returned value can be used directly without having
  to worry about the negation elsewhere.
- Removed the "sender decrypt" blinded tests because we don't expose a
  way for the sender to perform such decryption.  (It's technically
  possible to do, but doesn't seem like something we need).
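The flawed and amended shared-secret derivations from the commit message above, worked through as an added example that is not libsession-util code: the Ed25519 group is replaced by exponentiation modulo a Mersenne prime, the per-side factor derivation and all key values are constructed, and the function names are assumed.

```python
import hashlib

# Constructed toy model, not libsession-util code: the Ed25519 group is
# replaced by exponentiation in Z_P^*, so "scalar * point" is
# pow(point, scalar, P) and the commit message's aB == bA is G**(a*b) mod P.
P = 2**127 - 1   # Mersenne prime; exponents are reduced mod P - 1
Q = P - 1
G = 3            # assumed generator of a large subgroup (constructed)


def mul(scalar: int, point: int) -> int:
    """scalar * point in the toy group."""
    return pow(point, scalar % Q, P)


def blinding_factor(server_pk: bytes, session_pk: int) -> int:
    """25-style factor: depends on BOTH the server id and the session id,
    so each side ends up with a different value (k for A, j for B)."""
    h = hashlib.blake2b(server_pk + session_pk.to_bytes(16, "big"), digest_size=16)
    return int.from_bytes(h.digest(), "big") % Q or 1


def shared_secret(first_term: int, kA: int, jB: int) -> bytes:
    """H(first_term || kA || jB), the layout used in the commit message."""
    data = b"".join(x.to_bytes(16, "big") for x in (first_term, kA, jB))
    return hashlib.blake2b(data, digest_size=32).digest()


def derive_secrets(a: int, b: int, server_pk: bytes, per_side: bool = True) -> dict:
    """Compute the flawed and amended secrets as each side sees them.
    per_side=False models 15 blinding, where both sides share one factor."""
    A, B = mul(a, G), mul(b, G)                          # session pubkeys
    k = blinding_factor(server_pk, A if per_side else 0)  # A's factor
    j = blinding_factor(server_pk, B if per_side else 0)  # B's factor
    kA, jB = mul(k, A), mul(j, B)                        # blinded ids
    return {
        "flawed_enc": shared_secret(mul(a, jB), kA, jB),      # H(a(jB) || kA || jB)
        "flawed_dec": shared_secret(mul(b, kA), kA, jB),      # H(b(kA) || kA || jB)
        "fixed_enc": shared_secret(mul(a * k, jB), kA, jB),   # H(ak(jB) || kA || jB)
        "fixed_dec": shared_secret(mul(b * j, kA), kA, jB),   # H(bj(kA) || kA || jB)
        "factors_match": k == j,
    }
```

With per-side factors the flawed pair diverges and the amended pair agrees, while with a single shared factor (the 15 case) both pairs agree, which is why the original design only broke for 25 blinding.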
@jagerman jagerman enabled auto-merge January 25, 2024 01:40
@jagerman jagerman merged commit 343cd41 into oxen-io:dev Jan 25, 2024
1 check passed
@mpretty-cyro mpretty-cyro deleted the general-encryption branch January 28, 2024 21:52