hpke

package

v0.0.0-...-5d1c50d Latest Latest Go to latest Published: May 12, 2021 License: Apache-2.0 Imports: 3 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

Documentation ¶

Overview ¶

Package hpke provides the underlying STROBE protocol for Veil's authenticated hybrid public key encryption system. Unlike traditional HPKE constructions, this does not have separate KEM/DEM components or a specific derived DEK.

Encryption ¶

Encryption is as follows, given the sender's key pair, d_s and Q_s, an ephemeral key pair, d_e and Q_e, the receiver's public key, Q_r, a plaintext message P, and MAC size N_mac:

INIT('veil.hpke', level=256)
AD(LE_U32(N_mac), meta=true)
AD(Q_r)
AD(Q_s)
ZZ_s = Q_r^d_s
KEY(ZZ_s)
SEND_ENC(Q_e) -> E
ZZ_e = Q_r^d_e
KEY(ZZ_e)

This is effectively an authenticated ECDH KEM, but instead of returning KDF output for use in a DEM, we use the keyed protocol to directly encrypt the ciphertext and create a MAC:

SEND_ENC(P)     -> C
SEND_MAC(N_mac) -> M

The resulting ciphertext is the concatenation of E, C, and M.

Decryption ¶

Decryption is then the inverse of encryption, given the recipient's key pair, d_r and Q_r, and the sender's public key Q_s:

INIT('veil.hpke', level=256)
AD(LE_U32(N_max), meta=true)
AD(Q_r)
AD(Q_s)
ZZ_s = Q_s^d_r
KEY(ZZ_s)
RECV_ENC(E) -> Q_e
ZZ_e = Q_e^d_r
KEY(ZZ_e)
RECV_ENC(C) -> P
RECV_MAC(M)

If the RECV_MAC call is successful, the ephemeral public key E and the plaintext message P are returned.

IND-CCA2 Security ¶

This construction combines two overlapping KEM/DEM constructions: a "El Gamal-like" KEM combined with a STROBE-based AEAD, and an ephemeral ECIES-style KEM combined with a STROBE-based AEAD.

The STROBE-based AEAD is equivalent to Construction 5.6 of Modern Cryptography 3e and is CCA-secure per Theorem 5.7, provided STROBE's encryption is CPA-secure. STROBE's SEND_ENC is equivalent to Construction 3.31 and is CPA-secure per Theorem 3.29, provided STROBE is a sufficiently strong pseudorandom function.

The first KEM/DEM construction is equivalent to Construction 12.19 of Modern Cryptography 3e, and is CCA-secure per Theorem 12.22, provided the gap-CDH problem is hard relative to ristretto255 and STROBE is modeled as a random oracle.

The second KEM/DEM construction is equivalent to Construction 12.23 of Modern Cryptography 3e, and is CCA-secure per Corollary 12.24, again provided that the gap-CDH problem is hard relative to ristretto255 and STROBE is modeled as a random oracle.

IK-CCA Security ¶

veil.hpke is IK-CCA (per Bellare, https://iacr.org/archive/asiacrypt2001/22480568.pdf), in that it is impossible for an attacker in possession of two public keys to determine which of the two keys a given ciphertext was encrypted with in either chosen-plaintext or chosen-ciphertext attacks. Informally, veil.hpke ciphertexts consist exclusively of STROBE ciphertext and PRF output; an attacker being able to distinguish between ciphertexts based on keying material would imply STROBE's AEAD construction is not IND-CCA2.

Consequently, a passive adversary scanning for encoded elements would first need the parties' static Diffie-Hellman secret in order to distinguish messages from random noise.

Forward Sender Security ¶

Because the ephemeral private key is discarded after encryption, a compromise of the sender's private key will not compromise previously-created ciphertexts. If the sender's private key is compromised, the most an attacker can discover about previously sent messages is the ephemeral public key, not the message itself.

Insider Authenticity ¶

This construction is not secure against insider attacks on authenticity, nor is it intended to be. A recipient can forge ciphertexts which appear to be from a sender by re-using the ephemeral public key and encrypting an alternate plaintext, but the forgeries will only be decryptable by the forger. Because this type of forgery is possible, veil.hpke ciphertexts are therefore repudiable.

Randomness Re-Use ¶

The ephemeral key pair, d_e and Q_e, are generated outside of this construction and can be used multiple times for a single message. This improves the efficiency of the scheme without reducing its security, per Bellare et al.'s treatment of Randomness Reusing Multi-Recipient Encryption Schemes (http://cseweb.ucsd.edu/~Mihir/papers/bbs.pdf).

Index ¶

Constants
func Decrypt(dst []byte, dR *ristretto255.Scalar, qR, qS *ristretto255.Element, ...) (*ristretto255.Element, []byte, error)
func Encrypt(dst []byte, dS, dE *ristretto255.Scalar, qS, qE, qR *ristretto255.Element, ...) []byte

Constants ¶

View Source

const Overhead = internal.ElementSize + internal.MACSize

Overhead is the number of bytes added to each veil.hpke ciphertext.

Variables ¶

This section is empty.

Functions ¶

func Decrypt ¶

func Decrypt(
	dst []byte, dR *ristretto255.Scalar, qR, qS *ristretto255.Element, ciphertext []byte,
) (*ristretto255.Element, []byte, error)

Decrypt decrypts the ciphertext iff it was encrypted by the owner of qS for the owner of qR and no bit of the ciphertext has been modified.

func Encrypt ¶

func Encrypt(dst []byte, dS, dE *ristretto255.Scalar, qS, qE, qR *ristretto255.Element, plaintext []byte) []byte

Encrypt encrypts the plaintext such that the owner of qR will be able to decrypt it knowing that only the owner of qS could have encrypted it.

Types ¶

This section is empty.

Source Files ¶

View all Source files

hpke.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL