-
Notifications
You must be signed in to change notification settings - Fork 2
Closed
Labels
protocol researchIssues for tracking protocol research and choicesIssues for tracking protocol research and choices
Milestone
Description
It makes me sad to see things these days that depend on DH as opposed to KEM, since only KEMs. FWIW, I think you could refactor the clue scheme to be KEM-based, if you have a DeriveKeyPair function (as in RFC 9180).
DH-based:
S->SD: g^a, g^ab
SD->R: g^ab, E(g^abc, msgid)
R: (g^ab)^c => msgid
KEM-based:
S: (CT_ac, SS_ac) = Encap(PK_c), (SK_ac, PK_ac) = DeriveKeyPair(SS_ac)
S->SD: CT_ac, PK_ac
SD: (CT_abc, SS_abc) = Encap(PK_ac)
SD->R: CT_ac, CT_abc, E(SS_abc, msgid)
R: SS_ac = Decap(SK_c, CT_ac)
=> (SK_ac, PK_ac) = DeriveKeyPair(SS_ac)
=> SS_abc = Decap(SK_ac, CT_abc)
=> msgid
That shares the properties that (1) the clue is only intelligible by the intended recipient and random otherwise (2) the SecureDrop server can encrypt the msgid to the recipient without knowing the recipient's public key. (In principle, you could also just have msgid=SS_abc and save a symmetric encryption step.) Definitely possible I'm missing some other requirements, though.
Metadata
Metadata
Assignees
Labels
protocol researchIssues for tracking protocol research and choicesIssues for tracking protocol research and choices