tapir sketch

Sarah Jamie Lewis 2020-07-03 11:20:37 -07:00
parent 3785479f48
commit 06198bc6c4
1 changed files with 64 additions and 2 deletions

@ -21,7 +21,13 @@ application.
## Primitives
### Privacy Pass
### Identity
An ed25519 keypair, required for established a Tor v3 onion service
and used to maintain a consistent cryptographic identity for a peer.
* InitializeIdentity - from a known, persistent keypair: \\(i,I\\)
* InitializeEphemeralIdentity - from a random keypair: \\(i_e, I_e\\)
## Applications
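Review bot: The Identity section introduces \\(i,I\\) and \\(i_e, I_e\\) without saying which symbol is the private half and which is the public half of each keypair. The Authentication App sketch later sends `I, I_e` over the connection and uses `i` and `i_e` as exponents, so the convention (lowercase private, uppercase public) should be stated here where the notation is defined. Also, "required for established a Tor v3 onion service" should read "required for establishing".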
@ -38,18 +44,74 @@ Initializes a [Merlin](https://merlin.cool)-based cryptographic transcript that
### Authentication App
**Dependencies:** Transcript App
* **Dependencies**: Transcript App
* **Capabilities Granted**: *AuthenticationCapability*
* **Capabilities Required**: *None*
Engages in an ephemeral triple-diffie-hellman handshake to derive a unique,
authenticated session key.
Each peer, given an open connection \\(C\\):
\\[ \\
I = \mathrm{InitializeIdentity()} \\\\
I_e = \mathrm{InitializeEphemeralIdentity()} \\\\
\\\\
I,I_e \rightarrow C \\\\
P,P_e \leftarrow C \\\\
\\\\
k = \mathrm{KDF}({P_e}^{i} + {P}^{i_e} + {P_e}^{i_e}) \\\\
c = \mathrm{E}(k, I) \\\\
c \rightarrow C \\\\
c_p \leftarrow C \\\\
\mathrm{D}(k, c_p) \stackrel{?}{=} P \\\\
\\]
The above represents a sketch protocol, in reality there are a few
implementation details worth pointing out:
Once derived from the key deriviation function \\(\mathrm{KDF}\\\) the key
\\(k\\) is set *on* the connection, meaning the authentication app doesn't
do the encryption or decryption explicitly.
Also the concatenation of parts of the 3DH exchange is strictly ordered:
* DH of the Long term identity of the outbound connection by the ephemeral
key of the inbound connection.
* DH of the Long term identity of the inbound connection by the ephemeral
key of the outbound connection.
* DH of the two ephemeral identities of the inbound and outbound connections.
This strict ordering ensures both sides of the connection derive the *same*
session key.
#### Asymmetry
The client connection is guaranteed to possess the long term identity of the
server connection through the propreties of the underlying tor v3 onion
connection.
As such if the server attempts to send a different long term identity to the
client we can detect it and terminate the authentication protocol early.
### Token App
**Dependencies:** Transcript App
* **Capabilities Granted**: *HasTokensCapability*
* **Capabilities Required**: *None* (implicitly guarded)
Allows the client to obtain signed, blinded tokens for use in another
application.
While this application has no explicit requirement for any given capability,
we expect it to be protected via a preceeding app in an `ApplicationChain` e.g.
powTokenApp := new(applications.ApplicationChain).
ChainApplication(new(applications.ProofOfWorkApplication), applications.SuccessfulProofOfWorkCapability).
ChainApplication(tokenApplication, applications.HasTokensCapability)
#### Notes
* No direct testing (tested via integration tests and unit tests)
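Review bot: The sketch line `k = \mathrm{KDF}({P_e}^{i} + {P}^{i_e} + {P_e}^{i_e})` is written from each peer's own point of view, so read literally the two sides would feed the first two DH terms to the KDF in opposite orders; the "strictly ordered" list that follows resolves this by inbound/outbound role, but the formula does not show it. Suggest writing the KDF input in terms of the outbound and inbound keys so the formula and the ordering list agree, and using an explicit concatenation operator instead of `+`, since the text describes the combination as concatenation. The Asymmetry section says the client can detect a server sending a different long-term identity and terminate early, but the sketch has no step for that comparison; adding it after `P,P_e \leftarrow C` would make the abort point clear. In "Once derived from the key deriviation function", the inline math `\\(\mathrm{KDF}\\\)` closes with three backslashes where the other inline spans use two, which will likely break rendering. Spelling: "deriviation", "propreties", "preceeding". The `powTokenApp` example after "e.g." is not fenced or indented as code, and the Token App section keeps `**Dependencies:** Transcript App` in a different form from the bulleted one used under Authentication App.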