Commit 04690658 by Richard van der Hoff

### Merge branch 'rav/fix_math' into 'master'

Fix some math blocks

See merge request !10
parents baaf0026 5bcfeaff
 ... @@ -161,10 +161,10 @@ described in [The Megolm ratchet algorithm](#the-megolm-ratchet-algorithm), usin ... @@ -161,10 +161,10 @@ described in [The Megolm ratchet algorithm](#the-megolm-ratchet-algorithm), usin math math \begin{aligned} \begin{aligned} H_0(A) &\equiv \operatorname{HMAC}(A,\text{"\x00"}) \\ H_0(A) &\equiv \operatorname{HMAC}(A,\text{\char\\x00"}) \\ H_1(A) &\equiv \operatorname{HMAC}(A,\text{"\x01"}) \\ H_1(A) &\equiv \operatorname{HMAC}(A,\text{\char\\x01"}) \\ H_2(A) &\equiv \operatorname{HMAC}(A,\text{"\x02"}) \\ H_2(A) &\equiv \operatorname{HMAC}(A,\text{\char\\x02"}) \\ H_3(A) &\equiv \operatorname{HMAC}(A,\text{"\x03"}) \\ H_3(A) &\equiv \operatorname{HMAC}(A,\text{\char\\x03"}) \\ \end{aligned} \end{aligned}   ... ...
 ... @@ -10,13 +10,13 @@ $\parallel$ appears on the right hand side of an $=$ it means that ... @@ -10,13 +10,13 @@ $\parallel$ appears on the right hand side of an $=$ it means that the inputs are concatenated. When $\parallel$ appears on the left hand the inputs are concatenated. When $\parallel$ appears on the left hand side of an $=$ it means that the output is split. side of an $=$ it means that the output is split. When this document uses $ECDH\left(K_A,\,K_B\right)$ it means that each When this document uses $\operatorname{ECDH}\left(K_A,K_B\right)$ it means party computes a Diffie-Hellman agreement using their private key and the that each party computes a Diffie-Hellman agreement using their private key remote party's public key. and the remote party's public key. So party $A$ computes $ECDH\left(K_B^{public},\,K_A^{private}\right)$ So party $A$ computes $\operatorname{ECDH}\left(K_B^{public},K_A^{private}\right)$ and party $B$ computes $ECDH\left(K_A^{public},\,K_B^{private}\right)$. and party $B$ computes $\operatorname{ECDH}\left(K_A^{public},K_B^{private}\right)$. Where this document uses $HKDF\left(salt,\,IKM,\,info,\,L\right)$ it Where this document uses $\operatorname{HKDF}\left(salt,IKM,info,L\right)$ it refers to the [HMAC-based key derivation function][] with a salt value of refers to the [HMAC-based key derivation function][] with a salt value of $salt$, input key material of $IKM$, context string $info$, $salt$, input key material of $IKM$, context string $info$, and output keying material length of $L$ bytes. and output keying material length of $L$ bytes. ... @@ -35,10 +35,12 @@ HMAC-based Key Derivation Function using [SHA-256][] as the hash function ... 
@@ -35,10 +35,12 @@ HMAC-based Key Derivation Function using [SHA-256][] as the hash function math math \begin{aligned} \begin{aligned} S&=ECDH\left(I_A,\,E_B\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\; S&=\operatorname{ECDH}\left(I_A,E_B\right)\;\parallel\; \parallel\;ECDH\left(E_A,\,E_B\right)\\ \operatorname{ECDH}\left(E_A,I_B\right)\;\parallel\; \operatorname{ECDH}\left(E_A,E_B\right)\\ R_0\;\parallel\;C_{0,0}&= R_0\;\parallel\;C_{0,0}&= HKDF\left(0,\,S,\,\text{"OLM\_ROOT"},\,64\right) \operatorname{HKDF}\left(0,S,\text{OLM\_ROOT"},64\right) \end{aligned} \end{aligned}   ... @@ -55,12 +57,13 @@ info. ... @@ -55,12 +57,13 @@ info. math math \begin{aligned} \begin{aligned} R_i\;\parallel\;C_{i,0}&=HKDF\left( R_i\;\parallel\;C_{i,0}&= R_{i-1},\, \operatorname{HKDF}\left( ECDH\left(T_{i-1},\,T_i\right),\, R_{i-1}, \text{"OLM\_RATCHET"},\, \operatorname{ECDH}\left(T_{i-1},T_i\right), 64 \text{OLM\_RATCHET"}, \right) 64 \right) \end{aligned} \end{aligned}   ... @@ -72,7 +75,7 @@ previous chain key as the key. ... @@ -72,7 +75,7 @@ previous chain key as the key. math math \begin{aligned} \begin{aligned} C_{i,j}&=HMAC\left(C_{i,j-1},\,\text{"\x02"}\right) C_{i,j}&=\operatorname{HMAC}\left(C_{i,j-1},\text{\char\\x02"}\right) \end{aligned} \end{aligned}   ... @@ -86,7 +89,7 @@ by Bob to encrypt messages. ... @@ -86,7 +89,7 @@ by Bob to encrypt messages. math math \begin{aligned} \begin{aligned} M_{i,j}&=HMAC\left(C_{i,j},\,\text{"\x01"}\right) M_{i,j}&=\operatorname{HMAC}\left(C_{i,j},\text{\char\\x01"}\right) \end{aligned} \end{aligned}   ... @@ -263,7 +266,7 @@ message key using [HKDF-SHA-256][] using the default salt and an info of ... 
@@ -263,7 +266,7 @@ message key using [HKDF-SHA-256][] using the default salt and an info of math math \begin{aligned} \begin{aligned} AES\_KEY_{i,j}\;\parallel\;HMAC\_KEY_{i,j}\;\parallel\;AES\_IV_{i,j} AES\_KEY_{i,j}\;\parallel\;HMAC\_KEY_{i,j}\;\parallel\;AES\_IV_{i,j} &= HKDF\left(0,\,M_{i,j},\text{"OLM\_KEYS"},\,80\right) \\ &= \operatorname{HKDF}\left(0,M_{i,j},\text{OLM\_KEYS"},80\right) \end{aligned} \end{aligned}   ... ...
 ... @@ -49,13 +49,14 @@ compromised keys, and sends a pre-key message using a shared secret $S$, ... @@ -49,13 +49,14 @@ compromised keys, and sends a pre-key message using a shared secret $S$, where: where: math math S = ECDH\left(I_A,\,E_E\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\; S = ECDH\left(I_A,E_E\right)\;\parallel\; \parallel\;ECDH\left(E_A,\,E_E\right) ECDH\left(E_A,I_B\right)\;\parallel\; ECDH\left(E_A,E_E\right)   Eve cannot decrypt the message because she does not have the private parts of Eve cannot decrypt the message because she does not have the private parts of either $E_A$ nor $I_B$, so cannot calculate either $E_A$ nor $I_B$, so cannot calculate $ECDH\left(E_A,\,I_B\right)$. However, suppose she later compromises $ECDH\left(E_A,I_B\right)$. However, suppose she later compromises Bob's identity key $I_B$. This would give her the ability to decrypt any Bob's identity key $I_B$. This would give her the ability to decrypt any pre-key messages sent to Bob using the compromised one-time keys, and is thus a pre-key messages sent to Bob using the compromised one-time keys, and is thus a problematic loss of forward secrecy. If Bob signs his keys with his Ed25519 problematic loss of forward secrecy. If Bob signs his keys with his Ed25519 ... @@ -66,8 +67,9 @@ On the other hand, signing the one-time keys leads to a reduction in ... @@ -66,8 +67,9 @@ On the other hand, signing the one-time keys leads to a reduction in deniability. Recall that the shared secret is calculated as follows: deniability. Recall that the shared secret is calculated as follows: math math S = ECDH\left(I_A,\,E_B\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\; S = ECDH\left(I_A,E_B\right)\;\parallel\; \parallel\;ECDH\left(E_A,\,E_B\right) ECDH\left(E_A,I_B\right)\;\parallel\; ECDH\left(E_A,E_B\right)   If keys are unsigned, a forger can make up values of $E_A$ and If keys are unsigned, a forger can make up values of $E_A$ and ... ...
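Review bot: In the `@@ -161,10 +161,10` hunk, the new right-hand sides read `\text{\char\\x00"}` through `\text{\char\\x03"}`: the opening quotation mark is gone while the closing one remains, and `\char` is followed by `\\` rather than a character code. These constants are the HMAC inputs that implementers copy from the spec, so please render the block and confirm it still displays the single-byte strings "\x00" to "\x03" with balanced quotes. The same construct appears in the `@@ -72,7 +75,7` and `@@ -86,7 +89,7` hunks for `C_{i,j}` and `M_{i,j}`.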
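Review bot: In the `@@ -10,13 +10,13` hunk, only the function names are wrapped in `\operatorname{}`; the multi-letter arguments `salt`, `IKM`, `info` and the superscripts `public` and `private` are still set as products of italic single letters. If the goal is consistent math rendering, consider `\text{}` or `\mathit{}` for those as well, for example `K_B^{\text{public}}`, or note in the commit message that they are left unchanged on purpose.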
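Review bot: In the `@@ -35,10 +35,12` hunk, the HKDF info string changes from `\text{"OLM\_ROOT"}` to `\text{OLM\_ROOT"}`, which drops the opening quote and leaves an unbalanced closing one. The same happens to `OLM\_RATCHET"` in `@@ -55,12 +57,13` and `OLM\_KEYS"` in `@@ -263,7 +266,7`. The info strings are exact protocol inputs, so the rendered form should show them unambiguously; please restore the opening quote or remove both, and check the rendered output. In `@@ -263,7 +266,7` the left-hand names `AES\_KEY`, `HMAC\_KEY` and `AES\_IV` are also left outside `\operatorname{}` or `\text{}`, unlike `HKDF` on the same line.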
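Review bot: In the `@@ -49,13 +49,14` hunk, `S = ECDH\left(I_A,E_E\right)` and the inline `$ECDH\left(E_A,I_B\right)$` keep a bare `ECDH`, while the other hunks in this merge switch to `\operatorname{ECDH}`. Only the `\,` spacing is removed here, so the two documents now typeset the same function differently. Suggest applying `\operatorname{ECDH}` in this hunk and in `@@ -66,8 +67,9` as well, so the shared-secret formula for $S$ reads identically wherever it is repeated.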