 ... ... @@ -161,10 +161,10 @@ described in [The Megolm ratchet algorithm](#the-megolm-ratchet-algorithm), usin math \begin{aligned} H_0(A) &\equiv \operatorname{HMAC}(A,\text{"\x00"}) \\ H_1(A) &\equiv \operatorname{HMAC}(A,\text{"\x01"}) \\ H_2(A) &\equiv \operatorname{HMAC}(A,\text{"\x02"}) \\ H_3(A) &\equiv \operatorname{HMAC}(A,\text{"\x03"}) \\ H_0(A) &\equiv \operatorname{HMAC}(A,\text{\char\\x00"}) \\ H_1(A) &\equiv \operatorname{HMAC}(A,\text{\char\\x01"}) \\ H_2(A) &\equiv \operatorname{HMAC}(A,\text{\char\\x02"}) \\ H_3(A) &\equiv \operatorname{HMAC}(A,\text{\char\\x03"}) \\ \end{aligned}  ... ...
 ... ... @@ -10,13 +10,13 @@ $\parallel$ appears on the right hand side of an $=$ it means that the inputs are concatenated. When $\parallel$ appears on the left hand side of an $=$ it means that the output is split. When this document uses $ECDH\left(K_A,\,K_B\right)$ it means that each party computes a Diffie-Hellman agreement using their private key and the remote party's public key. So party $A$ computes $ECDH\left(K_B^{public},\,K_A^{private}\right)$ and party $B$ computes $ECDH\left(K_A^{public},\,K_B^{private}\right)$. When this document uses $\operatorname{ECDH}\left(K_A,K_B\right)$ it means that each party computes a Diffie-Hellman agreement using their private key and the remote party's public key. So party $A$ computes $\operatorname{ECDH}\left(K_B^{public},K_A^{private}\right)$ and party $B$ computes $\operatorname{ECDH}\left(K_A^{public},K_B^{private}\right)$. Where this document uses $HKDF\left(salt,\,IKM,\,info,\,L\right)$ it Where this document uses $\operatorname{HKDF}\left(salt,IKM,info,L\right)$ it refers to the [HMAC-based key derivation function][] with a salt value of $salt$, input key material of $IKM$, context string $info$, and output keying material length of $L$ bytes. ... ... @@ -35,10 +35,12 @@ HMAC-based Key Derivation Function using [SHA-256][] as the hash function math \begin{aligned} S&=ECDH\left(I_A,\,E_B\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\; \parallel\;ECDH\left(E_A,\,E_B\right)\\ S&=\operatorname{ECDH}\left(I_A,E_B\right)\;\parallel\; \operatorname{ECDH}\left(E_A,I_B\right)\;\parallel\; \operatorname{ECDH}\left(E_A,E_B\right)\\ R_0\;\parallel\;C_{0,0}&= HKDF\left(0,\,S,\,\text{"OLM\_ROOT"},\,64\right) \operatorname{HKDF}\left(0,S,\text{OLM\_ROOT"},64\right) \end{aligned}  ... ... 
@@ -55,10 +57,11 @@ info. math \begin{aligned} R_i\;\parallel\;C_{i,0}&=HKDF\left( R_{i-1},\, ECDH\left(T_{i-1},\,T_i\right),\, \text{"OLM\_RATCHET"},\, R_i\;\parallel\;C_{i,0}&= \operatorname{HKDF}\left( R_{i-1}, \operatorname{ECDH}\left(T_{i-1},T_i\right), \text{OLM\_RATCHET"}, 64 \right) \end{aligned} ... ... @@ -72,7 +75,7 @@ previous chain key as the key. math \begin{aligned} C_{i,j}&=HMAC\left(C_{i,j-1},\,\text{"\x02"}\right) C_{i,j}&=\operatorname{HMAC}\left(C_{i,j-1},\text{\char\\x02"}\right) \end{aligned}  ... ... @@ -86,7 +89,7 @@ by Bob to encrypt messages. math \begin{aligned} M_{i,j}&=HMAC\left(C_{i,j},\,\text{"\x01"}\right) M_{i,j}&=\operatorname{HMAC}\left(C_{i,j},\text{\char\\x01"}\right) \end{aligned}  ... ... @@ -263,7 +266,7 @@ message key using [HKDF-SHA-256][] using the default salt and an info of math \begin{aligned} AES\_KEY_{i,j}\;\parallel\;HMAC\_KEY_{i,j}\;\parallel\;AES\_IV_{i,j} &= HKDF\left(0,\,M_{i,j},\text{"OLM\_KEYS"},\,80\right) \\ &= \operatorname{HKDF}\left(0,M_{i,j},\text{OLM\_KEYS"},80\right) \end{aligned}  ... ...
 ... ... @@ -49,13 +49,14 @@ compromised keys, and sends a pre-key message using a shared secret $S$, where: math S = ECDH\left(I_A,\,E_E\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\; \parallel\;ECDH\left(E_A,\,E_E\right) S = ECDH\left(I_A,E_E\right)\;\parallel\; ECDH\left(E_A,I_B\right)\;\parallel\; ECDH\left(E_A,E_E\right)  Eve cannot decrypt the message because she does not have the private parts of either $E_A$ nor $I_B$, so cannot calculate $ECDH\left(E_A,\,I_B\right)$. However, suppose she later compromises $ECDH\left(E_A,I_B\right)$. However, suppose she later compromises Bob's identity key $I_B$. This would give her the ability to decrypt any pre-key messages sent to Bob using the compromised one-time keys, and is thus a problematic loss of forward secrecy. If Bob signs his keys with his Ed25519 ... ... @@ -66,8 +67,9 @@ On the other hand, signing the one-time keys leads to a reduction in deniability. Recall that the shared secret is calculated as follows: math S = ECDH\left(I_A,\,E_B\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\; \parallel\;ECDH\left(E_A,\,E_B\right) S = ECDH\left(I_A,E_B\right)\;\parallel\; ECDH\left(E_A,I_B\right)\;\parallel\; ECDH\left(E_A,E_B\right)  If keys are unsigned, a forger can make up values of $E_A`$ and ... ...
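Review bot: in the megolm.md hunk at @@ -161,10 +161,10 @@, the replacement `\text{\char\\x00"}` (and its `\x01`, `\x02`, `\x03` siblings) is not valid TeX as displayed and leaves the quotes unbalanced. `\char` takes a character code, so `\char\\` is rejected by KaTeX and MathJax, and the opening `"` that the removed `\text{"\x00"}` carried is gone while the closing `"` remains. If the goal is to show the byte notation with a literal backslash, `\text{"\textbackslash x00"}` renders as "\x00" in both LaTeX and KaTeX. If the intent was \char followed by a backtick and \\ (TeX's way of naming the backslash character), the backtick does not survive in this hunk as shown, so the source file should be checked and the rendered page verified before merging.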
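Review bot: the olm.md hunk at @@ -10,13 +10,13 @@ is a clear improvement (`\operatorname{ECDH}` and `\operatorname{HKDF}` now render upright with operator spacing), but the argument names in the sentence that follows are still bare italic math (`$salt$`, `$IKM$`, `$info$`), which typesets multi-letter names as products of single-letter variables with odd kerning. Using `\mathit{salt}`, `\mathit{IKM}` and `\mathit{info}` both inside the `\operatorname{HKDF}\left(...\right)` call and in the prose would keep them readable and visually tied to the equation; `$L$` is fine as a single letter.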
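Review bot: in the olm.md hunk at @@ -35,10 +35,12 @@, the added `\operatorname{HKDF}\left(0,S,\text{OLM\_ROOT"},64\right)` has lost the opening quote that the removed `\text{"OLM\_ROOT"}` carried, so the info string renders as OLM_ROOT" with a dangling closing quote. Either keep the ASCII pair, `\text{"OLM\_ROOT"}`, which the old line shows rendering correctly, or set the label in `\texttt{OLM\_ROOT}` without quotes. If LaTeX-style opening quotes were written in the source, they are not visible in this hunk and the rendered output should be checked.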
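Review bot: the olm.md hunk at @@ -55,10 +57,11 @@ has the same dropped opening quote: `\text{OLM\_RATCHET"}` closes a quote it never opens, whereas the removed line had `\text{"OLM\_RATCHET"}`; restore the opening `"` so the info string reads "OLM_RATCHET". The rest of the rewrite, `\operatorname{HKDF}` with `R_{i-1}` as salt and `\operatorname{ECDH}\left(T_{i-1},T_i\right)` as input key material, is consistent with the `\operatorname` convention introduced at @@ -10,13 +10,13 @@.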
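Review bot: the two olm.md hunks at @@ -72,7 +75,7 @@ and @@ -86,7 +89,7 @@ replace `\text{"\x02"}` and `\text{"\x01"}` with `\text{\char\\x02"}` and `\text{\char\\x01"}`, which as displayed are not valid: `\char` needs a character code, so `\char\\` is rejected by KaTeX and MathJax, and the opening quote is gone while the closing one stays. `\text{"\textbackslash x02"}` and `\text{"\textbackslash x01"}` give the intended literal byte notation. Since these single-byte constants are the only thing distinguishing the next chain key `C_{i,j}` (HMAC with `\x02`) from the message key `M_{i,j}` (HMAC with `\x01`) derived from the same chain, a short sentence beside each equation saying that the constants keep the two derivations distinct would help readers who land on these formulas without the surrounding text.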
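Review bot: the olm.md hunk at @@ -263,7 +266,7 @@ again drops the opening quote (`\text{OLM\_KEYS"}` versus the removed `\text{"OLM\_KEYS"}`); restore it. The left-hand side `AES\_KEY_{i,j}\;\parallel\;HMAC\_KEY_{i,j}\;\parallel\;AES\_IV_{i,j}` is also left as bare italic math while `HKDF` was moved into `\operatorname{}`; `\mathit{AES\_KEY}_{i,j}` and friends would match the new style. If the surrounding text does not already say how the 80 output bytes are split between the three values, stating the split next to the equation would make the `80` self-explanatory.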
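Review bot: in the @@ -49,13 +49,14 @@ hunk (the one-time-key compromise discussion), the rewrapped shared-secret equation and the inline `$ECDH\left(E_A,I_B\right)$` only drop the `\,` thin spaces and re-break lines; they keep bare `ECDH` while the olm.md hunks in this same change switch to `\operatorname{ECDH}`, so the two documents now render the same function differently (italic variable-style here, upright operator there). Apply `\operatorname{ECDH}` here as well. While touching these lines, the context sentence "does not have the private parts of either $E_A$ nor $I_B$" mixes "either" with "nor"; "of either $E_A$ or $I_B$" (or "of neither $E_A$ nor $I_B$") reads correctly.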
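Review bot: the context line ``If keys are unsigned, a forger can make up values of $E_A`$ and`` in the @@ -66,8 +67,9 @@ hunk carries a stray backtick inside the math delimiters; in Markdown a backtick opens a code span, so ``$E_A`$`` is likely to break both the math and the text that follows when rendered. Since this hunk already touches the equation immediately above, changing it to `$E_A$` here is a cheap drive-by. The shared-secret rewrap in this hunk has the same bare `ECDH` versus `\operatorname{ECDH}` inconsistency with olm.md as the @@ -49,13 +49,14 @@ hunk.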
