[Cryptography] Announcing XSTREAM v0.1: misuse-resistant public-key cryptography combining X25519+HKDF+Miscreant

Kristian Gjøsteen kristian.gjosteen at ntnu.no
Mon Jan 8 03:44:14 EST 2018


On 8 Jan 2018 at 02:41, John Gilmore <gnu at toad.com> wrote:
> 
>> XSTREAM's encryptor accepts a static X25519 public key as an argument.
>> Internally it randomly generates an ephemeral secret scalar value (i.e.
>> X25519 secret key), performs elliptic curve Diffie-Hellman, then uses the
>> resulting shared secret as an input to ...
> 
> Am I confused?  Doing Diffie-Hellman requires talking with another
> party.  For data-at-rest, who is the other party?  And how does your
> library communicate with that other party?

It’s a fairly standard Diffie-Hellman key encapsulation method (KEM) similar to ECIES, followed by a somewhat standard symmetric cryptosystem. The hybrid construction is secure under the usual assumptions.

The claim is that it tolerates RNG failures, but that is obviously not true, since the KEM component does not tolerate RNG failures (e.g. an RNG with very low entropy).

It is possible to design schemes that retain some security even when the RNG fails (take any secure deterministic public key cryptosystem and add a nonce at an appropriate place), but this isn’t such a scheme.

-- 
Kristian Gjøsteen
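As an added example, not part of this thread or of the XSTREAM project, the following pure-Python sketch has the shape of the DH-KEM described above (ephemeral X25519 scalar, shared secret into HKDF) and makes the RNG point concrete: the ephemeral public key travels with the ciphertext, so when the RNG can only produce a small set of scalars, that set can be checked against the header and the session key recomputed. The function names, the HKDF info string and the 8-bit candidate set are constructed for this illustration.

```python
import hashlib, hmac

P = 2**255 - 19  # Curve25519 field prime (RFC 7748)

def x25519(k: bytes, u: bytes = (9).to_bytes(32, "little")) -> bytes:
    """X25519 scalar multiplication, RFC 7748 Montgomery ladder (not constant-time; demo only)."""
    k = bytearray(k); k[0] &= 248; k[31] = (k[31] & 127) | 64  # clamp the scalar
    k, x1 = int.from_bytes(k, "little"), int.from_bytes(u, "little") & (2**255 - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """HKDF-Extract followed by a single block of HKDF-Expand (32 bytes)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def encapsulate(recipient_pk: bytes, ephemeral_sk: bytes):
    """Sender side of the DH-KEM: (ephemeral public key sent in the header, symmetric key)."""
    eph_pk = x25519(ephemeral_sk)
    shared = x25519(ephemeral_sk, recipient_pk)
    return eph_pk, hkdf_sha256(shared, eph_pk + recipient_pk, b"demo-kem")

def decapsulate(recipient_sk: bytes, eph_pk: bytes) -> bytes:
    """Recipient side: recompute the same symmetric key from the static secret."""
    return hkdf_sha256(x25519(recipient_sk, eph_pk), eph_pk + x25519(recipient_sk), b"demo-kem")

def key_from_weak_rng(recipient_pk: bytes, eph_pk: bytes, candidates):
    """Why a low-entropy RNG breaks the KEM: eph_pk is public, so each scalar the weak
    RNG could have produced is tested against it and the session key re-derived."""
    for sk in candidates:
        if x25519(sk) == eph_pk:
            return encapsulate(recipient_pk, sk)[1]
    return None  # ephemeral scalar came from outside the weak set
```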