[Cryptography] Preventing correlation on rebinding connection identifiers.

jrzx jrzx at protonmail.ch
Thu Feb 11 22:52:41 EST 2021


> So in the ordinary state of affairs, the host recognizes packets from Alice by their source address+port and this is used to obtain the shared secret used to decrypt the remainder of the message.
>
> If the client source address+port change, the host is going to respond with a packet saying 'unrecognized connection' and bounce the source address and port back to the client. The client then realizes that its outbound connection config has changed and we need to rebind.
>
> One option would be a packet 'claiming' the prior source address+ip but that seems ugly. I would like to have as little connecting one packet to another as possible enclair.

What is the problem?

Host replies "Unrecognized connection, here is a random single use point *H* on the elliptic curve to which only I know the corresponding random single use scalar *h*"

Alice replies "Here is a random single use point *A* on the elliptic curve to which only I know the corresponding scalar *a*, and what follows shall be decrypted by our shared secret *aH=hA"

The computation of a shared secret takes two and half microseconds on my computer using the curve Ristretto25519. You don't need to economize on shared secrets.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20210212/5f00d5df/attachment.htm>


More information about the cryptography mailing list