mirror of https://git.matrix.org/git/olm.git
Merge branch 'rav/fix_math' into 'master'
Fix some math blocks See merge request matrix-org/olm!10matthew/js-fixes
Richard van der Hoff
commit
0469065855
|
|
@ -161,10 +161,10 @@ described in [The Megolm ratchet algorithm](#the-megolm-ratchet-algorithm), usin
|
|||
|
||||
```math
|
||||
\begin{aligned}
|
||||
H_0(A) &\equiv \operatorname{HMAC}(A,\text{"\x00"}) \\
|
||||
H_1(A) &\equiv \operatorname{HMAC}(A,\text{"\x01"}) \\
|
||||
H_2(A) &\equiv \operatorname{HMAC}(A,\text{"\x02"}) \\
|
||||
H_3(A) &\equiv \operatorname{HMAC}(A,\text{"\x03"}) \\
|
||||
H_0(A) &\equiv \operatorname{HMAC}(A,\text{``\char`\\x00"}) \\
|
||||
H_1(A) &\equiv \operatorname{HMAC}(A,\text{``\char`\\x01"}) \\
|
||||
H_2(A) &\equiv \operatorname{HMAC}(A,\text{``\char`\\x02"}) \\
|
||||
H_3(A) &\equiv \operatorname{HMAC}(A,\text{``\char`\\x03"}) \\
|
||||
\end{aligned}
|
||||
```
|
||||
|
||||
|
|
|
|||
39
docs/olm.md
39
docs/olm.md
|
|
@ -10,13 +10,13 @@ $`\parallel`$ appears on the right hand side of an $`=`$ it means that
|
|||
the inputs are concatenated. When $`\parallel`$ appears on the left hand
|
||||
side of an $`=`$ it means that the output is split.
|
||||
|
||||
When this document uses $`ECDH\left(K_A,\,K_B\right)`$ it means that each
|
||||
party computes a Diffie-Hellman agreement using their private key and the
|
||||
remote party's public key.
|
||||
So party $`A`$ computes $`ECDH\left(K_B^{public},\,K_A^{private}\right)`$
|
||||
and party $`B`$ computes $`ECDH\left(K_A^{public},\,K_B^{private}\right)`$.
|
||||
When this document uses $`\operatorname{ECDH}\left(K_A,K_B\right)`$ it means
|
||||
that each party computes a Diffie-Hellman agreement using their private key
|
||||
and the remote party's public key.
|
||||
So party $`A`$ computes $`\operatorname{ECDH}\left(K_B^{public},K_A^{private}\right)`$
|
||||
and party $`B`$ computes $`\operatorname{ECDH}\left(K_A^{public},K_B^{private}\right)`$.
|
||||
|
||||
Where this document uses $`HKDF\left(salt,\,IKM,\,info,\,L\right)`$ it
|
||||
Where this document uses $`\operatorname{HKDF}\left(salt,IKM,info,L\right)`$ it
|
||||
refers to the [HMAC-based key derivation function][] with a salt value of
|
||||
$`salt`$, input key material of $`IKM`$, context string $`info`$,
|
||||
and output keying material length of $`L`$ bytes.
|
||||
|
|
@ -35,10 +35,12 @@ HMAC-based Key Derivation Function using [SHA-256][] as the hash function
|
|||
|
||||
```math
|
||||
\begin{aligned}
|
||||
S&=ECDH\left(I_A,\,E_B\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\;
|
||||
\parallel\;ECDH\left(E_A,\,E_B\right)\\
|
||||
S&=\operatorname{ECDH}\left(I_A,E_B\right)\;\parallel\;
|
||||
\operatorname{ECDH}\left(E_A,I_B\right)\;\parallel\;
|
||||
\operatorname{ECDH}\left(E_A,E_B\right)\\
|
||||
|
||||
R_0\;\parallel\;C_{0,0}&=
|
||||
HKDF\left(0,\,S,\,\text{"OLM\_ROOT"},\,64\right)
|
||||
\operatorname{HKDF}\left(0,S,\text{``OLM\_ROOT"},64\right)
|
||||
\end{aligned}
|
||||
```
|
||||
|
||||
|
|
@ -55,12 +57,13 @@ info.
|
|||
|
||||
```math
|
||||
\begin{aligned}
|
||||
R_i\;\parallel\;C_{i,0}&=HKDF\left(
|
||||
R_{i-1},\,
|
||||
ECDH\left(T_{i-1},\,T_i\right),\,
|
||||
\text{"OLM\_RATCHET"},\,
|
||||
64
|
||||
\right)
|
||||
R_i\;\parallel\;C_{i,0}&=
|
||||
\operatorname{HKDF}\left(
|
||||
R_{i-1},
|
||||
\operatorname{ECDH}\left(T_{i-1},T_i\right),
|
||||
\text{``OLM\_RATCHET"},
|
||||
64
|
||||
\right)
|
||||
\end{aligned}
|
||||
```
|
||||
|
||||
|
|
@ -72,7 +75,7 @@ previous chain key as the key.
|
|||
|
||||
```math
|
||||
\begin{aligned}
|
||||
C_{i,j}&=HMAC\left(C_{i,j-1},\,\text{"\x02"}\right)
|
||||
C_{i,j}&=\operatorname{HMAC}\left(C_{i,j-1},\text{``\char`\\x02"}\right)
|
||||
\end{aligned}
|
||||
```
|
||||
|
||||
|
|
@ -86,7 +89,7 @@ by Bob to encrypt messages.
|
|||
|
||||
```math
|
||||
\begin{aligned}
|
||||
M_{i,j}&=HMAC\left(C_{i,j},\,\text{"\x01"}\right)
|
||||
M_{i,j}&=\operatorname{HMAC}\left(C_{i,j},\text{``\char`\\x01"}\right)
|
||||
\end{aligned}
|
||||
```
|
||||
|
||||
|
|
@ -263,7 +266,7 @@ message key using [HKDF-SHA-256][] using the default salt and an info of
|
|||
```math
|
||||
\begin{aligned}
|
||||
AES\_KEY_{i,j}\;\parallel\;HMAC\_KEY_{i,j}\;\parallel\;AES\_IV_{i,j}
|
||||
&= HKDF\left(0,\,M_{i,j},\text{"OLM\_KEYS"},\,80\right) \\
|
||||
&= \operatorname{HKDF}\left(0,M_{i,j},\text{``OLM\_KEYS"},80\right)
|
||||
\end{aligned}
|
||||
```
|
||||
|
||||
|
|
|
|||
|
|
@ -49,13 +49,14 @@ compromised keys, and sends a pre-key message using a shared secret $`S`$,
|
|||
where:
|
||||
|
||||
```math
|
||||
S = ECDH\left(I_A,\,E_E\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\;
|
||||
\parallel\;ECDH\left(E_A,\,E_E\right)
|
||||
S = ECDH\left(I_A,E_E\right)\;\parallel\;
|
||||
ECDH\left(E_A,I_B\right)\;\parallel\;
|
||||
ECDH\left(E_A,E_E\right)
|
||||
```
|
||||
|
||||
Eve cannot decrypt the message because she does not have the private parts of
|
||||
either $`E_A`$ nor $`I_B`$, so cannot calculate
|
||||
$`ECDH\left(E_A,\,I_B\right)`$. However, suppose she later compromises
|
||||
$`ECDH\left(E_A,I_B\right)`$. However, suppose she later compromises
|
||||
Bob's identity key $`I_B`$. This would give her the ability to decrypt any
|
||||
pre-key messages sent to Bob using the compromised one-time keys, and is thus a
|
||||
problematic loss of forward secrecy. If Bob signs his keys with his Ed25519
|
||||
|
|
@ -66,8 +67,9 @@ On the other hand, signing the one-time keys leads to a reduction in
|
|||
deniability. Recall that the shared secret is calculated as follows:
|
||||
|
||||
```math
|
||||
S = ECDH\left(I_A,\,E_B\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\;
|
||||
\parallel\;ECDH\left(E_A,\,E_B\right)
|
||||
S = ECDH\left(I_A,E_B\right)\;\parallel\;
|
||||
ECDH\left(E_A,I_B\right)\;\parallel\;
|
||||
ECDH\left(E_A,E_B\right)
|
||||
```
|
||||
|
||||
If keys are unsigned, a forger can make up values of $`E_A`$ and
|
||||
|
|
|
|||
Loading…
Reference in New Issue