declanvk closed this 8 months ago
Hey, those are good questions, and the answer is that we made a mistake in the writeup. In the inductive case, where the website says

> You then encrypt the Path by first encrypting path_i, and then appending kdf(key_i, component_i) as the final Component.

it should really say

> ..., and then appending the result of encrypting component_i with the key kdf(key_i, component_i) as the final Component.

I'll push a fix when I'm properly awake (just past midnight in my timezone right now). I'll also mull over a formulation for making cipher_encrypt explicit. Thanks for reading this carefully!
Regarding communication of the initial keying material: this is indeed not covered by the WGPS protocol. There are several communication issues around capabilities and encryption that will benefit from standardized protocols, and we plan to tackle those eventually. It will just take a while until we get there. But we should probably put some disclaimers saying as much onto the website.
Turns out there was a bit more to fix: there was an off-by-one in which components to feed to the key derivation function. https://github.com/earthstar-project/willowprotocol.org/commit/063b7748f0f87d0d4f02ca42256f342d0c6d4c4c should fix everything.
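The corrected procedure from the two replies above, sketched as an added example (not code from the Willow site or from anyone in this thread). It assumes the off-by-one fix means component i is encrypted under key_i, with key_{i+1} = kdf(key_i, component_i); the `kdf` and `cipher_encrypt` bodies are stand-ins chosen for this sketch (HMAC-SHA256 and a synthetic-IV construction), and the sample paths in the test are constructed.

```python
import hashlib
import hmac

def kdf(key: bytes, component: bytes) -> bytes:
    """Stand-in KDF: next key from the current key and the PLAINTEXT component."""
    return hmac.new(key, b"kdf" + component, hashlib.sha256).digest()

def cipher_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in deterministic cipher (synthetic IV): the IV is a MAC of the
    plaintext, so equal inputs give equal outputs and no keystream is reused
    across different plaintexts under the same key."""
    iv = hmac.new(key, b"iv" + data, hashlib.sha256).digest()[:16]
    stream = hashlib.shake_256(key + iv).digest(len(data))
    return iv + bytes(a ^ b for a, b in zip(data, stream))

def cipher_decrypt(key: bytes, blob: bytes) -> bytes:
    iv, body = blob[:16], blob[16:]
    stream = hashlib.shake_256(key + iv).digest(len(body))
    data = bytes(a ^ b for a, b in zip(body, stream))
    expected = hmac.new(key, b"iv" + data, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(iv, expected):
        raise ValueError("wrong key or corrupted component")
    return data

def encrypt_path(key_0: bytes, path: list) -> list:
    """Empty path -> empty path. Otherwise each component is encrypted (never
    just hashed) under the key derived from all components before it."""
    key, out = key_0, []
    for component in path:
        out.append(cipher_encrypt(key, component))
        key = kdf(key, component)  # assumed reading of the off-by-one fix
    return out

def decrypt_path(key_0: bytes, enc_path: list) -> list:
    """Decryption walks the same key chain, which is why the key for a
    component cannot depend on that component itself."""
    key, out = key_0, []
    for blob in enc_path:
        component = cipher_decrypt(key, blob)
        out.append(component)
        key = kdf(key, component)
    return out
```

Because every key depends only on key_0 and the preceding plaintext components, two paths with a common prefix encrypt to paths with a common encrypted prefix, while the same component under a different prefix encrypts differently.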
Thanks so much for responding and pushing a fix! I'll mark this resolved since you got all my questions
Hello, I had a question about the procedure for encrypting paths from https://willowprotocol.org/specs/e2e/index.html#e2e_paths. I'm a bit confused and I thought I would ask the authors, but this isn't a true "issue". If you'd prefer inquiry via email or other, please let me know and I can resend this.
Using the terminology from that section:
I'm going to add a new function for my own understanding
The first bullet point is straightforward:
The second bullet point:
Is probably where I start to go wrong. My reading of the part "Encrypt [...] using the key [...]" implies there should be some sort of other encryption function? I was imagining a symmetric cipher like:
Then the encrypt_path for this bullet point would be:
The third bullet point:
So at this point I tried to figure out the length 2 case:
But that feels weird because then the first component is encrypted with the cipher_encrypt, but the second component is not.
My main question: does the cipher_encrypt function actually exist in this procedure? Or did I imagine it into existence? Is the kdf function sufficient to provide confidentiality of the plaintext path components? Is that part of what you meant by:
Other question(s) (less important, feel free to ignore):
key_0 input key material need to be communicated between peers outside of the willow sync protocol?
Thanks for working on the Willow protocol! Sorry am cryptography noob