Closed soatok closed 1 year ago
The latest OPAQUE draft is significantly improved from earlier designs.
Open question to be decided:
We currently propose a simple construction (AES-256-CTR + HMAC-SHA384, encrypt-then-MAC) to actually encrypt the keys with the OPAQUE export_key.
Would ChaCha20 + BLAKE2b-MAC be better? (AES has cache-timing attacks.)
Are we going to double down on libsodium for our underlying library?
(To decide in a future commit.)
EDIT: Now using ChaCha20 + BLAKE2b-MAC instead of AES-CTR + HMAC. https://github.com/soatok/mastodon-e2ee-specification/pull/4/commits/ea1f59308aaebe999a705ac71377e7a9cbf0bbc1
Merging as-is. This ended up being less controversial than I anticipated before I dived deeper into the latest OPAQUE drafts.
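The construction named in the PR description (ChaCha20 + BLAKE2b-MAC, encrypt-then-MAC, keyed from the OPAQUE export_key), written out in Python as an added example; it is not code from this PR or from the specification. The subkey labels, the random 12-byte nonce, the `nonce || ciphertext || tag` layout and the function names are assumptions, and ChaCha20 is implemented inline per RFC 8439 because the Python standard library does not ship it.

```python
import hashlib, hmac, os, struct

def _rotl(v, n):
    return ((v << n) & 0xffffffff) | (v >> (32 - n))

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 7)

ROUNDS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),   # columns
          (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))  # diagonals

def chacha20_xor(key, nonce, data, counter=0):
    """RFC 8439 ChaCha20: 32-byte key, 12-byte nonce, 32-bit block counter."""
    out = bytearray()
    for off in range(0, len(data), 64):
        init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                                  + struct.pack("<I", counter + off // 64) + nonce))
        s = init[:]
        for _ in range(10):              # 10 double rounds = 20 rounds
            for q in ROUNDS:
                _qr(s, *q)
        block = struct.pack("<16I", *((x + y) & 0xffffffff for x, y in zip(s, init)))
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], block))
    return bytes(out)

def _subkey(export_key, label):
    # Assumed key separation: keyed BLAKE2b over a purpose label (export_key <= 64 bytes).
    return hashlib.blake2b(label, key=export_key, digest_size=32).digest()

def seal(export_key, plaintext):
    nonce = os.urandom(12)
    ct = chacha20_xor(_subkey(export_key, b"enc"), nonce, plaintext)
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext, never the plaintext.
    tag = hashlib.blake2b(nonce + ct, key=_subkey(export_key, b"mac"), digest_size=32).digest()
    return nonce + ct + tag

def open_sealed(export_key, blob):
    if len(blob) < 12 + 32:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hashlib.blake2b(nonce + ct, key=_subkey(export_key, b"mac"), digest_size=32).digest()
    if not hmac.compare_digest(tag, expect):   # verify before decrypting, in constant time
        raise ValueError("authentication failed")
    return chacha20_xor(_subkey(export_key, b"enc"), nonce, ct)
```
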