10 Matching Annotations
  1. Dec 2020
    1. Q_plain

      Is the entropy from Q_plain really needed? A reason for it would be that the client provides randomness with the nonce contained in Q_plain, in the sense of a contributive key exchange. However, the client already contributes the HPKE ephemeral key.

      If the Extract step should stay, I suggest changing the order of Q_plain and odoh_secret. The value odoh_secret is of fixed size and uniformly random, and thus fits better as salt to HKDF-Extract. If the first value is longer than a hash function block size, HMAC will do an additional hashing step: This seems easily possible for Q_plain.

    2. proxy and target indistinguishability

      How is this defined?

    3. of unique per-client keys

      What kind of keys are meant here? Unique target public keys per client?

    4. Q_encrypted

      The function could receive only ct instead, as it does not use enc, and setup_query_context already splits Q_encrypted.

    5. key_id

      The function does not use this parameter.

    6. context

      The context is not returned by this function, but required as parameter to decrypt_response_body.

    7. Expand(Extract("", config), "odoh key id", Nh)

      config contains kem_id, kdf_id, aead_id, and the public key. Why is entropy extraction needed here?

  2. Nov 2019
  3. Oct 2018
  4. Mar 2018