... | ... | @@ -12,7 +12,7 @@ We use || to denote concatenation, double quotes to denote an ASCII string, int( |
|
|
|
|
|
BTP uses the following cryptographic primitives:
|
|
|
|
|
|
* A message authentication code, MAC(k, m)
|
|
|
* A pseudo-random function, MAC(k, m)
|
|
|
* An authenticated cipher, ENC(k, n, m) and DEC(k, n, m), where n is a nonce
|
|
|
* A random number generator, R(n), with an output length of n bytes. R(n) must be either a true random number generator or a cryptographically secure pseudo-random number generator.
|
|
|
|
... | ... | @@ -20,9 +20,9 @@ We use MAC(k, m) to define a key derivation function: |
|
|
|
|
|
* `KDF(k, x_1, ..., x_n) == MAC(k, len(x_1) || x_1 || ... || len(x_n) || x_n)`
|
|
|
|
|
|
All keys are KEY_LEN bytes and all nonces are NONCE_LEN bytes. The output of MAC(k, m) is MAC_LEN bytes, and the output of ENC(k, n, m) is AUTH_LEN bytes longer than m. For simplicity we require that MAC_LEN == KEY_LEN.
|
|
|
All keys are KEY_LEN bytes and all nonces are NONCE_LEN bytes. The output of MAC(k, m) is MAC_LEN bytes. The output of ENC(k, n, m) is AUTH_LEN bytes longer than m. For simplicity we require that MAC_LEN == KEY_LEN.
|
|
|
|
|
|
> Implementation note: We propose to use keyed BLAKE2s as the message authentication code and XSalsa20/Poly1305 as the authenticated cipher. This gives KEY_LEN = MAC_LEN = 32, NONCE_LEN = 24, and AUTH_LEN = 16.
|
|
|
> Implementation note: We propose to use keyed BLAKE2s as the pseudo-random function and XSalsa20/Poly1305 as the authenticated cipher. This gives KEY_LEN = MAC_LEN = 32, NONCE_LEN = 24, and AUTH_LEN = 16.
|
|
|
|
|
|
### Initial state
|
|
|
|
... | ... | |