{
title: Elligator
description: A way to hide a cryptographic key exchange using
elliptic curves as random noise.
}
**Elligator** is a way to hide a cryptographic key exchange using
elliptic curves as random noise,
devised by Daniel J. Bernstein,
Mike Hamburg,
Anna Krasnova, and
Tanja Lange.

When do you need Elligator?
---------------------------

Elligator addresses a specific problem:
you need to perform a cryptographic key exchange protocol,
_and hide the very fact that you are using cryptography_.
A cryptographic key exchange can happen in various forms.
The most popular ones often use Diffie-Hellman key exchanges and send
random public keys over the network.
Problem is, random public keys are not random bytes.
A passive eavesdropper can easily spot the difference,
and notice that you are trying to exchange keys.
This is when Elligator comes in.
It maps uniformly distributed random numbers to certain types of
elliptic curve points, and back.
This effectively allows you to turn random public keys into actual
random bytes,
which hides metadata and facilitates steganography.
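
To make the difference a passive observer relies on concrete, here is an added example (not part of this page's original text or of the reference implementation). It assumes Curve25519/X25519 public keys as defined in RFC 7748, a curve this page does not name: every real public key `u` makes `u^3 + 486662*u^2 + u` a square modulo `2^255 - 19`, while only about half of uniformly random 32-byte strings do. Protocol designers can run the same check on their own handshake bytes.

```python
import os

P = 2**255 - 19   # Curve25519 field prime (assumed curve, see lead-in)
A = 486662        # Montgomery curve: v^2 = u^3 + A*u^2 + u

def on_curve(u_bytes):
    """True if the 32 bytes decode to the u-coordinate of a curve point."""
    u = (int.from_bytes(u_bytes, "little") & (2**255 - 1)) % P  # drop bit 255
    rhs = (u**3 + A * u**2 + u) % P
    return pow(rhs, (P - 1) // 2, P) in (0, 1)  # Euler's criterion

def x25519_public(secret):
    """RFC 7748 X25519 on base point u = 9. Not constant time: demo only."""
    k = int.from_bytes(secret, "little")
    k = (k & ~7 & (2**255 - 1)) | 2**254  # clamp the scalar
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def on_curve_rate(samples):
    """Fraction of 32-byte strings that pass the curve-membership test."""
    return sum(on_curve(s) for s in samples) / len(samples)

if __name__ == "__main__":
    keys = [x25519_public(os.urandom(32)) for _ in range(200)]
    noise = [os.urandom(32) for _ in range(200)]
    print("real public keys on curve:", on_curve_rate(keys))   # always 1.0
    print("random strings on curve:  ", on_curve_rate(noise))  # about 0.5
```

A stream of handshakes whose first 32 bytes pass this test every time is therefore distinguishable from noise after a handful of observations, which is the gap an Elligator encoding closes.
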

Who is this website for?
------------------------

We are a secondary resource aimed at implementers of cryptographic
protocols that use Elligator.
We assume some familiarity with terms commonly used in elliptic curve
cryptography.
If you need an introduction or a refresher,
we recommend the excellent [“ECCHacks” talk by Daniel
J. Bernstein and Tanja Lange][ECCHacks].
[ECCHacks]: https://media.ccc.de/v/31c3_-_6369_-_en_-_saal_1_-_201412272145_-_ecchacks_-_djb_-_tanja_lange
The canonical, primary resource for learning about Elligator is the
paper [Daniel J. Bernstein, Mike Hamburg, Anna Krasnova, Tanja
Lange. Elligator: Elliptic-curve points indistinguishable from uniform
random strings. ACM Conference on Computer and Communications Security
2013, pp. 967–980][paper].
[paper]: https://dl.acm.org/doi/10.1145/2508859.2516734

Is Elligator the solution to censorship-resistance?
---------------------------------------------------

It is *part of* the solution.
Elligator can hide positive proof that a cryptographic key exchange is
taking place.
It goes without saying, however, that it is exceedingly unlikely for
two hosts to just send each other random data;
the mere presence of sequences of random bytes in and of itself remains
suspicious.
Protocols that adopt Elligator need to have a bigger picture view of
the threat model and how to maintain plausible deniability.
Additionally, Elligator won’t help you if you’re already the victim of
[rubber-hose cryptanalysis](https://xkcd.com/538/).

What other applications does Elligator have?
--------------------------------------------

Elligator is not limited to plausible deniability and
censorship-resistance.
A number of cryptographic protocols need a way to map an arbitrary input
to an elliptic curve point _whose factorisation is unknown_
(“hashing to an elliptic curve”),
such as verifiable random functions (VRFs) and oblivious pseudorandom
functions (OPRFs).
Elligator provides a critical part for implementing these kinds of
cryptographic protocol elements.

Show me the code.
-----------------

We have a list of [known implementations](implementations).
We also made a reference implementation
([html](src), [tarball](/elligator-reference.tar.gz))
in Python (not for production).
If you want to implement Elligator yourself
you should read [how Elligator works](map),
and [how to apply it safely](key-exchange).
Then you can copy the [explicit formulas](formulas)
and test it with our [test vectors](vectors).

Legal
-----

The pseudocode presented on any of these pages,
including explicit formulas,
is provided under either of these terms:

- [CC0-1.0](https://creativecommons.org/publicdomain/zero/1.0/legalcode)
- [2-clause BSD](/LICENSE.SNIPPETS.2BSD)
If a page or file hosted on this domain indicates different terms,
then those different terms take precedence.
This does not grant any additional rights with regard to the other
parts of this website;
in particular, no additional rights are granted for the body text,
design, CSS or HTML.