XSTREAM
XSTREAM is a public key encryption system combining X25519 Elliptic Curve Diffie-Hellman (RFC 7748) with the STREAM construction.
The implementations in this repository are built on top of the Miscreant misuse-resistant symmetric encryption library, which provides the AES-SIV and AES-PMAC-SIV algorithms.
- Public Key (P): X25519 public key of the recipient
- Salt (optional): Additional domain separation string to pass to HKDF
- Ephemeral Public Key (E): Random X25519 public key used to decrypt the message
- Derived Symmetric Key (k): Uniformly random symmetric key to be used in conjunction with STREAM (as Ek in the STREAM diagram below)
STREAM is a construction which, when combined with AES-SIV or AES-PMAC-SIV, provides online/streaming authenticated encryption and defends against reordering and truncation attacks.
The algorithm was designed by cryptographer Phil Rogaway and is described in the paper Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance, in which it is formally proven to have the properties of a nonce-based online authenticated encryption (nOAE) construction (see Section 7, p. 18).
For more information, please see the STREAM page in the Miscreant Wiki.
NOTE: As XSTREAM derives a unique symmetric key every time the KDF is invoked, and also supports an optional salt value passed directly to HKDF, the N parameter passed to the underlying STREAM construction is fixed to all-zeroes.
The XSTREAM API is explicitly designed to prevent encrypting more than one message under the same ephemeral key.
There are two variants of XSTREAM, both providing a 128-bit security level:
- XSTREAM_X25519_HKDF_SHA256_AES128_SIV
  - Key Agreement: X25519
  - KDF: HMAC-SHA-256
  - Symmetric Cipher: AES-128-SIV
- XSTREAM_X25519_HKDF_SHA256_AES128_PMAC_SIV
  - Key Agreement: X25519
  - KDF: HMAC-SHA-256
  - Symmetric Cipher: AES-128-PMAC-SIV
XSTREAM constructions providing security levels higher than 128-bit are not presently specified; however, it would be possible to build one using the X448 elliptic curve for key agreement, HKDF-SHA-512 for key derivation, and AES-SIV/AES-PMAC-SIV in conjunction with AES-256. See Issue #6 for more information.