encpedpop: Unify deckey and seed
ChillDKG anyway passes the hostseckey for both, so this was potentially
confusing to readers of the code. This change is in line with BlockstreamResearch#42.
real-or-random committed Oct 1, 2024
1 parent 813ce8a commit 8aa8b10
Showing 2 changed files with 8 additions and 9 deletions.
7 changes: 3 additions & 4 deletions README.md
Expand Up @@ -277,8 +277,7 @@ Our variant of the SimplPedPop protocol then works as follows:
EncPedPop is a thin wrapper around SimplPedPop that takes care of encrypting the VSS shares
so that they can be sent over an insecure communication channel.

As in SimplPedPop, every EncPedPop participant holds a long-term secret seed.
Every participant derives from this seed a static, long-term ECDH key pair consisting of a secret decryption key and a public encryption key.
As in SimplPedPop, every EncPedPop participant holds a long-term, static key ECDH pair consisting of a secret decryption key and a public encryption key.
It is assumed that every participant has an authentic copy of every other participant's encryption key.

The encryption relies on ephemeral-static ECDH key exchange.
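Review bot: the added sentence has a word-order typo, "long-term, static key ECDH pair" should read "long-term, static ECDH key pair". The opening "As in SimplPedPop" also no longer fits now that the sentence describes an ECDH key pair rather than a seed: a SimplPedPop participant holds a seed, not an encryption key pair, so consider "Every EncPedPop participant holds a long-term, static ECDH key pair consisting of a secret decryption key and a public encryption key." and, if the parallel is wanted, state separately that the decryption key takes the role SimplPedPop's seed has.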
Expand All @@ -291,8 +290,8 @@ the static encryption key and the index `j` of the recipient.[^mr-kem]

[^mr-kem]: This implements a multi-recipient multi-key key encapsulation mechanism (MR-MK-KEM) secure under the static Diffie-Hellman assumption [[Theorem 2, PPS14](https://doi.org/10.1145/2590296.2590329)].

Every participant derives an ephemeral *session seed* passed down to SimplPedPop from their long-term seed and their public encryption nonce.
Moreover, all encryption keys of all participants is included in the derivation to ensure that different sets of participants will have different SimplPedPop sessions,
Every participant derives an ephemeral *session seed*, to be passed down to SimplPedPop, from their decryption key, their public encryption nonce, and fresh randomness.
Additionally, all encryption keys of all participants are included in the derivation to ensure that different sets of participants will have different SimplPedPop sessions,
even in the case that the randomness for deriving the encryption nonce pair is accidentally reused.

EncPedPop then works like SimplPedPop with the following differences:
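Review bot: the new sentence lists "fresh randomness" as a direct input to the session seed, but in encpedpop.py the session seed is derived as prf(deckey, "encpedpop seed", pubnonce + enc_context); the randomness enters only indirectly, through pubnonce (secnonce is prf(deckey, ..., random + enc_context) and pubnonce is its public key). Suggest "from their decryption key and their public encryption nonce (which is itself derived from fresh randomness)" so the README matches the code, and so the next sentence about the randomness being accidentally reused does not read as contradicting the word "fresh".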
10 changes: 5 additions & 5 deletions python/chilldkg_ref/encpedpop.py
Expand Up @@ -125,12 +125,12 @@ def serialize_enc_context(t: int, enckeys: List[bytes]) -> bytes:
return t.to_bytes(4, byteorder="big") + b"".join(enckeys)


def derive_session_seed(seed: bytes, pubnonce: bytes, enc_context: bytes) -> bytes:
return prf(seed, "encpedpop seed", pubnonce + enc_context)
def derive_session_seed(deckey: bytes, pubnonce: bytes, enc_context: bytes) -> bytes:
return prf(deckey, "encpedpop seed", pubnonce + enc_context)


def participant_step1(
seed: bytes,
deckey: bytes,
t: int,
enckeys: List[bytes],
idx: int,
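Review bot: renaming the parameter from seed to deckey changes the signatures of derive_session_seed and participant_step1, so any caller that passes seed= by keyword breaks; the commit message says ChillDKG passes the hostseckey positionally for both, but the rename is still worth a line in the commit message or changelog. Since deckey now serves both as the ECDH decryption scalar and as the PRF key for secnonce and the session seed, a short comment above derive_session_seed saying this is the same long-term secret on purpose (as the README change states) would serve the readers the commit message is aiming at.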
Expand All @@ -142,14 +142,14 @@ def participant_step1(

# Create a synthetic encryption nonce
enc_context = serialize_enc_context(t, enckeys)
secnonce = prf(seed, "encpodpop secnonce", random + enc_context)
secnonce = prf(deckey, "encpodpop secnonce", random + enc_context)
# This can be optimized: We serialize the pubnonce here, but ecdh will need
# to deserialize it again, which involves computing a square root to obtain
# the y coordinate.
pubnonce = pubkey_gen_plain(secnonce)
# Add enc_context again to the derivation of the session seed, just in case
# someone derives secnonce differently.
session_seed = derive_session_seed(seed, pubnonce, enc_context)
session_seed = derive_session_seed(deckey, pubnonce, enc_context)

simpl_state, simpl_pmsg, shares = simplpedpop.participant_step1(
session_seed, t, n, idx
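Review bot: the domain separation tag on the secnonce line, "encpodpop secnonce", is misspelled; the session seed two lines below uses "encpedpop seed". Because the tag is an input to prf and fixes the derived value, correcting it later changes outputs, so this is the moment to fix it while the line is already being rewritten, e.g. secnonce = prf(deckey, "encpedpop secnonce", random + enc_context). The surrounding comment ("just in case someone derives secnonce differently") is a good reason to also name in that comment which inputs pubnonce already commits to, so a future reader can see why enc_context is fed into derive_session_seed twice.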
