path: root/anastasis.rst
diff options
Diffstat (limited to 'anastasis.rst')
1 files changed, 7 insertions, 7 deletions
diff --git a/anastasis.rst b/anastasis.rst
index 1d34acd..9773e95 100644
--- a/anastasis.rst
+++ b/anastasis.rst
@@ -145,7 +145,7 @@ determined by an adversary performing a targeted attack, as a user's
likely also be available to other actors.
+.. code-block:: none
kdf_id := Argon2( identifier, server_salt, keysize )
@@ -173,7 +173,7 @@ generate the corresponding public key. Here, "ver" is used as a salt for the
HKDF to ensure that the result differs from other cases where we hash
+.. code-block:: none
ver_secret := HKDF(kdf_id, "ver", keysize)
eddsa_priv := eddsa_d_to_a(ver_secret)
@@ -190,7 +190,7 @@ HKDF to ensure that the result differs from other cases where we hash
**eddsa_d_to_a()**: Function which converts the ver_key to a valid EdDSA private key. Specifically, assuming the value eddsa_priv is in a 32-byte array "digest", the function clears and sets certain bits as follows:
+.. code-block:: none
digest[0] = (digest[0] & 0x7f) | 0x40;
digest[31] &= 0xf8;
@@ -208,7 +208,7 @@ symmetric key and an initialization vector (IV). To ensure that the
symmetric key changes for each encryption operation, we compute the
key material using an HKDF over a nonce and the kdf_id.
+.. code-block:: none
(iv,key) := HKDF(kdf_id, nonce, keysize + ivsize)
@@ -248,7 +248,7 @@ the **key_share**. To ensure that the key derivation for the encryption
of the **recovery document** differs fundamentally from that of an
individual **key share**, we use different salts ("erd" and "eks" respectively).
+.. code-block:: none
(iv0, key0) = HKDF(key_id, nonce0, "erd", keysize + ivsize)
(encrypted_recovery_document, aes_gcm_tag) = AES256_GCM(recovery_document, key0, iv0)
@@ -277,7 +277,7 @@ The EdDSA keys are used to sign the data sent from the client to the
server. Everything the client sends to server is signed. The following
algorithm is equivalent for **Anastasis-Policy-Signature**.
+.. code-block:: none
(anastasis-account-signature) = eddsa_sign(h_body, eddsa_priv)
ver_res = eddsa_verifiy(h_body, anastasis-account-signature, eddsa_pub)
@@ -291,7 +291,7 @@ algorithm is equivalent for **Anastasis-Policy-Signature**.
When requesting policy downloads, the client must also provide a signature:
+.. code-block:: none
(anastasis-account-signature) = eddsa_sign(version, eddsa_priv)
ver_res = eddsa_verifiy(version, anastasis-account-signature, eddsa_pub)