
Clarify ristretto255 and journalist fetching key usage #135

Merged: cfm merged 6 commits into main from clarify-spec-ristretto255 on Jan 21, 2026

Conversation

@rocodes (Contributor)

@rocodes rocodes commented Dec 19, 2025

Description

  • Clarify where we use ristretto255 keys as opposed to plain curve25519. For now this avoids talking about the curve25519 keys in dh-akem; this is just about the fetching key and ephemeral clue keys. The intention is to at minimum convey our use of ristretto255 for fetching and the fetching challenges. Terminology/notation not my strong suit so please feel free to make adjustments if it's clunky (cc @redshiftzero)

  • In addition, clarify that the fetching key is signed+sent once, on enrollment, and is not part of every journalist one-time key bundle (sign each journalist's fetching key once and return in "welcome bundle" #127)

Fixes #127
Fixes #128

rocodes force-pushed the clarify-spec-ristretto255 branch from 460b62a to 1778a2e on January 5, 2026 21:58
@rocodes rocodes requested review from cfm and redshiftzero January 5, 2026 22:11
@rocodes rocodes changed the title [wip] Clarify ristretto255 and journalist fetching key usage Clarify ristretto255 and journalist fetching key usage Jan 5, 2026
@rocodes rocodes marked this pull request as ready for review January 5, 2026 22:12
@cfm cfm added this to SecureDrop Jan 6, 2026
@cfm cfm moved this to Ready For Review in SecureDrop Jan 6, 2026
@cfm cfm moved this from Ready For Review to Under Review in SecureDrop Jan 8, 2026
@cfm (Member) left a review comment

Thanks, @rocodes! Looks great; no substantive changes here, just proofreading for consistency.

@cfm cfm assigned rocodes and unassigned cfm Jan 8, 2026
@cfm (Member) commented Jan 21, 2026

Two further notes here from #156, which builds on this branch:

  • Clarify where we use ristretto255 keys as opposed to plain curve25519. For now this avoids talking about the curve25519 keys in dh-akem; this is just about the fetching key and ephemeral clue keys. The intention is to at minimum convey our use of ristretto255 for fetching and the fetching challenges. Terminology/notation not my strong suit so please feel free to make adjustments if it's clunky (cc @redshiftzero)

#156 (comment)

I took the liberty of adding a TODO for the welcome bundle itself, which I don't believe is specified yet despite the reference to #127? In the interest of getting this and #156 in sooner rather than later, I'd be happy to draft that this sprint.

@rocodes (Contributor, Author) commented Jan 21, 2026

@cfm thank you for review! I'll push changes presently. re comments:

  • The "welcome bundle" as far as the protocol is concerned is RequestKeys in step 5, so I think we're ok unless you think we should add more details
  • Re co-pilot's suggestion about my footnote, I don't think it's better/clearer? I can just change it to "Fetching KeyGen uses the Ristretto255 prime order group" if that works for you? I just want it to be as simple and clear as possible

rocodes force-pushed the clarify-spec-ristretto255 branch from 1778a2e to ae89879 on January 21, 2026 17:47
@cfm (Member) commented Jan 21, 2026

  • The "welcome bundle" as far as the protocol is concerned is RequestKeys in step 5, so I think we're ok unless you think we should add more details

Ah, yes: $pk_J^{fetch}$ is still retained per J, just not per J_i. I'd somehow gotten it into my head that the "welcome bundle" idea implies a new per-session request in addition to the per-message RequestKeys. But I see now that that's more like #56 (comment) and not necessary here.

  • Re co-pilot's suggestion about my footnote, I don't think it's better/clearer? I can just change it to "Fetching KeyGen uses the Ristretto255 prime order group" if that works for you? I just want it to be as simple and clear as possible

Sure; just thought I'd pass it along. I think it's just being finicky about what it means to restrict the KDF() output to Ristretto. I'll defer to you (and rebase all of #156 with whatever you decide here).

rocodes force-pushed the clarify-spec-ristretto255 branch 2 times, most recently from a41ea46 to 5be1ed8 on January 21, 2026 17:51
Review comment on lines +511 to +514 of the spec:
[^8]: $\mathbb{Z}_\ell \text{ (ristretto255 scalar field)}$.

<!-- In protocol manuscript, $\mathcal{E}_H \subset \mathbb{Z}$ per Definition 4 of Alwen et al.
(2020), ["Analyzing the HPKE Standard"][alwen2020]. -->
@cfm (Member):

Simpler to keep the text out of LaTeX (but by all means let's keep the comment if you think we should document this divergence):

Suggested change

Before:
[^8]: $\mathbb{Z}_\ell \text{ (ristretto255 scalar field)}$.
<!-- In protocol manuscript, $\mathcal{E}_H \subset \mathbb{Z}$ per Definition 4 of Alwen et al.
(2020), ["Analyzing the HPKE Standard"][alwen2020]. -->

After:
[^8]: $\mathbb{Z}_\ell$ (ristretto255 scalar field).

@rocodes (Contributor, Author):

I'm gonna keep it if you don't hate it because it is a place where I'm using "formal" ish notation that isn't in the paper, and our future selves could ask "why" and then be glad we found this later.

The paper uses $\mathcal{E}_H \subset \mathbb{Z}$ to take advantage of pre-existing proofs, but we restrict things further than that. This might not be the exact right or necessary way to explain it ("cryptographers hate this one weird trick?" :/) so I'm open to revising later, e.g. based on @redshiftzero's or anyone's feedback, but I was trying to make sure it's clear that we know there's a difference and we are consistent throughout: if we say ristretto, we don't just say $\mathbb{Z}$.

@rocodes (Contributor, Author):

When I asked S about this, the comment was "it makes sense for the spec and the notation we use to diverge, and you might want to just use algorithms instead of the abstraction layer". I think we like the link to the abstractions so that people can cross-reference the docs, but just trying to kind of meet both needs I guess
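Added example, not code from this PR or from the SecureDrop project. It illustrates, for the description's point about using ristretto255 rather than plain curve25519 for the fetching key, and for the footnote thread above about restricting KDF output to $\mathbb{Z}_\ell$, what the prime-order group actually buys. X25519 operates on a curve of order $8\ell$, so points of small order exist, and a party handed one of them as a "public key" computes an attacker-predictable all-zero output no matter what its secret scalar is. That is the general problem class named in the title of linked issue #128; the specific attack from that issue is not reconstructed here. The RFC 7748 ladder below is pure Python; `LOW_ORDER_U`, `x25519_checked`, `fetching_scalar`, the SHA-512 wide reduction and its label are assumptions chosen for illustration, not the protocol's own algorithms.

```python
# Added example, not SecureDrop's own code: what "ristretto255 rather than plain
# curve25519" buys the fetching key. Pure Python (RFC 7748 arithmetic), no deps.
import hashlib

P = 2**255 - 19                                        # Curve25519 field prime
A24 = 121665                                           # (A - 2) / 4, A = 486662
ELL = 2**252 + 27742317777372353535851937790883648493  # ell, prime order of the main subgroup
BASEPOINT = (9).to_bytes(32, "little")                 # X25519 generator, u = 9

# u-coordinates of small-order points (RFC 7748 section 6.1 / libsodium's reject
# list). They exist because the curve has order 8 * ell; ristretto255 has none.
LOW_ORDER_U = [
    0, 1, P - 1,
    325606250916557431795983626356110631294008115727848805560023387167927233504,
    39382357235489614581723060781553021112529911719440698176882885853963445705823,
]


def u_bytes(u: int) -> bytes:
    return u.to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    # X25519 clamping: clearing the low 3 bits makes every scalar a multiple of 8,
    # which is exactly what sends any small-order input to the identity.
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    # RFC 7748 Montgomery ladder. x-only, not constant time: illustration only.
    x1 = (int.from_bytes(u, "little") & (2**255 - 1)) % P
    k_int = _clamp(k)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # The identity comes out as z2 == 0, so the "shared secret" is all zeros.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def small_order_outputs(k: bytes) -> list:
    # Every small-order u yields the same attacker-predictable value, whatever k is.
    return [x25519(k, u_bytes(u)) for u in LOW_ORDER_U]


def x25519_checked(k: bytes, u: bytes) -> bytes:
    # The patch-over libsodium applies: refuse the all-zero output. It is needed
    # only because X25519 works in a group of order 8 * ell; every decodable
    # ristretto255 element already has order ell, so there is nothing to refuse.
    out = x25519(k, u)
    if out == bytes(32):
        raise ValueError("small-order public key rejected")
    return out


def fetching_scalar(seed: bytes, label: bytes = b"constructed-fetch-label") -> int:
    # KDF output restricted to Z_ell, the ristretto255 scalar field, as the spec
    # footnote states. Reducing a 64-byte digest mod ell keeps the scalar within
    # 2^-256 of uniform; 0 is refused so the public element can never be the
    # identity. SHA-512 and the label are assumptions, not the protocol's KDF.
    wide = hashlib.sha512(label + seed).digest()
    s = int.from_bytes(wide, "little") % ELL
    if s == 0:
        raise ValueError("degenerate fetching scalar")
    return s
```

Note the asymmetry the block makes visible: with X25519 the defence is a post-hoc check on the output (or a reject list of inputs), and forgetting it silently yields a constant. With ristretto255 the invariant holds by construction at decode time, which is why the spec can say "Fetching KeyGen uses the Ristretto255 prime order group" and restrict scalars to $\mathbb{Z}_\ell$ without any clamping or zero check.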

rocodes force-pushed the clarify-spec-ristretto255 branch from 5be1ed8 to 39ed84c on January 21, 2026 20:00
@rocodes (Contributor, Author) commented Jan 21, 2026

Rebased; kept ristretto255.KGen() even though I acknowledge it doesn't fit the exact same pattern we use everywhere; addressed other comments (I think/hope)!

rocodes force-pushed the clarify-spec-ristretto255 branch from 39ed84c to add85ac on January 21, 2026 20:01
provide consistent notation wherever we are using ristretto255 (hint and
fetching key).
@cfm (Member) left a review comment

Thanks, @rocodes—including for workshopping it with me.

@cfm cfm added this pull request to the merge queue Jan 21, 2026
Merged via the queue into main with commit b652b85 Jan 21, 2026
16 checks passed
@github-project-automation github-project-automation bot moved this from Under Review to Done in SecureDrop Jan 21, 2026
@cfm cfm mentioned this pull request Jan 22, 2026
cfm added a commit that referenced this pull request Jan 22, 2026
cfm added a commit that referenced this pull request Jan 22, 2026
cfm added a commit that referenced this pull request Jan 23, 2026
@nathandyer nathandyer removed this from SecureDrop Feb 2, 2026

Linked issues (closed by merging this pull request):

  • Small-order subgroup attack in X25519-based message fetching
  • sign each journalist's fetching key once and return in "welcome bundle"