Move client key derivation parameters to client input options (#100)

* Move client key derivation parameters to input options

Signed-off-by: bytemare <[email protected]>

* remove unnecessary test

Signed-off-by: bytemare <[email protected]>

* update ecc

Signed-off-by: bytemare <[email protected]>

---------

Signed-off-by: bytemare <[email protected]>

Author: bytemare

client.go

@@ -65,11 +65,11 @@ func (c *Client) GetConf() *internal.Configuration {
 }
 
 // buildPRK derives the randomized password from the OPRF output.
-func (c *Client) buildPRK(evaluation *ecc.Element) []byte {
+func (c *Client) buildPRK(evaluation *ecc.Element, ksfSalt, kdfSalt []byte, ksfLength int) []byte {
 	output := c.OPRF.Finalize(evaluation)
-	stretched := c.conf.KSF.Harden(output, c.conf.KSFSalt, c.conf.Hash.Size())
+	stretched := c.conf.KSF.Harden(output, ksfSalt, ksfLength)
 
-	return c.conf.KDF.Extract(nil, encoding.Concat(output, stretched))
+	return c.conf.KDF.Extract(kdfSalt, encoding.Concat(output, stretched))
 }
 
 // ClientRegistrationInitOptions enables setting internal client values for the client registration.
@@ -106,31 +106,50 @@ type ClientRegistrationFinalizeOptions struct {
 	ServerIdentity []byte
 	// EnvelopeNonce : optional.
 	EnvelopeNonce []byte
+	// KDFSalt: optional.
+	KDFSalt []byte
+	// KSFSalt: optional.
+	KSFSalt []byte
+	// KSFParameters: optional.
+	KSFParameters []int
+	// KSFLength: optional.
+	KSFLength uint32
 }
 
-func initClientRegistrationFinalizeOptions(options []ClientRegistrationFinalizeOptions) *keyrecovery.Credentials {
+func (c *Client) initClientRegistrationFinalizeOptions(
+	options []ClientRegistrationFinalizeOptions,
+) (*keyrecovery.Credentials, []byte, []byte, int) {
 	if len(options) == 0 {
 		return &keyrecovery.Credentials{
 			ClientIdentity: nil,
 			ServerIdentity: nil,
 			EnvelopeNonce:  nil,
-		}
+		}, nil, nil, c.conf.Group.ElementLength()
+	}
+
+	if len(options[0].KSFParameters) != 0 {
+		c.conf.KSF.Parameterize(options[0].KSFParameters...)
+	}
+
+	ksfLength := int(options[0].KSFLength)
+	if ksfLength == 0 {
+		ksfLength = c.conf.Group.ElementLength()
 	}
 
 	return &keyrecovery.Credentials{
 		ClientIdentity: options[0].ClientIdentity,
 		ServerIdentity: options[0].ServerIdentity,
 		EnvelopeNonce:  options[0].EnvelopeNonce,
-	}
+	}, options[0].KSFSalt, options[0].KDFSalt, ksfLength
 }
 
 // RegistrationFinalize returns a RegistrationRecord message given the identities and the server's RegistrationResponse.
 func (c *Client) RegistrationFinalize(
 	resp *message.RegistrationResponse,
 	options ...ClientRegistrationFinalizeOptions,
 ) (record *message.RegistrationRecord, exportKey []byte) {
-	credentials := initClientRegistrationFinalizeOptions(options)
-	randomizedPassword := c.buildPRK(resp.EvaluatedMessage)
+	credentials, ksfSalt, kdfSalt, ksfLength := c.initClientRegistrationFinalizeOptions(options)
+	randomizedPassword := c.buildPRK(resp.EvaluatedMessage, ksfSalt, kdfSalt, ksfLength)
 	maskingKey := c.conf.KDF.Expand(randomizedPassword, []byte(tag.MaskingKey), c.conf.KDF.Size())
 	envelope, clientPublicKey, exportKey := keyrecovery.Store(c.conf, randomizedPassword, resp.Pks, credentials)
 
@@ -151,20 +170,16 @@ type GenerateKE1Options struct {
 	// AKENonce: optional.
 	AKENonce []byte
 	// AKENonceLength: optional, overrides the default length of the nonce to be created if no nonce is provided.
-	AKENonceLength uint
-}
-
-func (c GenerateKE1Options) get() (*ecc.Scalar, ake.Options) {
-	return c.OPRFBlind, ake.Options{
-		KeyShareSeed: c.KeyShareSeed,
-		Nonce:        c.AKENonce,
-		NonceLength:  c.AKENonceLength,
-	}
+	AKENonceLength uint32
 }
 
 func getGenerateKE1Options(options []GenerateKE1Options) (*ecc.Scalar, ake.Options) {
 	if len(options) != 0 {
-		return options[0].get()
+		return options[0].OPRFBlind, ake.Options{
+			KeyShareSeed: options[0].KeyShareSeed,
+			Nonce:        options[0].AKENonce,
+			NonceLength:  options[0].AKENonceLength,
+		}
 	}
 
 	return nil, ake.Options{
@@ -191,20 +206,37 @@ type GenerateKE3Options struct {
 	ClientIdentity []byte
 	// ServerIdentity: optional.
 	ServerIdentity []byte
+	// KDFSalt: optional.
+	KDFSalt []byte
+	// KSFSalt: optional.
+	KSFSalt []byte
+	// KSFParameters: optional.
+	KSFParameters []int
+	// KSFLength: optional.
+	KSFLength uint32
 }
 
-func initGenerateKE3Options(options []GenerateKE3Options) *ake.Identities {
+func (c *Client) initGenerateKE3Options(options []GenerateKE3Options) (*ake.Identities, []byte, []byte, int) {
 	if len(options) == 0 {
 		return &ake.Identities{
 			ClientIdentity: nil,
 			ServerIdentity: nil,
-		}
+		}, nil, nil, c.conf.Group.ElementLength()
+	}
+
+	if len(options[0].KSFParameters) != 0 {
+		c.conf.KSF.Parameterize(options[0].KSFParameters...)
+	}
+
+	ksfLength := int(options[0].KSFLength)
+	if ksfLength == 0 {
+		ksfLength = c.conf.Group.ElementLength()
 	}
 
 	return &ake.Identities{
 		ClientIdentity: options[0].ClientIdentity,
 		ServerIdentity: options[0].ServerIdentity,
-	}
+	}, options[0].KSFSalt, options[0].KDFSalt, ksfLength
 }
 
 // GenerateKE3 returns a KE3 message given the server's KE2 response message and the identities. If the idc
@@ -221,10 +253,10 @@ func (c *Client) GenerateKE3(
 		return nil, nil, errInvalidMaskedLength
 	}
 
-	identities := initGenerateKE3Options(options)
+	identities, ksfSalt, kdfSalt, ksfLength := c.initGenerateKE3Options(options)
 
 	// Finalize the OPRF.
-	randomizedPassword := c.buildPRK(ke2.EvaluatedMessage)
+	randomizedPassword := c.buildPRK(ke2.EvaluatedMessage, ksfSalt, kdfSalt, ksfLength)
 
 	// Decrypt the masked response.
 	serverPublicKey, serverPublicKeyBytes,

examples_test.go

@@ -48,14 +48,12 @@ func Example_configuration() {
 	defaultConf := opaque.DefaultConfiguration()
 
 	customConf := &opaque.Configuration{
-		OPRF: opaque.RistrettoSha512,
-		KDF:  crypto.SHA512,
-		MAC:  crypto.SHA512,
-		Hash: crypto.SHA512,
-		KSF: opaque.KSFConfiguration{
-			Identifier: ksf.Argon2id,
-		},
+		OPRF:    opaque.RistrettoSha512,
 		AKE:     opaque.RistrettoSha512,
+		KSF:     ksf.Argon2id,
+		KDF:     crypto.SHA512,
+		MAC:     crypto.SHA512,
+		Hash:    crypto.SHA512,
 		Context: nil,
 	}
 
@@ -81,7 +79,7 @@ func Example_configuration() {
 
 	fmt.Println("OPAQUE configuration is easy!")
 
-	// Output: Encoded Configuration: 010707070101000000000000
+	// Output: Encoded Configuration: 0101010707070000
 	// OPAQUE configuration is easy!
 }
 

go.mod

@@ -3,7 +3,7 @@ module github.com/bytemare/opaque
 go 1.24.2
 
 require (
-	github.com/bytemare/ecc v0.8.5
+	github.com/bytemare/ecc v0.9.0
 	github.com/bytemare/hash v0.5.2
 	github.com/bytemare/ksf v0.3.0
 )
@@ -12,7 +12,7 @@ require (
 	filippo.io/edwards25519 v1.1.0 // indirect
 	filippo.io/nistec v0.0.3 // indirect
 	github.com/bytemare/hash2curve v0.5.4 // indirect
-	github.com/bytemare/secp256k1 v0.2.2 // indirect
+	github.com/bytemare/secp256k1 v0.3.0 // indirect
 	github.com/gtank/ristretto255 v0.1.2 // indirect
 	golang.org/x/crypto v0.38.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect

go.sum

@@ -2,16 +2,16 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 filippo.io/nistec v0.0.3 h1:h336Je2jRDZdBCLy2fLDUd9E2unG32JLwcJi0JQE9Cw=
 filippo.io/nistec v0.0.3/go.mod h1:84fxC9mi+MhC2AERXI4LSa8cmSVOzrFikg6hZ4IfCyw=
-github.com/bytemare/ecc v0.8.5 h1:6GhdqyJlXqMPoQ5EM1nzC/2QrM1vSzTKpZ4y/HlzkfE=
-github.com/bytemare/ecc v0.8.5/go.mod h1:qdA3X7uwWcux0AMTco4cdmY5lnjcCTgSNrhbknsOGlY=
+github.com/bytemare/ecc v0.9.0 h1:6+gqn9l63bd82nQVwIpW3LFtsnIsy8V4mvlybAYq6II=
+github.com/bytemare/ecc v0.9.0/go.mod h1:3sdNyM1oi4YwcUkxlogZT/CnahwrH38T7a1wc8JsICQ=
 github.com/bytemare/hash v0.5.2 h1:quCTPpPMh+Elg1autId1hQhI6QyVKj3d9Prn0l2X8oY=
 github.com/bytemare/hash v0.5.2/go.mod h1:SfyIe/M9RA+p48z/kYLMJCMVYepaLLkvxrnnqUaY6Yw=
 github.com/bytemare/hash2curve v0.5.4 h1:WLgEKcoZKHZ41a/TApFMxhaLYHNh9lL2DNAIZCVCLuM=
 github.com/bytemare/hash2curve v0.5.4/go.mod h1:XxXWaFy2g3AsIPovVp4Q8g9GDHNfr2NStnYNC+z1WRo=
 github.com/bytemare/ksf v0.3.0 h1:5gxry79Ql6TcBfgKFJqFQA3GmTbWP7660zwvb5NaNek=
 github.com/bytemare/ksf v0.3.0/go.mod h1:QJDwBqGhcd1G5mx+Hir5a0pxRIzRdAXUbR9dSDp6dTU=
-github.com/bytemare/secp256k1 v0.2.2 h1:cTHROEWfo6Qj37xNkUh9e6dvTBnwCXMAmUqKNtRs4To=
-github.com/bytemare/secp256k1 v0.2.2/go.mod h1:Z2HjKm36tC+Qz51fe1eqMsAM99oTTNlvSuPmPyVXGm0=
+github.com/bytemare/secp256k1 v0.3.0 h1:Te2HjAtTRKbqRDBOIMKDFkILTqd6YZ+sIgXvrJ7BaB0=
+github.com/bytemare/secp256k1 v0.3.0/go.mod h1:Z2HjKm36tC+Qz51fe1eqMsAM99oTTNlvSuPmPyVXGm0=
 github.com/gtank/ristretto255 v0.1.2 h1:JEqUCPA1NvLq5DwYtuzigd7ss8fwbYay9fi4/5uMzcc=
 github.com/gtank/ristretto255 v0.1.2/go.mod h1:Ph5OpO6c7xKUGROZfWVLiJf9icMDwUeIvY4OmlYW69o=
 golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=

internal/ake/3dh.go

@@ -10,8 +10,6 @@
 package ake
 
 import (
-	"math"
-
 	"github.com/bytemare/ecc"
 
 	"github.com/bytemare/opaque/internal"
@@ -68,7 +66,7 @@ type Options struct {
 	// Nonce: optional.
 	Nonce []byte
 	// NonceLength: optional, overrides the default length of the nonce to be created if no nonce is provided.
-	NonceLength uint
+	NonceLength uint32
 }
 
 func (o *Options) init() {
@@ -80,12 +78,8 @@ func (o *Options) init() {
 		o.NonceLength = internal.NonceLength
 	}
 
-	if o.NonceLength > math.MaxInt {
-		panic("invalid nonce length")
-	}
-
 	if len(o.Nonce) == 0 {
-		o.Nonce = internal.RandomBytes(int(o.NonceLength)) //nolint:gosec // overflow is checked beforehand.
+		o.Nonce = internal.RandomBytes(int(o.NonceLength))
 	}
 }
 

internal/configuration.go

@@ -36,7 +36,6 @@ type Configuration struct {
 	MAC          *Mac
 	Hash         *Hash
 	KSF          *KSF
-	KSFSalt      []byte
 	OPRF         oprf.Identifier
 	Context      []byte
 	NonceLen     int

internal/hash.go

@@ -108,6 +108,9 @@ type KSF struct {
 type ksfInterface interface {
 	// Harden uses default parameters for the key derivation function over the input password and salt.
 	Harden(password, salt []byte, length int) []byte
+
+	// Parameterize replaces the functions parameters with the new ones.
+	// Must match the amount of parameters for the KSF.
 	Parameterize(parameters ...int)
 }