akwizgran created page: BQP

BTP.markdown

@@ -15,6 +15,10 @@ BTP uses the following cryptographic primitives:
 * A message authentication code, MAC(k, m)
 * An authenticated cipher, ENC(k, n, m) and DEC(k, n, m), where n is a nonce
 
+We use MAC(k, m) to define a key derivation function:
+
+* `KDF(k, x_1, ..., x_n) == MAC(k, len(x_1) || x_1 || ... || len(x_n) || x_n)`
+
 All keys are KEY_LEN bytes and all nonces are NONCE_LEN bytes. The output of MAC(k, m) is MAC_LEN bytes, and the output of ENC(k, n, m) is AUTH_LEN bytes longer than m. For simplicity we require that MAC_LEN == KEY_LEN.
 
 > Implementation note: The current implementation uses HMAC-SHA-256 as the message authentication code and AES-256-GCM as the authenticated cipher. In the next release we propose to use keyed BLAKE2s as the message authentication code and XSalsa20/Poly1305 as the authenticated cipher. This gives KEY_LEN = 32, MAC_LEN = 32, NONCE_LEN = 24, and AUTH_LEN = 16.
@@ -36,10 +40,6 @@ The devices must also agree which of them will play the role of Alice and which
 
 ### Key derivation
 
-BTP's key derivation function is based on a message authentication code:
-
-* `KDF(k, x_1, ..., x_n) == MAC(k, len(x_1) || x_1 || ... || len(x_n) || x_n)`
-
 Each device derives four initial keys from S:
 
 * `atk = KDF(S, "ALICE_TAG_KEY")`