mirror of
https://source.quilibrium.com/quilibrium/ceremonyclient.git
synced 2024-12-27 17:15:18 +00:00
181 lines
8.5 KiB
Protocol Buffer
181 lines
8.5 KiB
Protocol Buffer
syntax = "proto3";
|
||
|
||
package quilibrium.node.channel.pb;
|
||
|
||
option go_package = "source.quilibrium.com/quilibrium/monorepo/node/protobufs";
|
||
|
||
import "keys.proto";
|
||
|
||
// Describes a general channel envelope for a message.
|
||
message P2PChannelEnvelope {
|
||
// A general protocol identifier as a uint32 – this is expected to rarely
|
||
// iterate, and should be uniquely identifying both protocol and version.
|
||
// Pragmatically speaking, this implies that the least significant byte
|
||
// specifies version (which should iterate most minimally), and the three most
|
||
// significant bytes should specify protocol. Recipients SHOULD ignore
|
||
// messages with incompatible protocol identifiers, but also SHOULD warn on
|
||
// identifiers with versions higher than the supported protocol. A large
|
||
// number of unsupported protocol messages may indicate spam/some other
|
||
// attack, whereas a large number of unsupported protocol versions may
|
||
// indicate an out of date client, respective to which side is the maximum of
|
||
// the version number.
|
||
uint32 protocol_identifier = 1;
|
||
|
||
// The encrypted message header. Message header encryption is mandatory –
|
||
// P2P channels in some cases pre-empt the mixnet and leaky information from
|
||
// unencrypted message headers could de-anonymize the recipient. It is thus
|
||
// also mandatory at the protocol implementation level that header sizes are
|
||
// consistent within a protocol so as to not leak metadata. An example of this
|
||
// is in Double and Triple-Ratchet, where the sequence identifiers MUST be
|
||
// encoded as fixed-length integers, as variable encoding can indicate a
|
||
// message being in the first 256, 65,536, etc. if an exchange is highly
|
||
// asymmetrical in sends/receives. This is especially critical in long
|
||
// running protocols with a need for fixed length messages (see message_body
|
||
// notes).
|
||
MessageCiphertext message_header = 2;
|
||
|
||
// The encrypted message body. Message bodies are variable length – ciphertext
|
||
// could range widely, however if this metadata is pertinent to determining
|
||
// protocol state, such as knowing what round an encapsulated protocol is in,
|
||
// or potentially what might be transferred over the protocol, protocol
|
||
// implementers SHOULD utilize chunking and send fixed length messages.
|
||
// Additionally, if rounds themselves are highly asymmetric or have
|
||
// long-standing processing times that could dangerously leak information of
|
||
// round state, implementers SHOULD defer protocol use to leverage the mixnet.
|
||
// If this is not feasible, the implementation details are left up to the
|
||
// exercise of the protocol author.
|
||
MessageCiphertext message_body = 3;
|
||
}
|
||
|
||
// Describes a general ciphertext payload.
|
||
message MessageCiphertext {
|
||
// The intialization vector used for encryption. While cipher specific,
|
||
// typically this should be a unique value for every ciphertext. If this is
|
||
// not the case for a protocol where it should be, this SHOULD be considered
|
||
// an invalid message and warned, as it could either indicate compromise,
|
||
// or a faulty cryptographic implementation – such as a faulty PKCS#11
|
||
// implementation that has a code path to handle HSM vendors which mandate
|
||
// zeroed IVs before passing into encryption methods, as they will update the
|
||
// IV within the HSM through hardware-supplied entropy.
|
||
bytes initialization_vector = 1;
|
||
|
||
// The raw ciphertext byte string. This will be cipher specific, however some
|
||
// general attributes are expected to be followed. If there is a common
|
||
// layout expected, such as AES-GCM having the GCM tag appended to the
|
||
// ciphertext, please follow the common layout.
|
||
bytes ciphertext = 2;
|
||
|
||
// The associated data byte string, if available. This will be highly protocol
|
||
// specific, but SHOULD NOT leak metadata.
|
||
bytes associated_data = 3;
|
||
}
|
||
|
||
// Describes the announcement of a new proving key.
|
||
message ProvingKeyAnnouncement {
|
||
// The commitment to a Schnorr proof of the Identity Key. The commitment is
|
||
// produced by taking a hash of the C and S components of the proof.
|
||
bytes identity_commitment = 1;
|
||
// The commitment to a Schnorr proof of the Signed Pre Key. The commitment is
|
||
// produced by taking a hash of the C and S components of the proof.
|
||
bytes prekey_commitment = 2;
|
||
|
||
oneof proving_key_signature {
|
||
quilibrium.node.keys.pb.Ed448Signature proving_key_signature_ed448 = 3;
|
||
}
|
||
}
|
||
|
||
// Represents a request for a proving key.
|
||
message ProvingKeyRequest {
|
||
bytes proving_key_bytes = 1;
|
||
}
|
||
|
||
// Describes the aggregation of inclusion commitments for a given clock frame
|
||
message InclusionAggregateProof {
|
||
// The filter in which the inclusion proof was produced.
|
||
bytes filter = 1;
|
||
// The frame number in which the inclusion proof was added.
|
||
uint64 frame_number = 2;
|
||
// The collection of inclusion commitments, in order.
|
||
repeated InclusionCommitment inclusion_commitments = 3;
|
||
// The raw serialized proof, mirroring the type of commitment scheme used
|
||
// within the inclusion proofs.
|
||
bytes proof = 4;
|
||
}
|
||
|
||
// Describes the commitment of a data's inclusion in a given clock frame
|
||
message InclusionCommitment {
|
||
// The filter in which the inclusion aggregate proof was produced.
|
||
bytes filter = 1;
|
||
// The frame number in which the inclusion aggregate proof was added.
|
||
uint64 frame_number = 2;
|
||
// The position of the data in the proof.
|
||
uint32 position = 3;
|
||
// The specific type url represented by the data.
|
||
string type_url = 4;
|
||
// The raw serialized data as incorporated into the inclusion proof. Due to
|
||
// the non-deterministic nature of protobuf serialization, this data is an
|
||
// opaque binary string so that inclusion proofs can be accurately assessed
|
||
// between various node implementations, and retain forwards-compatibility
|
||
// with additional properties in future revisions to types.
|
||
bytes data = 5;
|
||
// The raw serialized commitment. Similar to data, this commitment data is an
|
||
// opaque binary string so that future commitment types can be added without
|
||
// having to break the underlying inclusion structure.
|
||
bytes commitment = 6;
|
||
}
|
||
|
||
// Describes the announcement of both an identity key and signed pre key. This
|
||
// is expected to be used for the initial announcement of a key bundle, and
|
||
// subsequent full revocations if identity key and signed pre keys are both
|
||
// suspected of/known to be compromised. Signatures under KeyBundleAnnouncement
|
||
// are expected to be cross-signed, such that the signature on the identity key
|
||
// is produced through the prover key, the signature on the signed pre key is
|
||
// produced through the identity key. ProvingKeyAnnouncements may be repeated
|
||
// whenever a key bundle update is expected – only the first proving key
|
||
// announcement is retained in inclusion proofs, but the announcements
|
||
// necessarily are required for key bundle updates, as they provide a commitment
|
||
// to the updated keys' Schnorr proofs. An updated KeyBundleAnnouncement must
|
||
// be captured in an inclusion proof before it may be used for communication
|
||
// channels, and may only be used in communication channels once a lobby has
|
||
// opened _after_ the inclusion proof. If a lobby is open during the time the
|
||
// inclusion proof has been created, the announcement is not yet considered
|
||
// valid.
|
||
message KeyBundleAnnouncement {
|
||
IdentityKey identity_key = 1;
|
||
SignedPreKey signed_pre_key = 2;
|
||
bytes proving_key_bytes = 3;
|
||
}
|
||
|
||
// Describes the Identity Key and corresponding Schnorr proof. Schnorr proofs
|
||
// are expected to mirror the EC parameters of the proving and identity key. If
|
||
// they do not, validation will fail.
|
||
message IdentityKey {
|
||
// The C component of the Schnorr proof, serialized as big endian.
|
||
bytes challenge = 1;
|
||
// The S component of the Schnorr proof, serialized as big endian.
|
||
bytes response = 2;
|
||
// The Statement component of the Schnorr proof, serialized as an (compressed,
|
||
// if possible) affine representation of the point.
|
||
bytes statement = 3;
|
||
|
||
oneof identity_key_signature {
|
||
quilibrium.node.keys.pb.Ed448Signature public_key_signature_ed448 = 4;
|
||
}
|
||
}
|
||
|
||
// Describes the Signed Pre Key and corresponding Schnorr proof. Schnorr proofs
|
||
// are expected to mirror the EC parameters of the identity and signed pre key.
|
||
// If they do not, validation will fail.
|
||
message SignedPreKey {
|
||
// The C component of the Schnorr proof, serialized as big endian.
|
||
bytes challenge = 1;
|
||
// The S component of the Schnorr proof, serialized as big endian.
|
||
bytes response = 2;
|
||
// The Statement component of the Schnorr proof, serialized as an (compressed,
|
||
// if possible) affine representation of the point.
|
||
bytes statement = 3;
|
||
|
||
oneof signed_pre_key_signature {
|
||
quilibrium.node.keys.pb.Ed448Signature public_key_signature_ed448 = 4;
|
||
}
|
||
} |