Claude/check paramant post quantum p2 hhi#27
Merged
…M row The crypto-stack table previously hid the classical leg of the hybrid (ECDH P-256, present in crypto-wasm/src/lib.rs) and conflated relay-side STH/receipt signing with client-side signing — which only the Node/Python SDK actually performs today. The browser ParaShare/Drop path encrypts but does not yet sign client-side. Site copy on paramant.app implies otherwise. Also tighten the "what a compromised relay cannot do" row: a registered pubkey substitution is only ruled out *after* an out-of-band fingerprint check (TOFU model), which the rest of the docs already assume.
Closes HIGH-2 from the post-quantum review on this branch: the WASM AES-256-GCM call previously had no Associated Data, so the wire-format header (magic byte, length prefixes, sender ECDH pubkey, nonce, ctLen) was only authenticated implicitly via cascade — HKDF salt = ctKem[..32] makes a tampered ctKem derive a different key, and AES-GCM fails. That is a secure-by-failure outcome but not explicit binding; mutated length prefixes can shift parsing offsets in surprising ways before the AEAD tag is even reached.

Now: encrypt_blob produces magic 0x03 and passes the entire wire prelude (offset 0 through u32be(ctLen)) to AES-GCM as Associated Data, so any in-flight mutation is rejected explicitly with a clean auth error. decrypt_blob accepts both 0x02 (legacy, no AAD) and 0x03 (AAD-bound) so already-uploaded blobs keep decrypting.

Also:

- Cargo.toml: disable wasm-pack's wasm-opt step. wasm-opt downloads a binaryen tarball at build time, which fails offline and makes the SHA-256 pin in crypto-bridge.js non-reproducible. ~50 KB code-size cost is worth "anyone with stable Rust + wasm-pack rebuilds to the same hash."
- crypto-bridge.js: update WASM_SHA256 pin and the wire-format comment.
- crypto-wasm/test.js: load noble from relay/node_modules; cover the new magic byte; add a tamper-detection negative test (flip a byte in the prelude, expect rejection).
- frontend/pkg/: rebuilt artifacts.

Verified: node crypto-wasm/test.js — round-trip OK, tamper detected.
No description provided.