diff --git a/44.md b/44.md index 8bc4038..0efa482 100644 --- a/44.md +++ b/44.md @@ -80,7 +80,7 @@ NIP-44 version 2 has the following design characteristics: but won't leak the long-term key 3. Calculate message keys - The keys are generated from `conversation_key` and `nonce`. Validate that both are 32 bytes long - - Use HKDF-expand, with sha256, `OKM=conversation_key`, `info=nonce` and `L=76` + - Use HKDF-expand, with sha256, `PRK=conversation_key`, `info=nonce` and `L=76` - Slice 76-byte HKDF output into: `chacha_key` (bytes 0..32), `chacha_nonce` (bytes 32..44), `hmac_key` (bytes 44..76) 4. Add padding - Content must be encoded from UTF-8 into byte array @@ -115,9 +115,9 @@ validation rules, refer to BIP-340. - Validate length of base64 message to prevent DoS on base64 decoder: it can be in range from 132 to 87472 chars - Validate length of decoded message to verify output of the decoder: it can be in range from 99 to 65603 bytes 3. Calculate conversation key - - See step 1 of (encryption)[#Encryption] + - See step 1 of [encryption](#Encryption) 4. Calculate message keys - - See step 3 of (encryption)[#Encryption] + - See step 3 of [encryption](#Encryption) 5. Calculate MAC (message authentication code) with AAD and compare - Stop and throw an error if MAC doesn't match the decoded one from step 2 - Use constant-time comparison algorithm @@ -126,7 +126,7 @@ validation rules, refer to BIP-340. 7. Remove padding - Read the first two BE bytes of plaintext that correspond to plaintext length - Verify that the length of sliced plaintext matches the value of the two BE bytes - - Verify that calculated padding from step 3 of the (encryption)[#Encryption] process matches the actual padding + - Verify that calculated padding from step 3 of the [encryption](#Encryption) process matches the actual padding ### Details 
@@ -291,5 +291,5 @@ The file also contains intermediate values. A quick guidance with regards to its - `valid.encrypt_decrypt`: emulate real conversation. Calculate pub2 from sec2, verify conversation_key from (sec1, pub2), encrypt, verify payload, then calculate pub1 from sec1, verify conversation_key from (sec2, pub1), decrypt, verify plaintext. - `valid.encrypt_decrypt_long_msg`: same as previous step, but instead of a full plaintext and payload, their checksum is provided. - `invalid.encrypt_msg_lengths` -- `invalid.get_conversation_key`: calculating converastion_key must throw an error +- `invalid.get_conversation_key`: calculating conversation_key must throw an error - `invalid.decrypt`: decrypting message content must throw an error
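Review bot: In the `@@ -80,7` hunk, the corrected line now uses the RFC 5869 parameter names (`PRK`, `info`, `L`) but the step gives no reference for them. Add a pointer to RFC 5869 section 2.3 (HKDF-Expand) so implementers pass `conversation_key` as the PRK input of an expand-only call and do not run it through an extract step first. The slice line that follows would also be clearer if it stated that the ranges are half-open: 0..32, 32..44 and 44..76 give 32 + 12 + 32 = 76 bytes.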
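Review bot: In the `@@ -126,7` hunk, the last line of step 7 still refers to "calculated padding from step 3 of the encryption process", but in the encryption list visible in the first hunk, step 3 is "Calculate message keys" and padding is step 4 ("Add padding"). Since the line is being edited for the link syntax anyway, change the reference to step 4 so the padding check in decryption points at the rule it actually depends on.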
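Review bot: In the `@@ -291,5` hunk, `invalid.encrypt_msg_lengths` is the only entry in the list without a description, while its neighbours `invalid.get_conversation_key` and `invalid.decrypt` each state what must throw an error. Add a one-line description in the same form so implementers know what a passing test looks like for that vector set.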