[messaging] OTR version 4 Draft

Sofia sofia at autonomia.digital
Fri Mar 23 08:38:11 PDT 2018


As suggested by Trevor, we are also sending this over here ;)

I am Sofia from the team that previously sent a draft of the OTRv4
protocol over the OTR-dev mailing list[1]. We, as a team, would like to
present the third version of this draft. It has been reviewed by Ian
Golberg and Nik Unger two times in the interim[2]. The draft is at

There are many changes on this version as compared with the version 3 of
the OTR protocol. Just to briefly summarize them:

* Security level raised to 224 bits and based on Elliptic Curve
Cryptography (ECC) (using ed448, Goldilocks, -huge thanks to Mike
* Additional protection against transcript decryption in the case of ECC
* Support for both online and offline conversations.
* Support for an out-of-order network model.
* The following cryptographic primitives and protocols have been updated:
  * Deniable authenticated key exchanges (DAKE) using "DAKE with Zero
Knowledge" (DAKEZ) and "Extended Zero-knowledge Diffie-Hellman" (XZDH).
DAKEZ corresponds to conversations when both parties are online
(interactive) and XZDH to conversations when one of the parties is
offline (non-interactive).
  * Key management using the Double Ratchet Algorithm.
  * Upgraded SHA-1 and SHA-2 to SHAKE-256.
  * Switched from AES to XSalsa20.
* Support for different modes in how the specification can be used
(OTRv4 only, OTRv4+v3 compatibility mode, OTRv4 interactive only).
* Explicit instructions for producing forged transcripts using the same
functions used to conduct honest conversations.

The DAKEs we are using are based upon the ones defined by Nik and Ian in
their paper: Improved Strongly Deniable Authenticated Key Exchanges for
Secure Messaging[4]. Nik will be talking about them at the next PETS[5],
if you are interested, or you can check this diagram around them [6].

Previously, there were some comments inquiring whether this was the
"official" draft of OTRv4. As we have been closely working with Ian and
Nik on this, we consider this an official version 4 of the OTR protocol.
Just for context, this version of the protocol started with a discussion
held at the beginning of March, 2015, at the IFF - you can see the
report and discussion about that beginning here [7].

This proposal have had two reviews. We briefly held a meeting around it
with Ian at Real World Crypto, 2018.

Notice that the draft points to another specification for how a prekey
server used for offline conversations works. This specific specification
is still a work in progress. But we will finish it soon, and send it
along for review ;)

We are sending this in order to get a third review from Nik and Ian, but
also to get the opinions, thoughts, discussions and much more from the
OTR community and the privacy/security community. This is by no means a
finished draft, so, we welcome your feedback on it (please, do so).

Let's discuss and share our opinions! :)

Thanks and have a very good weekend!

The OTRv4 team

1- https://lists.cypherpunks.ca/pipermail/otr-dev/2018-March/002512.html
2- https://lists.cypherpunks.ca/pipermail/otr-dev/2016-December/002502.html
3- https://github.com/otrv4/otrv4/blob/master/otrv4.md
4- http://cacr.uwaterloo.ca/techreports/2016/cacr2016-06.pdf
5- https://petsymposium.org/2018/paperlist.php
6- https://cs.uwaterloo.ca/~njunger/dake_csdf17_poster_72dpi.png
7- https://lists.cypherpunks.ca/pipermail/otr-dev/2016-March/002447.html

SofĂ­a Celi (aka cherenkov)
@claucece / @cherenkov_d
EF74 1A5F 5692 E56F 14F6  243C 3992 6144 F89D 996F

More information about the Messaging mailing list