<!DOCTYPE html>
<html>
<head>
<title></title>
<style type="text/css">p.MsoNormal,p.MsoNoSpacing{margin:0}</style>
</head>
<body><div style="font-family:georgia, serif;"><span class="font" style="font-family:georgia, serif, sans-serif">Hi all,</span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9z84zrpcz82zhz68zeiyhsz89zfz70z7r3z86zz85zv3ez67z9z80zfiz72z6"><span class="font" style="font-family:georgia, serif, sans-serif">I'm one of the authors of the Signal and ART papers. We have pushed a small update to the paper to help clarify its wording. If you spot any other places where we can improve things, please do let us know :)</span></span><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9z84zrpcz82zhz68zeiyhsz89zfz70z7r3z86zz85zv3ez67z9z80zfiz72z6"><span class="font" style="font-family:georgia, serif, sans-serif">I think in general there is a lot of subtlety here because different threat models consider compromises of different sets of keys. Define X3DH(Alice, Bob) = 1 || 2 || 3 where 1 = DH(Alice's ephemeral, Bob's medium-term), 2 = DH(Alice's static, Bob's medium-term), 3 = DH(Alice's ephemeral, Bob's static), and 4 = DH(Alice's static, Bob's static).</span></span><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9z84zrpcz82zhz68zeiyhsz89zfz70z7r3z86zz85zv3ez67z9z80zfiz72z6"><b><span class="font" style="font-family:georgia, serif, sans-serif">KCI </span></b><span class="font" style="font-family:georgia, serif, sans-serif">For the KCI attack described by Kobeissi et al. [<a class="dynamiclink" href="https://doi.org/10.1109/EuroSP.2017.38">https://doi.org/10.1109/EuroSP.2017.38</a>] you only need to compromise one key (Bob's medium-term signed prekey). If I know that key, I can impersonate anybody to Bob by making up a fake ephemeral key for Alice. Then I can compute 1 because I know Alice's ephemeral, 2 because I know Bob's medium-term, and 3 because I know Alice's ephemeral. I can't compute 4.</span></span><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9z84zrpcz82zhz68zeiyhsz89zfz70z7r3z86zz85zv3ez67z9z80zfiz72z6"><span class="font" style="font-family:georgia, serif, sans-serif">If you think it is impossible to compromise Bob's medium-term key without also compromising his identity key, then including the static-static does not help you. Otherwise, it does</span></span><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90za3u7z76z2z74zz78zz87zz122zz78zz70zqz75zoyz73zbjfo0z71zz76z81sgj9z70z"><span class="font" style="font-family:georgia, serif, sans-serif">, since it requires the a</span></span><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9z84zrpcz82zhz68zeiyhsz89zfz70z7r3z86zz85zv3ez67z9z80zfiz72z6"><span class="font" style="font-family:georgia, serif, sans-serif">dversary</span></span><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90za3u7z76z2z74zz78zz87zz122zz78zz70zqz75zoyz73zbjfo0z71zz76z81sgj9z70z"><span class="font" style="font-family:georgia, serif, sans-serif"> to compromise both Bob’s medium-term key and his long-term private key.</span></span><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9z84zrpcz82zhz68zeiyhsz89zfz70z7r3z86zz85zv3ez67z9z80zfiz72z6"><b><span class="font" style="font-family:georgia, serif, sans-serif">Bad RNG</span></b><span class="font" style="font-family:georgia, serif, sans-serif"> Suppose that I know Alice's ephemeral and Bob's medium-term keys. I can compute any session key: I know 1 because I know Alice's ephemeral, 2 because I know Bob's medium-term, and 3 because I know Alice's ephemeral. I can't compute 4.</span></span><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9z84zrpcz82zhz68zeiyhsz89zfz70z7r3z86zz85zv3ez67z9z80zfiz72z6"><span class="font" style="font-family:georgia, serif, sans-serif">If you think it is impossible to compromise Bob's medium-term key and Alice's ephemeral keys without also compromising at least one of their long-term keys, then including the static-static does not help you. Otherwise, it does, since it requires the adversary to compromise at least one static key in order to compute the static-static DH share.</span></span><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9z84zrpcz82zhz68zeiyhsz89zfz70z7r3z86zz85zv3ez67z9z80zfiz72z6"><span class="font" style="font-family:georgia, serif, sans-serif">In both cases, the resistance of the protocol to some attacks is increased at the cost of a fourth exponentiation, which can however be cached over multiple sessions. (My view is that the cost is worth it for the additional benefits and that there are realistic contexts in which this sort of compromise can occur. Three examples: storing identity keys in an iPhone secure enclave, a Debian-style update which breaks the system RNG, or finding the state of an ISO DRBG and predicting future values. But reasonable people can disagree here.)</span></span><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9z84zrpcz82zhz68zeiyhsz89zfz70z7r3z86zz85zv3ez67z9z80zfiz72z6"><b><span class="font" style="font-family:georgia, serif, sans-serif">UKS</span></b><span class="font" style="font-family:georgia, serif, sans-serif"> Unknown key share attacks are subtle</span></span><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90za3u7z76z2z74zz78zz87zz122zz78zz70zqz75zoyz73zbjfo0z71zz76z81sgj9z70z"><span class="font" style="font-family:georgia, serif, sans-serif">, and come in multiple flavours. W</span></span><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9z84zrpcz82zhz68zeiyhsz89zfz70z7r3z86zz85zv3ez67z9z80zfiz72z6"><span class="font" style="font-family:georgia, serif, sans-serif">e are planning to write a separate document to clarify them. That is really an orthogonal argument to what we mean to say in the paper, so we've removed their mention from the ART paper for now. Stay tuned!</span></span><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9z84zrpcz82zhz68zeiyhsz89zfz70z7r3z86zz85zv3ez67z9z80zfiz72z6"><span class="font" style="font-family:georgia, serif, sans-serif">I hope that helps shed some light here.</span></span><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9z84zrpcz82zhz68zeiyhsz89zfz70z7r3z86zz85zv3ez67z9z80zfiz72z6"><span class="font" style="font-family:georgia, serif, sans-serif">Katriel</span></span><br></div>
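<div><span class="font" style="font-family:georgia, serif, sans-serif"></span><br></div>
<div><span class="font" style="font-family:georgia, serif, sans-serif">Added example (not from the message above, nor code from the Signal or ART papers): a runnable model of the share bookkeeping in the KCI and bad-RNG paragraphs. It numbers the DH shares exactly as the message does (1 = DH(EK_A, SPK_B), 2 = DH(IK_A, SPK_B), 3 = DH(EK_A, IK_B), 4 = DH(IK_A, IK_B)); the published X3DH specification numbers the first three differently and also has a one-time-prekey share, which is left out here as it is in the message. The script generates the four key pairs, gives the adversary the private keys each scenario grants it, and checks which shares it can reproduce against what Bob derives: the KCI case (Bob's signed prekey leaked, adversary supplies its own "Alice" ephemeral), the bad-RNG case (Bob's signed prekey leaked, Alice's ephemeral drawn from a predictable RNG the adversary replays), and the case where Bob's identity key is lost as well, which is where share 4 stops helping. The names IK_A, EK_A, IK_B, SPK_B and the function <code>predictable_rng</code> are this example's own; <code>predictable_rng</code> is a constructed stand-in for a broken system RNG, not a model of any specific bug, and the X25519 ladder is a plain, non-constant-time reference implementation included only so the script has no third-party dependency.</span><br></div>

```python
"""Added example (not from the message or the ART/Signal papers): which X3DH
DH shares an adversary can compute under the compromise scenarios discussed.

Share numbering follows the message: 1 = DH(EK_A, SPK_B), 2 = DH(IK_A, SPK_B),
3 = DH(EK_A, IK_B), 4 = DH(IK_A, IK_B) (the extra static-static share).
"""
import hashlib
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

# Share i = DH(<Alice key>, <Bob key>), using the message's numbering.
SHARES = {
    1: ("EK_A", "SPK_B"),
    2: ("IK_A", "SPK_B"),
    3: ("EK_A", "IK_B"),
    4: ("IK_A", "IK_B"),  # static-static: needs the private IK_A or IK_B
}


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 as a plain Python Montgomery ladder. NOT constant time:
    a reference implementation so the example has no third-party dependency."""
    k = int.from_bytes(k, "little")
    k = (k - k % 8) % 2**254 + 2**254          # clamp: clear low 3 bits and bit 255, set bit 254
    x1 = int.from_bytes(u, "little") % 2**255  # drop the unused top bit of the u-coordinate
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) % 2
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(rng=os.urandom):
    """Private scalar from the given RNG, public key = scalar * basepoint."""
    priv = rng(32)
    return priv, x25519(priv, BASEPOINT)


def predictable_rng(n: int) -> bytes:
    """Constructed stand-in for a broken system RNG: its output is a fixed
    function of a tiny seed space, so the adversary can replay it offline."""
    return hashlib.sha256(b"constructed low-entropy seed").digest()[:n]


def bob_shares(priv, pub):
    """Bob's side of the handshake: DH(his private key, Alice's public key)."""
    return {i: x25519(priv[b], pub[a]) for i, (a, b) in SHARES.items()}


def adversary_shares(known_priv, pub):
    """DH(a, b) needs the public keys (always available) plus the private key of
    EITHER endpoint. A share for which neither private key is known is absent."""
    out = {}
    for i, (a, b) in SHARES.items():
        if a in known_priv:
            out[i] = x25519(known_priv[a], pub[b])
        elif b in known_priv:
            out[i] = x25519(known_priv[b], pub[a])
    return out


def run_scenario(name: str):
    """Returns (share numbers the adversary can compute, whether every one of
    them matches what Bob derives for the same session)."""
    priv, pub = {}, {}
    for key in ("IK_A", "IK_B", "SPK_B"):
        priv[key], pub[key] = keypair()
    known = {"SPK_B": priv["SPK_B"]}  # every scenario: Bob's signed prekey leaked
    if name == "kci":
        # Adversary impersonates Alice to Bob with an ephemeral it made up itself.
        priv["EK_A"], pub["EK_A"] = keypair()
        known["EK_A"] = priv["EK_A"]
    elif name == "bad_rng":
        # Alice is honest, but her RNG is broken and the adversary replays it.
        priv["EK_A"], pub["EK_A"] = keypair(predictable_rng)
        known["EK_A"] = predictable_rng(32)
    elif name == "kci_and_identity":
        # As KCI, but Bob's identity key is gone too: share 4 no longer helps.
        priv["EK_A"], pub["EK_A"] = keypair()
        known["EK_A"] = priv["EK_A"]
        known["IK_B"] = priv["IK_B"]
    else:
        raise ValueError(name)
    bob = bob_shares(priv, pub)
    adv = adversary_shares(known, pub)
    return sorted(adv), all(adv[i] == bob[i] for i in adv)


if __name__ == "__main__":
    for scenario in ("kci", "bad_rng", "kci_and_identity"):
        shares, consistent = run_scenario(scenario)
        print(f"{scenario:18s} adversary computes shares {shares}, matches Bob: {consistent}")
```

<div><span class="font" style="font-family:georgia, serif, sans-serif">Running it prints shares [1, 2, 3] for both the KCI and bad-RNG cases, each matching Bob's values, and [1, 2, 3, 4] once IK_B is also known. The model encodes the rule the message relies on: a share is reachable exactly when the adversary holds the private half of either endpoint, so adding the static-static share raises the bar only for an adversary who has neither identity key.</span><br></div>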
</body>
</html>