[curves] Forward secrecy with "triple Diffie-Hellman"
    Tony Arcieri 
    bascule at gmail.com
       
    Tue Apr  8 18:17:40 PDT 2014
Trevor described this idea to me once and I haven't really seen it written
down anywhere. It's an alternative to something like the CurveCP handshake
for a transport encryption protocol which provides forward secrecy by
deriving a unique session key each time using ephemeral D-H keys. It
couples authentication to confidentiality in ways that might bother some,
but at the same time is incredibly simple and I think that's an advantage
in and of itself.
Let's say Alice has the following elliptic curve D-H keys:
a: long-lived private key
A: long-lived public key
Alice will also generate a' and A' for each session, which are short-lived
session keys.
Bob likewise has b, B, b', and B' respectively.
Alice can do:
  a * B' || a' * B' || a' * B
(The "*" character here represents Curve25519 scalar multiplication)
Bob can do the reciprocal operation and derive the same shared secret
string:
  b * A' || b' * A' || b' * A
These secret strings can then be used as input to a KDF to create a session
key.
If these keys haven't been tampered with in-flight, Alice and Bob should
derive the same session key, and can authenticate each other via their
long-lived public keys.
Does this seem correct, and if so, does anyone know of any literature on
this approach?
-- 
Tony Arcieri
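The handshake above as an added worked example (my code, not from Tony's post): a pure-Python X25519 ladder from RFC 7748 stands in for the "*" operation and HKDF-SHA256 stands in for the unspecified KDF; the function and parameter names are assumptions. Both sides must feed the KDF byte-identical input, so the responder computes the same three shared points but concatenates them in the initiator's order, and each DH output is rejected if all-zero (a low-order peer point).

```python
import hashlib, hmac, os
P = 2**255 - 19
BASE = (9).to_bytes(32, "little")          # X25519 base point u = 9

def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519 Montgomery ladder. Educational: not constant-time."""
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64   # clamp
    k = int.from_bytes(k, "little")
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        A, B = (x2 + z2) % P, (x2 - z2) % P
        AA, BB = A * A % P, B * B % P
        C, D = (x3 + z3) % P, (x3 - z3) % P
        DA, CB = D * A % P, C * B % P
        E = (AA - BB) % P
        x3, z3 = pow(DA + CB, 2, P), u * pow(DA - CB, 2, P) % P
        x2, z2 = AA * BB % P, E * (AA + 121665 * E) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def shared(priv: bytes, pub: bytes) -> bytes:
    """One DH step; an all-zero result means a low-order peer point (RFC 7748, 6.1)."""
    s = x25519(priv, pub)
    if s == bytes(32):
        raise ValueError("low-order public key, aborting handshake")
    return s

def keygen():
    priv = os.urandom(32)                  # clamping happens inside x25519
    return priv, x25519(priv, BASE)

def kdf(ikm: bytes, info: bytes = b"3dh session key") -> bytes:
    """HKDF-SHA256 (extract + one expand block) over the concatenated secrets."""
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def initiator_key(a, a_eph, B, B_eph):
    # Alice: a*B' || a'*B' || a'*B
    return kdf(shared(a, B_eph) + shared(a_eph, B_eph) + shared(a_eph, B))

def responder_key(b, b_eph, A, A_eph):
    # Bob: the same three points, concatenated in the initiator's order
    return kdf(shared(b_eph, A) + shared(b_eph, A_eph) + shared(b, A_eph))
```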