[messaging] Axolotl questions

Trevor Perrin trevp at trevp.net
Mon Dec 15 11:20:07 PST 2014


On Mon, Dec 15, 2014 at 4:16 AM, Sunny Marueli <sunnym at gmail.com> wrote:
> Hi,
>
> I've been looking at the Axolotl Ratchet protocol and have a few questions:
>
> - If a message is lost, it seems one must try to decrypt an incoming message
> with different keys, one after the other. This seems wasteful - why not
> maintain a "ratchet count" that can map directly to the right root key to
> use?

In the non-header-encryption case the receiver can directly retrieve
skipped message keys based on the header n value and the advertised
ratchet public key.

In the header-encryption case the receiver might have to attempt trial
decryption of the header with stored header keys corresponding to
missing messages.  Not a big deal - probably just a small number of
MAC verifications of <100 bytes.


> - Key chaining means all previous keys in the chain are required. Why not
> instead "reuse" the original handshake?

In some protocols (e.g. Pond) the initial setup requires out-of-band
contact and a "rendezvous" protocol that is not feasible to do on
every message, so you want to leverage the initial key agreement.

In other asynchronous protocols (e.g. TextSecure) the initial setup
just requires server contact to retrieve the recipient's "prekeys",
and a bunch of computation.  But even then, repeating this for every
message would have more communication and computation costs than
necessary, and relying entirely on prekeys for forward secrecy would
have some downsides (one-time prekeys can be consumed; time-based
prekeys have longer lifetimes), so it's nice to take advantage of
symmetric-key ratcheting.

Anyways, we're aware that public specs on this stuff are poor, this
will hopefully become clearer soon.

Trevor


More information about the Messaging mailing list