[messaging] Axolotl questions
Sunny Marueli
sunnym at gmail.com
Mon Dec 15 13:03:44 PST 2014
Hi Trevor,
Thanks for the prompt answer.
> In other asynchronous protocols (e.g. TextSecure) the initial setup
> just requires server contact to retrieve the recipient's "prekeys",
> and a bunch of computation. But even then, repeating this for every
> message would have more communication and computation costs than
> necessary, and relying entirely on prekeys for forward secrecy would
> have some downsides (one-time prekeys can be consumed; time-based
> prekeys have longer lifetimes),
I was thinking about something like this:
    if ratchet_flag:
        DHRs = generateECDH()
        RK = HASH( DH(A, DHRr) || DH(DHRs, B) || DH(DHRs, DHRr) )
        ratchet_flag = False
> so it's nice to take advantage of
> symmetric-key ratcheting.
>
But ratcheting involves a DH - otherwise we lose the future secrecy, no?
    RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) )
Thanks,
Sunny
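
Added example, not part of the original message or of any Axolotl implementation: it contrasts symmetric-key chain steps with the DH ratchet step `RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) )` quoted above, from the point of view of someone who has leaked a snapshot of the sender's state. Assumptions: a toy finite-field DH modulo 2^255 - 19 stands in for the ECDH (not secure), and the KDF labels, the chain constants "0"/"1" and all function names are illustrative.

```python
import hashlib
import hmac
import secrets

# Toy finite-field DH standing in for the curve ECDH (assumption, NOT secure).
P, G = 2**255 - 19, 2

def generate_dh():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(32, "big")

def hmac_hash(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def kdf(prk):
    # Assumed expansion: three labelled HMAC outputs -> (RK, NHK, CK).
    return tuple(hmac_hash(prk, label) for label in (b"RK", b"NHK", b"CK"))

def dh_ratchet(rk, own_priv, their_pub):
    # RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) )
    return kdf(hmac_hash(rk, dh(own_priv, their_pub)))

def chain_step(ck):
    # Symmetric-key ratchet: one-way HMAC steps, no DH. Returns (MK, next CK).
    return hmac_hash(ck, b"0"), hmac_hash(ck, b"1")

def demo():
    rk0 = hashlib.sha256(b"constructed initial root key").digest()
    a_priv, a_pub = generate_dh()          # sender's DHRs
    b_priv, b_pub = generate_dh()          # receiver's ratchet key (DHRr)
    rk1, _, ck = dh_ratchet(rk0, a_priv, b_pub)
    leak_rk, leak_ck, leak_priv = rk1, ck, a_priv   # constructed state leak
    # Sender keeps using only the symmetric ratchet: leaked CK follows along.
    mk1, ck = chain_step(ck)
    mk2, ck = chain_step(ck)
    atk1, atk_ck = chain_step(leak_ck)
    atk2, _ = chain_step(atk_ck)
    chain_exposed = (atk1, atk2) == (mk1, mk2)

    # Sender generates a fresh ratchet key after the leak and does a DH step.
    a2_priv, a2_pub = generate_dh()
    _, _, ck_sender = dh_ratchet(rk1, a2_priv, b_pub)
    _, _, ck_receiver = dh_ratchet(rk1, b_priv, a2_pub)
    _, _, ck_stale = dh_ratchet(leak_rk, leak_priv, b_pub)  # leaked keys only
    return {"chain_exposed": chain_exposed, "peers_agree": ck_sender == ck_receiver,
            "healed": ck_stale != ck_sender}
```

`demo()` reports that the leaked chain key reproduces every later message key in the same chain, while the chain key produced after a DH step with a fresh ratchet key no longer matches anything derivable from the leaked state.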