[messaging] Axolotl questions

Sunny Marueli sunnym at gmail.com
Mon Dec 15 13:03:44 PST 2014


Hi Trevor,
Thanks for the prompt answer.


> In other asynchronous protocols (e.g. TextSecure) the initial setup
> just requires server contact to retrieve the recipient's "prekeys",
> and a bunch of computation.  But even then, repeating this for every
> message would have more communication and computation costs than
> necessary, and relying entirely on prekeys for forward secrecy would
> have some downsides (one-time prekeys can be consumed; time-based
> prekeys have longer lifetimes),


I was thinking about something like this:

if ratchet_flag:
  DHRs = generateECDH()
  RK = HASH( DH(A, DHRr) || DH(DHRs, B) || DH(DHRs, DHRr) )
ratchet_flag = False
> so it's nice to take advantage of
> symmetric-key ratcheting.
>

But ratcheting involves a DH - otherwise we lose the future secrecy, no?

RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) )


Thanks,
  Sunny
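The point at issue above, worked through as an added example (it is not part of Sunny's mail, and not code from TextSecure or any Axolotl implementation): the triple-DH root key RK = HASH(DH(A, DHRr) || DH(DHRs, B) || DH(DHRs, DHRr)) and the DH ratchet step RK, NHKs, CKs = KDF(HMAC-HASH(RK, DH(DHRs, DHRr))) from the message, next to a plain symmetric-key chain ratchet, with an attacker who snapshots one party's full state. Assumptions: DH is modular exponentiation in the RFC 3526 2048-bit MODP group (hex transcribed here; check it against the RFC before reuse) rather than Curve25519, HASH and KDF are HMAC-SHA256, the chain advances as CK' = HMAC(CK, 0x01) and MK = HMAC(CK, 0x00), and the names keygen, dh, kdf, initial_root_key, dh_ratchet, symmetric_ratchet and demo are mine.

```python
"""Axolotl-style key schedule: symmetric-key ratchet beside the DH ratchet.
Added illustration (not code from the thread, TextSecure or any Axolotl
implementation); stdlib only, DH in the RFC 3526 2048-bit MODP group."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 modulus, transcribed by hand: verify before any reuse.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def keygen():
    """Fresh DH key pair: (private exponent, public value)."""
    priv = secrets.randbits(256)
    return priv, pow(G, priv, P)


def dh(priv, pub):
    """Shared secret at fixed width so it can be concatenated and HMACed."""
    return pow(pub, priv, P).to_bytes(256, "big")


def kdf(ikm, label, n):
    """Expand ikm into n 32-byte outputs (HMAC-SHA256 with a counter byte)."""
    return [hmac.new(ikm, label + bytes([i]), hashlib.sha256).digest()
            for i in range(n)]


def initial_root_key(id_priv, r_priv, their_id_pub, their_r_pub, initiator):
    """RK = HASH(DH(A, DHRr) || DH(DHRs, B) || DH(DHRs, DHRr)) as in the mail;
    the initiator pairs its identity key with the responder's ratchet key and
    vice versa, so both sides hash the same three secrets in the same order."""
    if initiator:
        parts = dh(id_priv, their_r_pub) + dh(r_priv, their_id_pub)
    else:
        parts = dh(r_priv, their_id_pub) + dh(id_priv, their_r_pub)
    return hashlib.sha256(parts + dh(r_priv, their_r_pub)).digest()


def dh_ratchet(rk, r_priv, their_r_pub):
    """RK', NHK, CK = KDF(HMAC-HASH(RK, DH(DHRs, DHRr))): the DH ratchet step,
    which needs a ratchet private key and is what buys future secrecy."""
    ikm = hmac.new(rk, dh(r_priv, their_r_pub), hashlib.sha256).digest()
    return kdf(ikm, b"axolotl-dh", 3)


def symmetric_ratchet(ck):
    """Advance a chain with no DH: (CK', MK) = (HMAC(CK, 1), HMAC(CK, 0)).
    One-way, so CK' hides earlier MKs; but CK yields every later MK."""
    mk = hmac.new(ck, b"\x00", hashlib.sha256).digest()
    return hmac.new(ck, b"\x01", hashlib.sha256).digest(), mk


def demo():
    """One session with a state compromise; reports what each ratchet protects."""
    a_id, a_id_pub = keygen()
    b_id, b_id_pub = keygen()
    a_r, a_r_pub = keygen()
    b_r, b_r_pub = keygen()
    rk_a = initial_root_key(a_id, a_r, b_id_pub, b_r_pub, initiator=True)
    rk_b = initial_root_key(b_id, b_r, a_id_pub, a_r_pub, initiator=False)
    # Alice's first sending chain and Bob's matching receiving chain.
    rk_a, _, ck_a = dh_ratchet(rk_a, a_r, b_r_pub)
    rk_b, _, ck_b = dh_ratchet(rk_b, b_r, a_r_pub)
    chains_agree = rk_a == rk_b and ck_a == ck_b
    # Message 1 goes out, then an attacker snapshots Alice's entire state.
    ck_a, _ = symmetric_ratchet(ck_a)
    stolen_rk, stolen_ck, stolen_r = rk_a, ck_a, a_r
    # Symmetric ratchet only: the snapshot predicts message keys 2 and 3.
    ck_a, mk2 = symmetric_ratchet(ck_a)
    ck_a, mk3 = symmetric_ratchet(ck_a)
    ck_adv, mk2_adv = symmetric_ratchet(stolen_ck)
    ck_adv, mk3_adv = symmetric_ratchet(ck_adv)
    symmetric_predicted = (mk2_adv, mk3_adv) == (mk2, mk3)
    # DH ratchet: Bob replies under a fresh DHRs; the stolen a_r still follows.
    b_r2, b_r2_pub = keygen()
    rk_b, _, _ = dh_ratchet(rk_b, b_r2, a_r_pub)
    rk_a, _, _ = dh_ratchet(rk_a, a_r, b_r2_pub)
    rk_adv, _, _ = dh_ratchet(stolen_rk, stolen_r, b_r2_pub)
    one_step_not_enough = rk_adv == rk_a
    # Alice answers under a fresh DHRs of her own: the attacker has neither
    # a_r2 nor b_r2, so advancing the stolen chain is all it can do.
    a_r2, a_r2_pub = keygen()
    rk_a, _, ck_a = dh_ratchet(rk_a, a_r2, b_r2_pub)
    rk_b, _, ck_b = dh_ratchet(rk_b, b_r2, a_r2_pub)
    _, mk4 = symmetric_ratchet(ck_a)
    _, mk4_adv = symmetric_ratchet(ck_adv)
    healed = rk_a == rk_b and ck_a == ck_b and mk4_adv != mk4
    return {"chains_agree": chains_agree, "symmetric_predicted": symmetric_predicted,
            "one_step_not_enough": one_step_not_enough, "healed": healed}
```

Calling demo() shows the asymmetry Sunny is pointing at: the snapshot lets the attacker compute every later message key in the symmetric chain (forward secrecy holds, future secrecy does not), and one DH ratchet step by the other side is not enough either, because the stolen ratchet private key still pairs with the new public key; only once the compromised party contributes a fresh DHRs does the attacker's derived chain diverge from the real one.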