[messaging] Key exchange and DuplexWrap-like protocols

Mike Hamburg mike at shiftleft.org
Tue Feb 10 22:33:00 PST 2015

On 02/10/2015 07:33 PM, Ben Harris wrote:
> > This has the same security properties as Noise, but only uses ECC 
> and Keccak.
> Keccak-f just to avoid any confusion (i.e. the permutation only, it 
> uses different api and domain properties to Keccak).
Ah right, good catch.
> forget() is weaker than Axolotl, as forget is just erasing state bits 
> to prevent inverting the permutation (breaking a previous message). 
> Axolotl creates new ephemerals to prevent breaking future messages too.
Yes, which is why I wrote:
> [Mike] Once the connections are set up, you can ratchet them at will, either in a simple way (using forget()) or by incorporating new DH ephemerals as in Axlotl.
I was thinking that you could exchange ephemerals, then header(g^xy) and 
forget() in some order.
> Using Keyak as the AEAD cipher for bodies is great. But using it for 
> everything might present some issues with lost messages (can't skip a 
> message without having the body) and the concurrency stuff you mention.
Hm, yes.  It would only really work for protocols which run over TCP or 
> It would be interesting to look at an Axolotl-sponge that modifies 
> Axolotl to suit a sponge construction like Keyak. One example is 
> simplifying header encryption into two sequential calls to DuplexWrap 
> instead of two decryptions with separate keys.
Yeah, the simpler header encryption was really what I was after.

-- Mike

More information about the Messaging mailing list