[messaging] MPHFs for public key lookup?

Michael Rogers michael at briarproject.org
Mon Jul 6 06:45:14 PDT 2015

On 04/07/15 21:50, Brian Warner wrote:
> The sender puts three items into each message: (some details omitted for
> brevity, SecretBox/Box are from NaCl)
> 1: "CIDToken": HKDF(key=CIDKey+seqnum)
> 2: "CIDBox": SecretBox(key=CIDKey, data=seqnum+rxpub+..)
> 3: encrypted message: Box(privkey=ephemeralpriv, pub=rxpub, data=msg)
> The recipient looks up the CIDToken against a pre-generated table of
> values created for the next-expected sequence number for each potential
> sender. In the best case, this is basically O(1), and identifies the
> sender (who either used the current pubkey, or the old one).

This is similar to what we do in Briar, with the following differences:

1. The recipient keeps a sliding window of CIDTokens ("tags" in Briar)
so they can be recognised out of order without trial decryption.

2. The CIDBox ("stream header" in Briar) contains a symmetric key for
decrypting and authenticating the remainder of the message ("stream" in
Briar). No asymmetric crypto is needed.

3. The remainder of the stream consists of one or more frames, each made
up of two secretboxes. The first secretbox is a fixed-length header
containing the length of the second secretbox, which is a
variable-length body containing data and/or padding. The header also
contains a flag to indicate the last frame in the stream.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x9FC527CC.asc
Type: application/pgp-keys
Size: 1748 bytes
Desc: not available
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150706/4992c286/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150706/4992c286/attachment.sig>

More information about the Messaging mailing list