[messaging] X3DH

stef s at ctrlc.hu
Tue Nov 8 11:33:17 PST 2016

On Fri, Nov 04, 2016 at 07:28:10PM -0700, Trevor Perrin wrote:
> A spec for the "X3DH" key agreement protocol used in Signal is
> available at [1].
> We'd welcome feedback.  Eventually we should take spec discussion to a
> more specific venue, but hopefully this list doesn't mind for now.

how about a simple post-quantum extension to this protocol à la cecpq1? like this:

1. besides the prekey, bob also publishes the public part of newhope_keygen,
preferably also signed by the IKB.

2. when alice retrieves the prekey, at the end of the triple-dh she also concatenates
the key from newhope_sharedb, adding a post-quantum component to the final
root-key derivation. her public part of the newhope_sharedb must also be
shared with bob in the first message.

3. when bob receives the first message from alice, he completes his
newhope_shareda with the parameters stored and/or sent by alice, concatenating the
output into the input of the root-key derivation.

does this make sense? the only drawback is that the prekeys and the first
message from alice grow by about 2K iirc.
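
The root-key step proposed in the message above, as an added example that is not part of the original post or of the X3DH spec: the three DH outputs and the NewHope shared key are concatenated and fed to HKDF using the X3DH KDF framing. The function names, the info label, the "+pq" suffix and the 32-byte secrets (constructed stand-ins for real X25519 and NewHope outputs) are assumptions of this example.

```python
import hashlib
import hmac

SECRET_LEN = 32  # assumed size of each X25519 output and of the NewHope shared key


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_root_key(dh_outputs, pq_secret=None, info=b"ExampleHybridX3DH"):
    """Root key from DH1..DH3 plus an optional post-quantum shared secret.

    Every component must be exactly SECRET_LEN bytes, so the concatenation
    has one possible parse and a truncated PQ secret is rejected instead of
    silently weakening the key.
    """
    if len(dh_outputs) != 3:
        raise ValueError("expected the three DH outputs of the triple-DH")
    parts = list(dh_outputs) + ([] if pq_secret is None else [pq_secret])
    if any(len(p) != SECRET_LEN for p in parts):
        raise ValueError("every secret must be %d bytes" % SECRET_LEN)
    # This example's choice: a distinct label for the hybrid mode, so a
    # hybrid key can never collide with a classical-only derivation.
    label = info + (b"+pq" if pq_secret is not None else b"")
    # X3DH KDF framing for X25519: 32 bytes of 0xFF, then the key material,
    # with a zero-filled salt of hash-output length.
    ikm = b"\xff" * 32 + b"".join(parts)
    return hkdf_sha256(b"\x00" * 32, ikm, label)


# Constructed stand-ins for secrets both sides already computed: the three DH
# outputs and the key from newhope_sharedb (alice) / newhope_shareda (bob).
DH = [hashlib.sha256(b"constructed-dh%d" % i).digest() for i in (1, 2, 3)]
NH = hashlib.sha256(b"constructed-newhope-key").digest()

if __name__ == "__main__":
    alice = derive_root_key(DH, NH)
    bob = derive_root_key(DH, NH)
    print("hybrid keys match:   ", alice == bob)
    print("differs from DH-only:", alice != derive_root_key(DH))
```

With this construction the root key stays secret as long as either the DH outputs or the NewHope key remain unknown to the attacker, assuming HKDF behaves as a secure KDF.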

