[messaging] X3DH
stef
s at ctrlc.hu
Tue Nov 8 11:33:17 PST 2016
On Fri, Nov 04, 2016 at 07:28:10PM -0700, Trevor Perrin wrote:
> A spec for the "X3DH" key agreeement protocol used in Signal is
> available at [1].
>
> We'd welcome feedback. Eventually we should take spec discussion to a
> more specific venue, but hopefully this list doesn't mind for now.
how about a simple post-quantum extension to this protocol ala cecpq1? like this:
1. besides the prekey, bob also publishes the public part of newhope_keygen,
preferably also signed by the IKB.
2. when alice retrieves the prekey, at the end of the triple-dh she also concats
the key from newhope_sharedb, adding a post-quantum component to the final
root-key derivation. her public part of the newhope_sharedb must be also
shared with bob in the first message.
3. bob when receiving the first message from alice he completes his
newhope_shareda with the parameters stored and/or sent by alice concating the
output into the input of the root-key derivation.
does this make sense? the only drawback is that the prekeys and the first
message from alice grows by about 2K iirc.
best,s
More information about the Messaging
mailing list