[messaging] X3DH: why put OTPKs on the server?

Ron Garret ron at flownet.com
Sat Feb 4 09:25:11 PST 2017

The X3DH protocol calls for Bob to publish a set of one-time pre-keys (OTPKs) to the server.  What is the purpose of this?  Why not just have Bob issue an OTPK directly to Alice on demand as the first step in the protocol?

The only possible answer I can think of is that Bob might not be on-line to fulfill the request.  But the whole point of X3DH (as I understand it) is to establish a session key for a real-time communications session, so if Bob is not on line the whole protocol is moot.

AFAICT, having OTPKs on the server introduces additional complexity (the protocol now has two cases depending on whether an OTPK is available) and additional attacks (a DOS attack where an adversary drains the OTPK pool) requiring mitigations (like rate limiting, i.e. more complexity) for no apparent advantage.  Have I missed something?


More information about the Messaging mailing list