[messaging] Question regarding Whatsapp/Signal Safety Numbers

Jeff Burdges burdges at gnunet.org
Fri Oct 6 06:42:05 PDT 2017


On Wed, 2017-09-27 at 18:10 +0000, Trevor Perrin wrote:
> If you hash everything together you have to worry about
> collision-resistance, so you still need a similar-sized value (e.g.
> 200 bits).

If ACKs do not advance the ratchet, then one could offer a "current
safety number" derived similarly to ratchet header encryption keys,
right? 

I'm dubious that ACKs that do not advance the ratchet are worth this,
but it should be more robust against partial collision attacks.  It
might be useful in legacy protocols that offer ACKs anyways, like say
the next iteration of OTR on XMPP or something.

> So that doesn't reduce the size, but that does lose the ability to
> extract out individual "fingerprints" from the safety number halves.

Yes, but one could identify the "them" and "you" halves, perhaps via
color or columns.  I do think the ordering of "them" and "you" should be
done the way you currently do it of course, so that people do not need
to understand the difference.

Jeff
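To make the two constructions discussed in this thread concrete, here is an added illustration (not code from the post, from Signal, or from WhatsApp): identity-key fingerprint halves combined into a safety number with the halves sorted so neither user has to know which is "you" and which is "them", next to a shorter "current safety number" derived from the running ratchet root key with its own label, the same way a header-encryption key would be derived with a different label. The iteration count, the 5-byte-to-5-digit mapping, the HKDF labels, the root-key step and all keys and identifiers are constructed assumptions for the example.

```python
"""Added example: identity-key safety number vs. ratchet-bound
"current safety number". All keys, identifiers and labels are
constructed for illustration; this is not Signal's or WhatsApp's code."""
import hashlib
import hmac

ITERATIONS = 5200      # iterated-hash count, modelled on Signal's generator (assumption)
HALF_DIGITS = 30       # six groups of five decimal digits per party


def _to_digits(raw: bytes, ndigits: int) -> str:
    """Map each 5-byte chunk to 5 decimal digits (2^40 mod 100000 leaves a
    negligible bias; fine for a fingerprint, not for key material)."""
    groups = []
    for i in range(0, ndigits // 5 * 5, 5):
        groups.append("%05d" % (int.from_bytes(raw[i:i + 5], "big") % 100000))
    return "".join(groups)


def fingerprint_half(identity_key: bytes, stable_id: bytes, version: int = 0) -> str:
    """Digits bound to one party's long-term identity key.

    Start from version || key || identifier, repeatedly hash the key back in,
    then render the leading bytes as decimal digits. The identifier stops a
    key from being replayed under a different account."""
    h = version.to_bytes(2, "big") + identity_key + stable_id
    for _ in range(ITERATIONS):
        h = hashlib.sha512(h + identity_key).digest()
    return _to_digits(h, HALF_DIGITS)


def safety_number(my_half: str, their_half: str) -> str:
    """Both users display the same 60 digits: the halves are sorted, so the
    'you' / 'them' distinction never has to be explained to them."""
    return "".join(sorted((my_half, their_half)))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract + expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def ratchet_step(root_key: bytes, dh_output: bytes):
    """Double-Ratchet-style root KDF (assumed labels): a fresh DH output
    yields a new root key and a new sending chain key."""
    out = hkdf_sha256(dh_output, root_key, b"example-root-ratchet", 64)
    return out[:32], out[32:]


def current_safety_number(root_key: bytes, ndigits: int = 20) -> str:
    """Session-bound value derived from the current root key under its own
    label, exactly as a header-encryption key would be derived under a
    different label. Both peers hold the same root key, so both compute the
    same digits, and the value changes every time the DH ratchet advances."""
    raw = hkdf_sha256(root_key, b"\x00" * 32, b"example-current-safety-number", ndigits)
    return _to_digits(raw, ndigits)


if __name__ == "__main__":
    # Constructed identity keys and identifiers (not real users).
    alice = fingerprint_half(b"A" * 32, b"+14155550100")
    bob = fingerprint_half(b"B" * 32, b"+14155550199")
    print("Alice sees:", safety_number(alice, bob))
    print("Bob sees:  ", safety_number(bob, alice))   # identical string

    root = b"\x07" * 32                               # constructed shared root key
    print("current:", current_safety_number(root))
    root, chain = ratchet_step(root, b"\x42" * 32)    # constructed DH output
    print("after ratchet:", current_safety_number(root))
```

The long-term halves stay fixed across sessions, which is what users compare out of band; the ratchet-derived value is what a protocol would have to show (and keep re-showing) if it were used as a per-session "current safety number" in the sense discussed above.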
