[messaging] KCI in X3DH

Trevor Perrin trevp at trevp.net
Wed Jan 17 15:11:14 PST 2018

On Wed, Jan 17, 2018 at 5:40 PM, Ximin Luo <infinity0 at pwned.gg> wrote:
> On the ART paper near the end it mentions: "we use the X3DH paper [..] extended to include the static-static DH key in order to prevent UKS and KCI attacks".
> After some digging we came across this part from [1]: "When [..] Bob’s long-term secret key [..] [and] pre-key is also compromised, ProVerif finds [..] a novel key compromise impersonation attack"
> Indeed, in this case the attacker can generate a new fake A-eph "from Alice" and compute X3DH(Alice, Bob) via
> Alice[public static] ^ Bob[private prekey] ||
> Fake-Alice[public eph] ^ Bob[private static] ||
> Fake-Alice[private eph] ^ Bob[public prekey]
> The defence is to turn X3DH into "X4DH", with an additional DH(Alice[static], Bob[static]) in there.

If Bob's static key is compromised, adding a static-static DH
obviously will not help anything.

The only case it might help is if ephemerals are compromised but
static keys are *NOT* compromised.  That isn't a likely case, so
doesn't seem worth the computational expense.


More information about the Messaging mailing list