[messaging] KCI in X3DH

Ximin Luo infinity0 at pwned.gg
Wed Jan 17 15:39:00 PST 2018

Trevor Perrin:
> On Wed, Jan 17, 2018 at 5:40 PM, Ximin Luo <infinity0 at pwned.gg> wrote:
>> On the ART paper near the end it mentions: "we use the X3DH paper [..] extended to include the static-static DH key in order to prevent UKS and KCI attacks".
>> After some digging we came across this part from [1]: "When [..] Bob’s long-term secret key [..] [and] pre-key is also compromised, ProVerif finds [..] a novel key compromise impersonation attack"
>> Indeed, in this case the attacker can generate a new fake A-eph "from Alice" and compute X3DH(Alice, Bob) via
>> Alice[public static] ^ Bob[private prekey] ||
>> Fake-Alice[public eph] ^ Bob[private static] ||
>> Fake-Alice[private eph] ^ Bob[public prekey]
>> The defence is to turn X3DH into "X4DH", with an additional DH(Alice[static], Bob[static]) in there.
> If Bob's static key is compromised, adding a static-static DH
> obviously will not help anything.
> The only case it might help is if ephemerals are compromised but
> static keys are *NOT* compromised.  That isn't a likely case, so
> doesn't seem worth the computational expense.

You're right, I had reached the same conclusion thinking it through in the meantime and was just about to post that.

I wonder what their reasoning behind this addition was, then.

(One could imagine a scenario where private key operations of one's static key is delegated to another more secure device like a smartcard, then this might help. But this is a pretty specific case and from the wording in the paper it doesn't sound like that's what they're referring to here.)


GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE

More information about the Messaging mailing list