[messaging] tDH extended with SPEKE
torfone at ukr.net
Sun Mar 3 23:40:26 PST 2019
Recently I chose the Initial Key Exchange procedure for my project and compare the properties of known protocols. I found that tDH has certain minor flaws that can be fixed.
The one flaw is the weak PFS of sender’s ID protection: Eve intercepts Alice’s connection to Bob and claims as Bob. She follows the tDH protocol, receives the authenticator and aborts.
Later, by revealing Bob’s private key, Eve can check Alice participation in this past session.
Many other protocols also inherit this flaw.
For example, see the Noise Structure Document:
http://www.noiseprotocol.org/noise.html chapter 7.8. “Personality hiding”
Authors are going to use signatures in the future. But to use signatures we need the full format of the points (both x and y coordinates or at least a sign of y), which is incompatible with X25519 Montgomery format.
There is an elegant way to fix this flaw by extending tDH using the SPEKE protocol performed in parallel.
SPEKE will only require a Hash2Point implementation based on Elligator2. This is easy to implement with elementary field math of X25519.
Alice is originator and connect to Bob.
SPEKE base point is derived from the value B * x == X * b where x is ephemeral key of Alice. Both sides compute SPEKE public keys using random ephemeral private keys independent of DH ephemeral private keys (x and y). The parties exchange DH and SPEKE keys simultaneously. SPEKE shared secret can be used to explicitly protect the sender's ID and is also included into tDH hash (there will now be four elements) to provide PFS of implicit ID protecting.
SPEKE has only recently become free so perhaps other effective combinations can be used to develop protocols with good properties.
Can in be applied in practice?
Best regards, Van Gegel.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Messaging