[Cryptography] Double ratchets, useful or PITA?

Phillip Hallam-Baker phill at hallambaker.com
Thu Oct 5 12:50:45 EDT 2017

I am reading the double ratchet docs again, trying to see if there is any
real advantage over just doing a rekey.

My basic key exchange is to use a 3 or 4 way DH as follows (ignoring the
mod p part)

Sender has long term credential {a, e^a} creates an ephemeral {x, e^x}.
Sends public keys e^a, e^x to recipient.

Receiver has long term credential {b, e^b}, optionally creates an ephemeral
{y, e^y}. Sends public keys e^b, e^y to recipient plus a witness value

Shared secret is s=KDF(e^abxy, m), witness value is KDF(e^abxy, w)

Receiver also replies with an opaque identifier for the connection of up to
1Kb (or so) which may be Kerberos ticket style.

I am anticipating a situation where Alice and Bob might have tens of
different encrypted streams between them simultaneously. They might have a
couple of web cams, a chat, shared desktop, etc. Some or all of these may
be across different device pairs.

Yes, I can do the ratchet but it seems to me that it is not buying me a
great deal that I can't get better by using the old ticket and shared
session key to get a new ticket and session key.

I can always do s_{n+1} = KDF(e^abxy + s_n, m)

But what is that really buying me? I cannot expect every party to keep
state on every possible sender/receiver pair. So an attacker can always say
'let's set up a completely new session'.

My protocol already has forward secrecy as the client and server both
contribute a nonce per key exchange and discard it.
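The exchange and the rekey step above, traced in code as an added example (not from the post). It assumes the shorthand e^abxy stands for the four pairwise DH values g^ab, g^ay, g^xb, g^xy that both sides can actually compute, reads the '+' in the rekey formula as concatenation, and uses a constructed toy group; the names kdf, combined_secret, session_keys, rekey and run are mine.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: the Mersenne prime 2^127 - 1 with generator 3.
# Enough to trace the protocol; a deployment would use a standard group.
P = (1 << 127) - 1
G = 3

def kdf(ikm: bytes, label: bytes) -> bytes:
    """HKDF-SHA256 (fixed salt, one output block); label is the post's m or w."""
    prk = hmac.new(b"salt:rekey-vs-ratchet", ikm, hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()

def keygen() -> tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def combined_secret(lt: int, eph: int, peer_lt: int, peer_eph: int, initiator: bool) -> bytes:
    """The post's e^abxy, taken (assumption) as the four pairwise DH values
    g^ab, g^ay, g^xb, g^xy, serialised in the same order on both sides."""
    lt_lt, eph_lt = pow(peer_lt, lt, P), pow(peer_lt, eph, P)
    lt_eph, eph_eph = pow(peer_eph, lt, P), pow(peer_eph, eph, P)
    parts = [lt_lt, lt_eph, eph_lt, eph_eph] if initiator else [lt_lt, eph_lt, lt_eph, eph_eph]
    return b"".join(v.to_bytes(16, "big") for v in parts)

def session_keys(ikm: bytes) -> tuple[bytes, bytes]:
    return kdf(ikm, b"m"), kdf(ikm, b"w")   # shared secret s, witness value

def rekey(s_prev: bytes, fresh_ikm: bytes) -> bytes:
    """s_{n+1} = KDF(e^abxy || s_n, m): a fresh exchange mixed with the old secret."""
    return kdf(fresh_ikm + s_prev, b"m")

def run() -> dict:
    a, ga = keygen(); b, gb = keygen()          # long-term credentials of sender and receiver
    x, gx = keygen(); y, gy = keygen()          # ephemerals for the first exchange
    ikm_a = combined_secret(a, x, gb, gy, True)
    ikm_b = combined_secret(b, y, ga, gx, False)
    (s1_a, w_a), (s1_b, w_b) = session_keys(ikm_a), session_keys(ikm_b)
    del x, y                                    # ephemerals discarded: forward secrecy
    x2, gx2 = keygen(); y2, gy2 = keygen()      # fresh ephemerals for the rekey
    ikm2_a = combined_secret(a, x2, gb, gy2, True)
    ikm2_b = combined_secret(b, y2, ga, gx2, False)
    s2_a, s2_b = rekey(s1_a, ikm2_a), rekey(s1_b, ikm2_b)
    # s2_unchained is what a brand-new session (no s_n mixed in) would derive
    return {"s1": (s1_a, s1_b), "w": (w_a, w_b), "s2": (s2_a, s2_b),
            "s2_unchained": session_keys(ikm2_a)[0]}
```

The last value shows the one thing the chained rekey adds over a fresh session: s_2 depends on s_1, so a party that never held s_1 cannot derive it even with the new exchange.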