[Cryptography] Double ratchets, useful or PITA?

Phillip Hallam-Baker phill at hallambaker.com
Thu Oct 5 15:13:47 EDT 2017

On Thu, Oct 5, 2017 at 3:02 PM, Ron Garret <ron at flownet.com> wrote:

> On Oct 5, 2017, at 9:50 AM, Phillip Hallam-Baker <phill at hallambaker.com>
> wrote:
> If it’s helpful, I wrote a Javascript reference implementation of the
> Signal double-ratchet:
> https://github.com/rongarret/ratchet-js/
> For session-based comms like real-time chat I think it’s probably
> worthwhile.  For asynchronous comms, probably not so much.  IMHO.

What I am looking into doing right now is specifying the rekey mechanism
as follows:

* One of the outputs of the HKDF function is a 'RekeySalt' value

* Rekey Messages are authenticated and optionally encrypted under the
previous session key

* The RekeySalt value is the salt for the next HKDF Expand.

One of the peculiarities of the key agreement mechanisms that I am looking
at is that they all seem to be fixated on use of signatures for a key
agreement. Why not use a key agreement for a key agreement?

Both sides contribute an ephemeral key and an identity key, Bam, done!

Both sides are protected against perfidy by the other if they choose a
random ephemeral. It doesn't even need to be secret to protect against
small subgroup games.
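The rekey chain sketched in the message above (a RekeySalt output from one HKDF round, a rekey message authenticated under the previous epoch, that salt seeding the next round), as an added Python example that is not from the post or from ratchet-js. Assumptions: the authentication key is a separate HKDF output rather than the session key itself, the "contribution" bytes stand in for the fresh ephemeral key-agreement output, and the next round's input keying material is the previous session key concatenated with that contribution; the function names and the info string are made up.

```python
import hashlib
import hmac

HASH = hashlib.sha256
KEY_LEN = 32
TAG_LEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract step: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand step: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def derive_epoch(rekey_salt: bytes, ikm: bytes) -> dict:
    """One HKDF round. The previous RekeySalt is the salt; the outputs are a
    session key, an auth key for the next rekey message (assumption: kept
    separate from the session key) and the RekeySalt for the next round."""
    prk = hkdf_extract(rekey_salt, ikm)
    okm = hkdf_expand(prk, b"rekey-chain-example", 3 * KEY_LEN)
    return {"session": okm[:KEY_LEN],
            "auth": okm[KEY_LEN:2 * KEY_LEN],
            "rekey_salt": okm[2 * KEY_LEN:]}

def build_rekey_message(epoch: dict, contribution: bytes) -> bytes:
    """Rekey message = fresh key contribution || HMAC under the current epoch."""
    tag = hmac.new(epoch["auth"], contribution, HASH).digest()
    return contribution + tag

def accept_rekey_message(epoch: dict, message: bytes):
    """Verify the tag under the current epoch, then derive the next epoch using
    this epoch's RekeySalt as salt. Returns None when the tag does not verify."""
    contribution, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(epoch["auth"], contribution, HASH).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    # Assumption: chain the old session key into the new IKM with the contribution.
    return derive_epoch(epoch["rekey_salt"], epoch["session"] + contribution)

def rekey_chain(initial_secret: bytes, contributions: list) -> list:
    """Run a peer through successive rekeys from a constructed initial secret."""
    epochs = [derive_epoch(b"\x00" * KEY_LEN, initial_secret)]
    for c in contributions:
        msg = build_rekey_message(epochs[-1], c)
        nxt = accept_rekey_message(epochs[-1], msg)
        assert nxt is not None, "self-built rekey message must verify"
        epochs.append(nxt)
    return epochs
```

Both peers holding the same initial secret and processing the same rekey messages arrive at identical epochs, while a message with a flipped byte or one replayed against a later epoch's auth key is rejected before any new key is derived.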