[Cryptography] Signal double-ratchet vs. future breaks in ECC?

Nemo nemo at self-evident.org
Tue Jul 31 13:54:17 EDT 2018


Jon Callas <jon at callas.org> writes:
>
> The double ratchet is really just a scheme for taking a credential and
> deriving a series of keys from that credential that has a bunch of
> desirable properties, but yes, if that initial credential exchange is
> compromised by any means from quantum computers to stupidity the whole
> security is blown. Game over.

Hi Jon, and thank you for your reply.

I actually do understand that part; I should have phrased my question
better. I am wondering what happens if the attacker does *not* intercept
all communications from the beginning of time, but only some subset of
them.

It looks to me like each step of the ratchet stirs together both the
current agreed key material *and* some new material agreed via ECDH. So
even an attacker who can break the key exchange would need to see *all*
of your key agreement traffic back to the beginning of time in order to
"replay the ratchet" and know your current key. So perhaps not
necessarily game over (?)

This is very informal, and I am not sure whether it would hold up
formally or even practically (e.g. does Signal ever fall back to a
completely fresh key agreement)?

 - Nemo
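
The root-key step described above, as an added example that is not part of the original thread and is not Signal's code: a simplified model of the Double Ratchet's KDF_RK (HKDF with the root key as salt and the DH output as keying material), using constructed stand-in DH outputs instead of real X25519 results, showing that replaying the chain requires every DH output back to the initial root key.

```python
import hashlib
import hmac

# Added illustration (not Signal's code): a simplified model of the Double
# Ratchet root chain. Each DH ratchet step mixes the current root key with a
# fresh DH shared secret through HKDF, so the new root key depends on both.
# The DH outputs below are constructed stand-ins, not real X25519 results.

def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Minimal HKDF-SHA256 (RFC 5869) using only the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                     # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def kdf_rk(root_key: bytes, dh_out: bytes) -> tuple:
    """Modelled on KDF_RK from the Double Ratchet spec: root key as salt,
    DH output as input keying material; returns (new_root_key, chain_key)."""
    okm = hkdf_sha256(root_key, dh_out, b"ratchet-root", 64)
    return okm[:32], okm[32:]

def replay_ratchet(initial_root: bytes, dh_outputs: list) -> bytes:
    """Feed every DH output in order and return the resulting root key.
    This is what the honest parties compute, and what an attacker must
    reproduce in full to learn the current root key."""
    rk = initial_root
    for dh in dh_outputs:
        rk, _chain_key = kdf_rk(rk, dh)
    return rk

# Constructed sample values: a shared initial root key and five per-step DH outputs.
INITIAL_ROOT = hashlib.sha256(b"constructed initial root key").digest()
DH_OUTPUTS = [hashlib.sha256(b"constructed dh output %d" % i).digest() for i in range(5)]

def attacker_can_replay(known_steps: set) -> bool:
    """Simulate an attacker who learned the initial root key and the DH outputs
    at the given step indices only; unknown steps are replaced by a guess.
    Returns True iff the attacker's replayed root key matches the real one."""
    guessed = [dh if i in known_steps else b"\x00" * 32 for i, dh in enumerate(DH_OUTPUTS)]
    return replay_ratchet(INITIAL_ROOT, guessed) == replay_ratchet(INITIAL_ROOT, DH_OUTPUTS)

if __name__ == "__main__":
    print("all steps observed:", attacker_can_replay(set(range(5))))   # True
    print("step 2 missed     :", attacker_can_replay({0, 1, 3, 4}))    # False
```

Note the model covers only the root chain; keys within a symmetric sending chain derive from the chain key alone until the next DH step mixes in fresh material, so a compromised chain key exposes messages until that step.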
