[Cryptography] Hohha quantum resistant end-to-end encryption protocol draft

Ersin Taskin hersintaskin at gmail.com
Wed Nov 21 10:31:39 EST 2018

On Thu, Nov 15, 2018 at 11:04 PM Peter Fairbrother <peter at tsto.co.uk> wrote:

> On 15/11/18 13:10, Ismail Kizir wrote:
> > Hohha Protocol is a quantum safe communication protocol.
> > This is the technical whitepaper draft of our Hohha Messenger which
> > we'll publish soon with a MIT Licence.
> > Any contribution and or comment will be appreciated.
> > Link is a sharable link of a Google Docs document.
> >
> > https://lnkd.in/gpPXW8n
> Just had a quick look. It's a bit of a hodge-podge, isn't it. But
> there's worse:
> 1] The key renewal is worse than useless. If an existing key is not
> known to Alice, there is no reason to renew it - if it is known to
> Alice, she can deduce the new key. So it's useless.
> It's worse than useless because it introduces complexity and attack
> surface. KISS. I don't know of an attack on that part of the protocol
> offhand, but why take the chance?
PSK is an excellent idea. Renew PSK only with the same mechanism as its
creation, which means do not renew PSK at all. Any security gain you
probably imagined from renewal should come from extension of keylength. If
your value proposition is quantum secure message exchange, be generous with
the keylength. You are saved from ae already, you have enough space, use
it. Taking into account sidechannel defense and implementation
hardware/infrastructure you do not have a continuous choice space. Focus on
the convenience-security trade-off, more, make calculations and give
specific keylength offering based on calculations.

> 2] It uses an untested ?proprietary? roll-your-own algorithm. Ouch. Why
> not use something tested? Why allow an untested option, even as an option?
It is OK to propose an algorithm designed specifically for the PSK scheme
to be tested. I think everyone here (including Ismail) agrees that a real
world implementation should always use a well tested symmetric encryption.

> 3] it can be forced back into using quantum-insecure DH. Ouch. Mallory
> will have fun...
The use case of PSK scheme dictates that users use unbreakable passwords
and end-point is secure enough. Otherwise, there is no point to take the
inconvenience of the PSK scheme. If a user password or a PSK gets
compromised the only solution is physical contact through the same PSK
creation mechanism.

> 4] it places too high a burden on the user. Users are clueless about
> security, that's our job, not theirs.
Therefore, the only burden on the user should be physical contact as in
case of PSK initialization (creation and sharing) which is user-friendly,
though physically inefficient.

> 5] it relies on a trusted server.
It should not as long as the correspondents have a mutual PSK and the
protocol sticks to my suggestions above.

So, I think PSK scheme is interesting. In fact, I cannot think of another
option for an ultimately secure messaging system. I wonder why it is not
mainstream, I don't know a messaging system that is PSK based or has PSK
option. However, once you have PSK never go below. Once parties bother
physical contact for PSK initialization, the rest must be based on a simple
protocol which never goes outside the PSK initialization scheme. No online
key exchange, no asymmetric encryption, nothing fancy/sexy/complex.
