[Cryptography] Hohha quantum resistant end-to-end encryption protocol draft

Bertrand Mollinier Toublet crypto-metzdowd at bmt-online.org
Wed Nov 21 17:08:59 EST 2018

> On Nov 21, 2018, at 7:31 AM, Ersin Taskin <hersintaskin at gmail.com> wrote:
> [snip]

> So, I think PSK scheme is interesting. In fact, I cannot think of another option for an ultimately secure messaging system. I wonder why it is not mainstream, I don't know a messaging system that is PSK based or has PSK option. However, once you have PSK never go below. Once parties bother physical contact for PSK initialization, the rest must be based on a simple protocol which never goes outside the PSK initialization scheme. No online key exchange, no asymmetrical encryption, nothing fancy/sexy/complex.

I disagree that “online key exchange” and “fancy/sexy” schemes “go below” what PSK offers. As an example, let me refer you to MSL (https://github.com/netflix/msl) and specifically the Authenticated Diffie-Hellman key exchange section thereof (https://github.com/Netflix/msl/wiki/Authenticated-Diffie-Hellman-Key-Exchange).

The high-level point: Authenticated Diffie-Hellman builds on top of a PSK use case, where both the (Netflix) device and the backend endpoint share the same key. We recognize, though, that, with perfect forward secrecy in mind, it is not a particularly good idea to protect any on-the-wire message with the shared keys, and instead we proceed with a Diffie-Hellman key exchange, followed by further derivation of key material from the computed shared secret, with one of the shared keys.

Should the shared set of keys ever be broken, captured past on-the-wire messages would not be decryptable by an attacker, because the attacker could not know the shared secret or anything deriving therefrom.

In other words, reusing some of your vocabulary, we start from a PSK situation, but the Authenticated Diffie-Hellman scheme allows us to go up from there to add PFS properties.

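The exchange described in the reply above (ephemeral Diffie-Hellman whose public values are authenticated under the pre-shared key, with the session key derived from the DH shared secret together with the PSK), as an added worked example. This is not MSL's code and not the Hohha draft; it is a stand-alone illustration. Assumptions: a toy 127-bit Mersenne-prime group stands in for a real DH group or curve, HMAC-SHA256 tags authenticate each party's public value, and an RFC 5869 HKDF keyed with the PSK as salt derives the session key. All function and label names are the example's own.

```python
import hmac
import hashlib
import secrets

# Toy DH group (assumption, illustration only): p = 2**127 - 1 is a known
# Mersenne prime. Real deployments use a standard group (e.g. RFC 3526
# group 14) or an elliptic-curve exchange such as X25519.
P = 2**127 - 1
G = 3


def hkdf(salt, ikm, info, length=32):
    """RFC 5869 HKDF (extract, then expand) over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def encode(x):
    """Fixed-width big-endian encoding of a group element (fits in 16 bytes for P)."""
    return x.to_bytes(16, "big")


def generate_ephemeral():
    """Fresh per-session DH key pair; never reused across sessions."""
    priv = secrets.randbelow(P - 2) + 1  # in 1 .. P-2
    return priv, pow(G, priv, P)


def authenticate(psk, label, public):
    """Tag a public value under the PSK so the peer knows who sent it."""
    return hmac.new(psk, label + encode(public), hashlib.sha256).digest()


def verify(psk, label, public, tag):
    return hmac.compare_digest(authenticate(psk, label, public), tag)


def derive_session_key(psk, shared_secret, pub_a, pub_b):
    """Session key = HKDF(salt=PSK, ikm=DH shared secret, info=transcript).

    The PSK alone is not enough to recompute this: the DH shared secret
    (known only to holders of an ephemeral private exponent) is the IKM,
    which is what gives the session forward secrecy if the PSK leaks later.
    """
    info = b"demo-authdh|" + encode(pub_a) + encode(pub_b)
    return hkdf(psk, encode(shared_secret), info)


def run_exchange(psk_alice, psk_bob, tamper=False):
    """One authenticated DH run. Returns None if authentication fails.

    tamper=True simulates an on-path attacker altering Alice's public value
    without knowing the PSK; Bob's tag check must then reject it.
    """
    # Alice -> Bob: ephemeral public value plus PSK-keyed tag
    a_priv, a_pub = generate_ephemeral()
    a_tag = authenticate(psk_alice, b"A", a_pub)
    wire_a_pub = (a_pub + 1) % P if tamper else a_pub

    # Bob checks the tag before doing any DH math with the received value
    if not verify(psk_bob, b"A", wire_a_pub, a_tag):
        return None
    b_priv, b_pub = generate_ephemeral()
    b_tag = authenticate(psk_bob, b"B", b_pub)
    key_b = derive_session_key(psk_bob, pow(wire_a_pub, b_priv, P), wire_a_pub, b_pub)

    # Bob -> Alice: same pattern in the other direction
    if not verify(psk_alice, b"B", b_pub, b_tag):
        return None
    key_a = derive_session_key(psk_alice, pow(b_pub, a_priv, P), a_pub, b_pub)
    return {"key_a": key_a, "key_b": key_b, "transcript": (a_pub, b_pub)}


if __name__ == "__main__":
    psk = secrets.token_bytes(32)  # constructed sample PSK
    first, second = run_exchange(psk, psk), run_exchange(psk, psk)
    print("keys agree:", first["key_a"] == first["key_b"])
    print("fresh key per session:", first["key_a"] != second["key_a"])
    print("tampered value rejected:", run_exchange(psk, psk, tamper=True) is None)
```

Two properties are worth noticing when running it: the same PSK yields a different session key on every run, because the key depends on fresh ephemeral exponents rather than on the PSK alone, and a public value altered on the wire is rejected before any key is derived, because the PSK is what authenticates the exchange. Recording the transcript and learning the PSK later gives an attacker the ability to verify the tags, but not the DH shared secret that the session key is derived from.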