[Cryptography] Hohha quantum resistant end-to-end encryption protocol draft

Ersin Taskin hersintaskin at gmail.com
Mon Nov 26 03:37:42 EST 2018

On Fri, Nov 23, 2018 at 11:49 PM Peter Fairbrother <peter at tsto.co.uk> wrote:

> On 21/11/18 22:08, Bertrand Mollinier Toublet wrote:
> >
> >> On Nov 21, 2018, at 7:31 AM, Ersin Taskin <hersintaskin at gmail.com>
> wrote:
> >>
> >> [snip]
> >
> >> So, I think PSK scheme is interesting.
> I agree, and not just for use in a postquantum crypto setting.
> In fact, I cannot think of another option for an ultimately secure
> messaging system. I wonder why it is not mainstream, I don't know a
> messaging system that is PSK based or has PSK option.
> All OTPs are PSK.
> Len Sassaman used to use an OTP PSK - he would give people DVDs of
> random key material.
> Then there is WAP etc. And so on...
> There is/was at least one text messaging system which has preshared key
> exchange on mobiles using bar- and/or QR- codes. Nothing else afaik, the
> key is simply reused.
> Can't remember the name offhand, it was used by criminals who got caught
> and convicted through location tracing and thenceforward required each
> other to remove batteries from mobile phones when on a mission.

Let me repeat my context, which is obviously different from Hohha's: I think
people who are not crypto experts (doctors, students, lawyers, politicians,
businessmen, housewives, etc.) have the right to use WhatsApp (or
Telegram, or Skype, or Yahoo, etc.) in a user-friendly manner and get
ultimate security. Let us define it as PQ-resistant. The system I have in
mind should be P2P. It is for the people and run by the people. No
different messaging application than the one you use (say WhatsApp for all
messaging). No need to enter a PIN, etc. Mainstream. So the
OTP/WAP/2FA/criminal/no-name examples you gave do not answer my question.

The best I can think of is physical P2P PSK initialization (one PSK per
pair of people). Then ADH takes care of the session keys. Simple.

> FS is good, and in general I'd use authenticated DH to provide it in
> a simple preshared-key app.
> But the Hohha use-case is post-quantum-resistance, and DH won't provide
> FS in a Post Quantum setting.
> For PQ FS in a PSK app we would need some kind of PQ one-way key
> evolution function. There are several hash- and symmetric- based
> possibilities. The difficulties are synchronisation and in having to
> rely on the recipient, as ever.
> <rant> The proper term is forward secrecy, not perfect forward secrecy.
> DH can never provide perfect forward secrecy, as it can be broken using
> quantum computers (or even classical computers if you have enough of
> them). An OTP can provide perfect forward secrecy - where Alice exists,
> nothing else can. </rant>

I see we have been thinking the same way and only differ in our context and
therefore the threat model. The PSK is compromised via physical contact,
and session keys are compromised by MITM.

Session key randomness is built on top of PSK randomness. ADH is not PQ
resistant, but ADH on PSK is. Therefore, the session is PQ resistant
(against its threat model, which is MITM). The PSK threat model and the session
key (SK) threat model differ significantly. The two corresponding surgeons who
ask their assistants to use their laptops for their own work, but are
literate enough to use their mobile phones (like most doctors), can
communicate securely and easily against the crypto MITM because they live in
different countries/cities. The MITM cannot get their PSKs. All the
non-literate users need to know is to keep their devices physically secure
by obeying easy-to-understand rules of thumb. So the sessions are
PQ-resistant. If, however, a threat model which has close proximity can get
the PSK via some physical contact, then the sessions are not PQ-resistant
but are still pretty safe against the proximity threat (say the housewife
:)). So the scheme relies on the different and independent nature of the two
threat models to provide a messaging scheme for the people that is much more
secure and convenient than what is available. The beauty of ADH is that it can be
applied P2P, without the need for 2FA, vendor registration, pinning, etc.
Once again, the root of trust is the PSK, which is PQ-r; we use AE/ADH-like sexy
stuff only for session keys. The more fancy/sexy you go, the more
sophisticated (vulnerable and/or inconvenient) the system gets. The
simplicity of this model helps the security of the PSKs. Therefore, the
physical contact requirement for the attack is the key foundation of the

The fact that mainstream mail and messaging system vendors (WhatsApp,
Telegram, Yahoo, Google, Microsoft, etc.) do not provide people with such a
scheme is worth discussing and addressing, to me. That is my whole
motivation for the above context and scheme.

Where do we go from the above initial scheme? I think we should focus on
making session keys PQ-r even when PSKs are compromised. For that we have
time, and wish to have wide adoption among users in the meantime, because
we may need them to become more experienced, informed and eager for the
optimal construct. Still, this additional construct will most likely be
optional since it will be less convenient for the user.

I would personally love to have the freedom to make some of my WhatsApp
communication PQ-resistant relying on my physical security
habits/performance only and without relying on any vendor/provider.
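The scheme the post sketches (a per-pair PSK exchanged physically, then authenticated DH for session keys, so that an attacker who breaks DH still needs the PSK and an attacker who later steals the PSK still needs the ephemeral DH secret) as an added, stand-alone example. This is not code from the thread or from Hohha: the message layout, the protocol label, the HKDF construction and the peer names are assumptions made for this illustration. The PSK goes in as the HKDF salt over an X25519 exchange, and both sides exchange key-confirmation tags, so a man in the middle who does not hold the PSK is detected. X25519 is written out in plain Python (RFC 7748 ladder) so the file runs on the standard library alone; it is not constant-time and is for illustration only.

```python
"""Added example, not from the thread or Hohha: PSK-authenticated DH ("ADH on PSK").

Assumptions for this illustration: message layout, PROTO label, HKDF-SHA256
key schedule, peer names. X25519 below is plain-Python (RFC 7748 ladder),
NOT constant-time; use libsodium/cryptography for anything real.
"""
import hashlib
import hmac
import secrets

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")
PROTO = b"psk-adh-example-v0"   # assumed protocol label bound into the transcript


def _clamp(scalar: bytes) -> int:
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder; returns the 32-byte u-coordinate of k*u."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                      # secret-dependent branch: illustration only
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * (da - cb) * (da - cb) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
        i += 1
    return okm[:length]


def derive_keys(psk: bytes, own_priv: bytes, peer_pub: bytes,
                init_pub: bytes, resp_pub: bytes) -> dict:
    """session/confirm keys = HKDF(salt=PSK, ikm=DH output, info=transcript).
    Without the PSK a DH break gives nothing; without the ephemeral secret the
    PSK alone does not recover past keys (forward secrecy)."""
    dh = x25519(own_priv, peer_pub)
    if dh == bytes(32):   # RFC 7748 s6.1: all-zero output = low-order peer key
        raise ValueError("peer public key is a low-order point")
    transcript = PROTO + init_pub + resp_pub
    okm = hkdf_sha256(psk, dh, transcript, 64)
    return {"session": okm[:32], "confirm": okm[32:], "transcript": transcript}


def confirm_tag(confirm_key: bytes, role: bytes, transcript: bytes) -> bytes:
    return hmac.new(confirm_key, role + transcript, hashlib.sha256).digest()


def handshake(psk_alice: bytes, psk_bob: bytes, tamper=None):
    """Initiator Alice <-> responder Bob over an untrusted channel.
    tamper(pub) models an active attacker who swaps public keys in flight but
    has no PSK. Returns (alice_key, bob_key); raises ValueError on auth failure."""
    fwd = tamper or (lambda pub: pub)
    a_priv = secrets.token_bytes(32)
    a_pub = x25519(a_priv, BASEPOINT)
    a_pub_rx = fwd(a_pub)                                    # msg1 Alice->Bob: a_pub
    b_priv = secrets.token_bytes(32)
    b_pub = x25519(b_priv, BASEPOINT)
    bob = derive_keys(psk_bob, b_priv, a_pub_rx, a_pub_rx, b_pub)
    tag_b = confirm_tag(bob["confirm"], b"responder", bob["transcript"])
    b_pub_rx = fwd(b_pub)                                    # msg2 Bob->Alice: b_pub, tag_b
    alice = derive_keys(psk_alice, a_priv, b_pub_rx, a_pub, b_pub_rx)
    expect_b = confirm_tag(alice["confirm"], b"responder", alice["transcript"])
    if not hmac.compare_digest(tag_b, expect_b):
        raise ValueError("responder confirmation failed: PSK mismatch or MITM")
    tag_a = confirm_tag(alice["confirm"], b"initiator", alice["transcript"])
    expect_a = confirm_tag(bob["confirm"], b"initiator", bob["transcript"])  # msg3 Alice->Bob: tag_a
    if not hmac.compare_digest(tag_a, expect_a):
        raise ValueError("initiator confirmation failed")
    return alice["session"], bob["session"]


if __name__ == "__main__":
    psk = secrets.token_bytes(32)          # stands in for the physically exchanged PSK
    ka, kb = handshake(psk, psk)
    print("honest run, session keys match:", ka == kb)
    mitm_pub = x25519(secrets.token_bytes(32), BASEPOINT)
    try:
        handshake(psk, psk, tamper=lambda _pub: mitm_pub)
    except ValueError as exc:
        print("active MITM without the PSK:", exc)
```

Two things to notice when running it: every honest run yields a different session key because the ephemeral X25519 keys are fresh (that is the forward-secrecy part Peter asks about), and the confirmation tags bind both public keys into the transcript, so an attacker who substitutes keys in either direction cannot produce a tag that verifies under the PSK-derived confirmation key. Rejecting the all-zero DH output closes the low-order-point case; the rest of the hardening a real implementation needs (constant-time arithmetic, key-commitment to a session identifier, replay protection) is out of scope for this sketch.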