On Mon, Dec 15, 2014 at 4:16 AM, Sunny Marueli <[email protected]> wrote:
> Hi,
>
> I've been looking at the Axolotl Ratchet protocol and have a few questions:
>
> - If a message is lost, it seems one must try to decrypt an incoming message
> with different keys, one after the other. This seems wasteful - why not
> maintain a "ratchet count" that can map directly to the right root key to
> use?

In the non-header-encryption case the receiver can directly retrieve skipped message keys based on the header n value and the advertised ratchet public key. In the header-encryption case the receiver might have to attempt trial decryption of the header with stored header keys corresponding to missing messages. Not a big deal - probably just a small number of MAC verifications of <100 bytes.

> - Key chaining means all previous keys in the chain are required. Why not
> instead "reuse" the original handshake?

In some protocols (e.g. Pond) the initial setup requires out-of-band contact and a "rendezvous" protocol that is not feasible to do on every message, so you want to leverage the initial key agreement. In other asynchronous protocols (e.g. TextSecure) the initial setup just requires server contact to retrieve the recipient's "prekeys", and a bunch of computation. But even then, repeating this for every message would have more communication and computation costs than necessary, and relying entirely on prekeys for forward secrecy would have some downsides (one-time prekeys can be consumed; time-based prekeys have longer lifetimes), so it's nice to take advantage of symmetric-key ratcheting.

Anyways, we're aware that public specs on this stuff are poor, this will hopefully become clearer soon.

Trevor

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
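As an added example that is not part of the list message and not code from any Axolotl or TextSecure implementation: a toy Python model of the symmetric-key ratchet showing the direct lookup of skipped message keys by (ratchet public key, header n) that Trevor describes for the non-header-encryption case, so a late message needs no trial decryption with candidate keys. Everything in it is the example's own assumption: HMAC-SHA256 as the chain KDF, a constructed HMAC-based keystream plus tag standing in for a real AEAD, a single fixed ratchet public key (no DH ratchet step), and a constructed delivery order of five messages.

```python
"""Toy symmetric-key ratchet with out-of-order delivery (added example).

Not code from the list post or from TextSecure/Axolotl. Assumptions, all the
example's own: HMAC-SHA256 as the chain KDF, an HMAC-SHA256 counter-mode
keystream plus HMAC tag in place of a real AEAD, no DH ratchet step.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

MAX_SKIP = 100  # cap on stored skipped keys so a bogus header can't exhaust memory
TAG_LEN = 32


def kdf_ck(ck: bytes) -> Tuple[bytes, bytes]:
    """One symmetric ratchet step: returns (next chain key, message key)."""
    return (hmac.new(ck, b"\x01", hashlib.sha256).digest(),
            hmac.new(ck, b"\x02", hashlib.sha256).digest())


def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, b"ks" + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(mk: bytes, header: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with the header as associated data (toy AEAD)."""
    enc_key = hmac.new(mk, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(mk, b"mac", hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, header + ct, hashlib.sha256).digest()


def decrypt(mk: bytes, header: bytes, ciphertext: bytes) -> bytes:
    enc_key = hmac.new(mk, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(mk, b"mac", hashlib.sha256).digest()
    ct, tag = ciphertext[:-TAG_LEN], ciphertext[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))


class Sender:
    def __init__(self, ck: bytes, ratchet_pub: bytes):
        self.ck, self.n, self.pub = ck, 0, ratchet_pub

    def send(self, plaintext: bytes) -> Tuple[bytes, bytes]:
        self.ck, mk = kdf_ck(self.ck)
        header = self.pub + self.n.to_bytes(4, "big")  # (ratchet pub, n) sent in the clear
        self.n += 1
        return header, encrypt(mk, header, plaintext)


class Receiver:
    def __init__(self, ck: bytes, ratchet_pub: bytes):
        self.ck, self.n, self.pub = ck, 0, ratchet_pub
        self.skipped: Dict[Tuple[bytes, int], bytes] = {}

    def receive(self, header: bytes, ciphertext: bytes) -> bytes:
        pub, n = header[:32], int.from_bytes(header[32:], "big")
        # 1. A key saved for an earlier gap is found directly by (pub, n):
        #    no trial decryption against several candidate keys.
        if (pub, n) in self.skipped:
            pt = decrypt(self.skipped[(pub, n)], header, ciphertext)
            del self.skipped[(pub, n)]  # single use, then deleted for forward secrecy
            return pt
        if pub != self.pub:
            raise ValueError("unknown ratchet key (DH ratchet step not modelled here)")
        if n < self.n:
            raise ValueError("message key already used or deleted")
        if n - self.n > MAX_SKIP:
            raise ValueError("too many skipped messages")
        # 2. Advance a working copy of the chain to n, saving keys for the gap.
        ck, i, gap = self.ck, self.n, {}
        while i < n:
            ck, gap[(pub, i)] = kdf_ck(ck)
            i += 1
        ck, mk = kdf_ck(ck)
        pt = decrypt(mk, header, ciphertext)  # raises on a bad tag; state untouched
        # 3. Commit only after the tag verified, so a forged header can't burn keys.
        self.ck, self.n = ck, n + 1
        self.skipped.update(gap)
        return pt


def demo() -> Tuple[List[str], int]:
    """Constructed run: five messages delivered as 0, 3, 1, 2, 4."""
    ck, pub = os.urandom(32), os.urandom(32)  # stand-ins for the initial key agreement
    alice, bob = Sender(ck, pub), Receiver(ck, pub)
    msgs = [alice.send(b"msg %d" % i) for i in range(5)]
    got = [bob.receive(*msgs[i]).decode() for i in (0, 3, 1, 2, 4)]
    return got, len(bob.skipped)  # every skipped key was consumed and deleted


def replay_is_rejected() -> bool:
    ck, pub = os.urandom(32), os.urandom(32)
    alice, bob = Sender(ck, pub), Receiver(ck, pub)
    h, c = alice.send(b"once")
    bob.receive(h, c)
    try:
        bob.receive(h, c)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), replay_is_rejected())
```

The receiver advances a working copy of the chain and commits it only after the tag checks out; without that, a forged header carrying a large n would make the receiver derive and store up to MAX_SKIP keys and move its chain past messages it has not actually seen.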
