Hi Trevor,

Thanks for the prompt answer.

> In other asynchronous protocols (e.g. TextSecure) the initial setup
> just requires server contact to retrieve the recipient's "prekeys",
> and a bunch of computation. But even then, repeating this for every
> message would have more communication and computation costs than
> necessary, and relying entirely on prekeys for forward secrecy would
> have some downsides (one-time prekeys can be consumed; time-based
> prekeys have longer lifetimes),

I was thinking about something like this:

    if ratchet_flag:
        DHRs = generateECDH()
        RK = HASH( DH(A, DHRr) || DH(DHRs, B) || DH(DHRs, DHRr) )
        ratchet_flag = False

> so it's nice to take advantage of
> symmetric-key ratcheting.

But ratcheting involves a DH - otherwise we lose the future secrecy, no?

    RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) )

Thanks,
Sunny
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
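Worked example (added here by the editor; it is not code from Sunny's or Trevor's mails, nor from TextSecure/Axolotl itself) showing the two derivations in Sunny's pseudocode end to end: the triple-DH root key RK = HASH(DH(A, DHRr) || DH(DHRs, B) || DH(DHRs, DHRr)), one DH ratchet step RK, NHKs, CKs = KDF(HMAC-HASH(RK, DH(DHRs, DHRr))), and a symmetric-key chain hanging off CKs. It also makes the "future secrecy" point concrete: an attacker holding one chain key can regenerate every later message key in that chain, because the symmetric step takes nothing but the chain key, while the next root key additionally needs DH(DHRs, DHRr), which requires a ratchet private key. Assumptions not stated in the thread: X25519 (RFC 7748, implemented inline so the block runs offline) as the DH group, SHA-256 as HASH, HMAC-SHA256 as the PRF, HKDF-Expand as the KDF that splits one secret into three 32-byte keys, and the chain step MK = HMAC(CK, 0x01), CK' = HMAC(CK, 0x02).

```python
"""Axolotl-style root-key setup and DH ratchet step (editor's example).

Assumptions, none taken from the thread: X25519 for DH, SHA-256 for HASH,
HMAC-SHA256 as PRF, HKDF-Expand as the KDF, and a two-tag HMAC chain step.
Names follow Sunny's pseudocode: A/B identity keys, DHRs/DHRr ratchet keys,
RK root key, NHK next header key, CK chain key, MK message key.
"""
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(k, u):
    """RFC 7748 X25519 (Montgomery ladder) in pure Python: returns k*u."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64          # clamp the scalar
    k = int.from_bytes(kb, "little")
    ub = bytearray(u)
    ub[31] &= 127                         # ignore the top bit of u
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keygen():
    """Fresh X25519 key pair (private scalar, public u-coordinate)."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]


def initial_rk(dh1, dh2, dh3):
    """RK = HASH( DH(A, DHRr) || DH(DHRs, B) || DH(DHRs, DHRr) )"""
    return hashlib.sha256(dh1 + dh2 + dh3).digest()


def ratchet(rk, dh_out):
    """RK, NHKs, CKs = KDF( HMAC-HASH(RK, DH(DHRs, DHRr)) )"""
    prk = hmac.new(rk, dh_out, hashlib.sha256).digest()
    okm = hkdf_expand(prk, b"ratchet", 96)
    return okm[:32], okm[32:64], okm[64:96]


def chain_step(ck):
    """Symmetric-key ratchet: (MK, next CK) from CK alone, no DH involved."""
    return (hmac.new(ck, b"\x01", hashlib.sha256).digest(),
            hmac.new(ck, b"\x02", hashlib.sha256).digest())


def derive_message_keys(ck, n):
    """What anyone holding CK (a legitimate party or an attacker) can compute."""
    mks = []
    for _ in range(n):
        mk, ck = chain_step(ck)
        mks.append(mk)
    return mks


def run_session(n_messages=3):
    """Alice (A, DHRs) and Bob (B, prekey used as DHRr) set up, then ratchet once."""
    a_priv, a_pub = keygen()            # Alice identity key A
    b_priv, b_pub = keygen()            # Bob identity key B
    dhrs_priv, dhrs_pub = keygen()      # Alice's initial ratchet key DHRs
    dhrr_priv, dhrr_pub = keygen()      # Bob's prekey, acting as DHRr
    rk_a = initial_rk(x25519(a_priv, dhrr_pub), x25519(dhrs_priv, b_pub),
                      x25519(dhrs_priv, dhrr_pub))
    rk_b = initial_rk(x25519(dhrr_priv, a_pub), x25519(b_priv, dhrs_pub),
                      x25519(dhrr_priv, dhrs_pub))
    # DH ratchet: Alice sends a fresh DHRs; both mix DH(DHRs, DHRr) into RK.
    new_priv, new_pub = keygen()
    alice_keys = ratchet(rk_a, x25519(new_priv, dhrr_pub))
    bob_keys = ratchet(rk_b, x25519(dhrr_priv, new_pub))
    ck_s = alice_keys[2]
    return {
        "setup_agree": rk_a == rk_b,
        "ratchet_agree": alice_keys == bob_keys,
        "rk_changed": alice_keys[0] != rk_a,
        "ck0": ck_s,                                   # compromise scenario below
        "mks": derive_message_keys(ck_s, n_messages),  # Alice's sending keys
    }
```

Run `run_session()` and compare `derive_message_keys(result["ck0"], 3)` with `result["mks"]`: they are identical, which is the "no future secrecy from symmetric ratcheting alone" point. Only the `ratchet()` call, with its DH output, moves the root key to a value the holder of the old chain key cannot reach.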
