> This has the same security properties as Noise, but only uses ECC and Keccak. Keccak-f just to avoid any confusion (i.e. the permutation only, it uses different API and domain properties to Keccak).

forget() is weaker than Axolotl, as forget is just erasing state bits to prevent inverting the permutation (breaking a previous message). Axolotl creates new ephemerals to prevent breaking future messages too.

Using Keyak as the AEAD cipher for bodies is great. But using it for everything might present some issues with lost messages (can't skip a message without having the body) and the concurrency stuff you mention.

It would be interesting to look at an Axolotl-sponge that modifies Axolotl to suit a sponge construction like Keyak. One example is simplifying header encryption into two sequential calls to DuplexWrap instead of two decryptions with separate keys.

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
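
The distinction drawn in the reply above, as an added example that is not part of the original message or of either protocol: a sponge-style keystream whose state is captured after message 2, with and without erasing state bits before each permutation. Assumptions: `permute` is a toy invertible permutation standing in for Keccak-f, the rate/capacity split is arbitrary, forget() is modelled as zeroing the rate words, and all names and values are constructed for illustration.

```python
# Added illustration. permute() is a toy 128-bit permutation standing in for
# Keccak-f: invertible like Keccak-f, but NOT Keccak and NOT secure.
M = 0xFFFFFFFF
RATE = 2  # assumed split: words 0-1 are the rate (keystream), words 2-3 the capacity
KEY = [0x01234567, 0x89ABCDEF, 0x0F1E2D3C, 0x4B5A6978]  # constructed
PTS = [[0x6D736731, 1], [0x6D736732, 2], [0x6D736733, 3]]  # constructed messages

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M

def f(x, y, z, r):
    return rotl((x + y) & M, 7) ^ rotl(z, 13) ^ r

def permute(s, inverse=False):
    a, b, c, d = s
    for r in (reversed(range(16)) if inverse else range(16)):
        if inverse:
            a, b, c, d = d ^ f(a, b, c, r), a, b, c
        else:
            a, b, c, d = b, c, d, a ^ f(b, c, d, r)
    return [a, b, c, d]

def run(state, msgs, use_forget):
    """XOR each message with the rate, then step the state; returns (output, state)."""
    s, out = list(state), []
    for m in msgs:
        out.append([w ^ k for w, k in zip(m, s[:RATE])])
        if use_forget:
            s[:RATE] = [0] * RATE  # forget(): erase state bits before permuting
        s = permute(s)
    return out, s

def rollback(state, cts):
    """Walk a captured state backwards by inverting the permutation."""
    s, out = list(state), []
    for ct in reversed(cts):
        s = permute(s, inverse=True)
        out.append([w ^ k for w, k in zip(ct, s[:RATE])])
    return out[::-1]

def demo(use_forget):
    """State captured after message 2: are (earlier, later) messages readable?"""
    past_cts, captured = run(permute(KEY), PTS[:2], use_forget)
    later_cts, _ = run(captured, PTS[2:], use_forget)
    earlier = rollback(captured, past_cts) == PTS[:2]
    later = run(captured, later_cts, use_forget)[0] == PTS[2:]
    return earlier, later
```

`demo(False)` returns `(True, True)` and `demo(True)` returns `(False, True)`: in this model, erasing state bits protects the earlier messages only, while later messages remain derivable from the captured state in both cases.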
