On 02/10/2015 07:33 PM, Ben Harris wrote:
>> This has the same security properties as Noise, but only uses ECC
>> and Keccak.
> Keccak-f just to avoid any confusion (i.e. the permutation only, it
> uses different API and domain properties to Keccak).
Ah right, good catch.
> forget() is weaker than Axolotl, as forget is just erasing state bits
> to prevent inverting the permutation (breaking a previous message).
> Axolotl creates new ephemerals to prevent breaking future messages too.
Yes, which is why I wrote:
[Mike] Once the connections are set up, you can ratchet them at will, either in
a simple way (using forget()) or by incorporating new DH ephemerals as in
Axolotl.
I was thinking that you could exchange ephemerals, then header(g^xy) and
forget() in some order.
> Using Keyak as the AEAD cipher for bodies is great. But using it for
> everything might present some issues with lost messages (can't skip a
> message without having the body) and the concurrency stuff you mention.
Hm, yes. It would only really work for protocols which run over TCP or
similar.
> It would be interesting to look at an Axolotl-sponge that modifies
> Axolotl to suit a sponge construction like Keyak. One example is
> simplifying header encryption into two sequential calls to DuplexWrap
> instead of two decryptions with separate keys.
Yeah, the simpler header encryption was really what I was after.
Cheers,
-- Mike
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging