On Fri, Nov 04, 2016 at 07:28:10PM -0700, Trevor Perrin wrote:
> A spec for the "X3DH" key agreement protocol used in Signal is
> available at [1].
> 
> We'd welcome feedback.  Eventually we should take spec discussion to a
> more specific venue, but hopefully this list doesn't mind for now.

how about a simple post-quantum extension to this protocol à la cecpq1? like 
this:

1. besides the prekey, bob also publishes the public part of newhope_keygen,
preferably also signed by the IKB.

2. when alice retrieves the prekey, at the end of the triple-dh she also
concatenates the key from newhope_sharedb, adding a post-quantum component to
the final root-key derivation. her public part of the newhope_sharedb must also
be shared with bob in the first message.

3. when bob receives the first message from alice, he completes his
newhope_shareda with the parameters stored and/or sent by alice, concatenating
the output into the input of the root-key derivation.

does this make sense? the only drawback is that the prekeys and the first
message from alice grow by about 2K iirc.

best,s
_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging
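
The root-key derivation from steps 2 and 3 of the message above, as an added example that is not part of the original post or of Signal's code. The DH outputs and the NewHope key are constructed stand-ins; `hybrid_root_key`, the `info` string and the choice of SHA-256 are assumptions, while the 0xFF prefix and zero salt follow the KDF in the X3DH spec.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256, standard library only."""
    prk = hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_root_key(dh_outputs, pq_shared, info=b"X3DH+NewHope example"):
    """Root key from the triple-DH outputs with the NewHope key appended.

    Hypothetical helper: both alice (after newhope_sharedb) and bob (after
    newhope_shareda) would call it with the same four secrets.
    """
    if len(dh_outputs) != 3 or any(len(d) != 32 for d in dh_outputs):
        raise ValueError("expected three 32-byte DH outputs")
    # Fail closed: never fall back to a DH-only key when the post-quantum
    # part is absent, otherwise stripping it from the bundle is a downgrade.
    if pq_shared is None or len(pq_shared) != 32:
        raise ValueError("missing or malformed NewHope shared key")
    # Fixed-length fields keep the concatenation unambiguous.
    ikm = b"\xff" * 32 + b"".join(dh_outputs) + pq_shared
    return hkdf_sha256(b"\x00" * HASH_LEN, ikm, info)


# Constructed stand-ins for DH1..DH3 and the NewHope shared key (not real
# protocol output; a real run would take them from X25519 and NewHope).
DH = [hashlib.sha256(b"constructed DH%d" % i).digest() for i in (1, 2, 3)]
PQ = hashlib.sha256(b"constructed newhope shared key").digest()


def demo():
    alice = hybrid_root_key(DH, PQ)
    bob = hybrid_root_key(DH, PQ)
    # Someone who recovers all three DH outputs but not the NewHope key
    # (modelled here with a wrong guess) derives a different root key.
    dh_only = hybrid_root_key(DH, bytes(32))
    return alice == bob, alice != dh_only
```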
