On Wed, 2017-09-27 at 18:10 +0000, Trevor Perrin wrote:
> If you hash everything together you have to worry about
> collision-resistance, so you still need a similar-sized value (e.g.
> 200 bits).

If ACKs do not advance the ratchet, then one could offer a "current safety number" derived similarly to ratchet header encryption keys, right? I'm dubious that ACKs that do not advance the ratchet are worth this, but it should be more robust against partial collision attacks. It might be useful in legacy protocols that offer ACKs anyway, like say the next iteration of OTR on XMPP or something.

> So that doesn't reduce the size, but that does lose the ability to
> extract out individual "fingerprints" from the safety number halves.

Yes, but one could identify the "them" and "you" halves, perhaps via color or columns. I do think the ordering of "them" and "you" should be done the way you currently do it of course, so that people do not need to understand the difference.

Jeff
_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging
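The three constructions the thread contrasts, as an added illustration that is not code from the thread or from any Signal or OTR implementation: a two-half safety number (one half per identity key, halves ordered by value so both parties see the same digits while each half stays attributable to "you" or "them"), a single hash over both keys (same size, canonical ordering, but no half can be traced to one party), and the "current safety number" Jeff floats, here derived from ratchet state with HKDF in the same way header-encryption keys are. The iteration count, digit counts, HKDF labels, the sample identity keys and the root-key update are all assumptions chosen for the example.

```python
"""Safety-number constructions discussed on the list (illustrative, not Signal's code)."""
import hashlib
import hmac

# Constructed sample "identity keys": fixed bytes standing in for 32-byte public keys.
ALICE_IK = bytes(range(32))
BOB_IK = bytes(range(32, 64))

FP_ITERATIONS = 5200   # iterated hashing to slow brute-force on a half (assumed count)
FP_DIGITS = 30         # one half = 30 decimal digits, roughly 100 bits (assumption)


def fingerprint_half(identity_key: bytes) -> str:
    """One party's half: iterated SHA-512 over that key alone, rendered as decimal digits.

    Because each half commits to exactly one key, a substituted key has to hit the
    victim's specific half (a second-preimage-style target), not merely collide with
    some other hash output.
    """
    h = identity_key
    for _ in range(FP_ITERATIONS):
        h = hashlib.sha512(h + identity_key).digest()
    groups = []
    for i in range(0, FP_DIGITS, 5):            # 5 bytes -> one 5-digit group
        chunk = int.from_bytes(h[i:i + 5], "big")
        groups.append(f"{chunk % 100000:05d}")
    return "".join(groups)


def safety_number(my_ik: bytes, their_ik: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Two-half safety number as displayed plus the role ("you"/"them") of each half.

    Halves are ordered by value rather than by role, so both parties display the same
    60 digits without needing to know which half is whose; the UI can still colour or
    column the halves from the returned labels.
    """
    halves = sorted(
        [("you", fingerprint_half(my_ik)), ("them", fingerprint_half(their_ik))],
        key=lambda role_half: role_half[1],
    )
    return "".join(half for _, half in halves), halves


def combined_safety_number(ik_a: bytes, ik_b: bytes, bits: int = 200) -> str:
    """Single hash over both keys, truncated to `bits` (200 here, as in the thread).

    Ordering the keys canonically keeps both sides in agreement, but no part of the
    output corresponds to one party's key, so individual fingerprints cannot be
    extracted, and the attacker now only needs a collision across both inputs.
    """
    lo, hi = sorted([ik_a, ik_b])
    digest = hashlib.sha512(b"combined-safety-number" + lo + hi).digest()
    return digest[: bits // 8].hex()


def hkdf_sha256(ikm: bytes, info: bytes, salt: bytes = b"\x00" * 32) -> bytes:
    """Single-block HKDF (RFC 5869 extract + one expand step), enough for 32 bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def ratchet_step(root_key: bytes, dh_output: bytes) -> bytes:
    """Stand-in for a DH ratchet root-key update (assumed KDF, not a specific protocol's)."""
    return hkdf_sha256(dh_output, b"root-key-update", salt=root_key)


def current_safety_number(root_key: bytes, digits: int = 60) -> str:
    """Hypothetical "current safety number": derived from shared ratchet state the way
    header-encryption keys are, so it changes whenever the ratchet advances and is
    identical on both ends because both hold the same root key."""
    okm = hkdf_sha256(root_key, b"current-safety-number")
    return str(int.from_bytes(okm, "big") % 10**digits).zfill(digits)


if __name__ == "__main__":
    alice_view, alice_halves = safety_number(ALICE_IK, BOB_IK)
    bob_view, bob_halves = safety_number(BOB_IK, ALICE_IK)
    print("two-half, Alice:", alice_view, alice_halves)
    print("two-half, Bob:  ", bob_view, bob_halves)
    print("combined:       ", combined_safety_number(ALICE_IK, BOB_IK))
    rk0 = bytes(32)
    rk1 = ratchet_step(rk0, b"shared DH output")
    print("current, before:", current_safety_number(rk0))
    print("current, after: ", current_safety_number(rk1))
```

Running it shows why the ordering point matters: Alice and Bob print the same 60 digits, yet each side's label list tells the UI which half is its own. The combined variant prints 50 hex characters (200 bits) with no such split, and the ratchet-derived number changes after a single root-key update, which is exactly the property that makes it unsuitable if ACKs are supposed to leave the ratchet untouched.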