On Tue, 2018-01-09 at 12:34 +0000, Ximin Luo wrote:
> I was just forwarded this: https://eprint.iacr.org/2017/666 ..
> It looks very nice. However, on a quick glance through the paper, it doesn't
> define a way to merge operations performed on the DH group tree. That seems
> to constrain the group chat to rely on some external mechanism to ensure that
> operations on the ratchet are performed (by everyone) in a linear order
I'd expect your root keys would form a directed acyclic graph without any canonical root key: you build the mapping from (contact, H(rootkey)) to H(contact,rootkey) for all contacts and recent root keys. Any message that updates a root key contains a list of H(rootkey) to incorporate, so those can use the H(contact,rootkey) and discard them along with antecedents. We must use HMAC(contact,rootkey) rather than rootkey itself so that rootkey does not lie around waiting for some lazy guy who never replies.

Best,
Jeff
_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging
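The root-key DAG Jeff sketches above, as an added worked model (example code, not from the post or from any project): each participant stores only HMAC(contact, rootkey) under (contact, H(rootkey)), an update names the H(rootkey) heads it incorporates, antecedents are discarded, and two parties converge on the same merged key without a canonical root key. The combining rule, the discard timing and all sample values are my assumptions.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def T(contact: bytes, rootkey: bytes) -> bytes:
    """HMAC(contact, rootkey): the stored form; the raw rootkey is never kept."""
    return hmac.new(contact, rootkey, hashlib.sha256).digest()

class Participant:
    def __init__(self, contacts):
        self.contacts = contacts
        self.tags = {}     # (contact, H(rootkey)) -> HMAC(contact, rootkey)
        self.parents = {}  # H(rootkey) -> antecedent hashes (the DAG edges)

    def learn(self, rootkey, antecedents=()):
        # Record per-contact tags for rootkey plus its DAG edges, then forget rootkey.
        hk = H(rootkey)
        for c in self.contacts:
            self.tags[(c, hk)] = T(c, rootkey)
        self.parents[hk] = tuple(antecedents)
        return hk

    def apply_update(self, sender, heads):
        # Incorporate the heads named in sender's update; return H(new rootkey).
        # ASSUMED combining rule: hash the sender's tags for the named heads, in order.
        new_root = H(b"merge" + b"".join(self.tags[(sender, hk)] for hk in heads))
        new_hk = self.learn(new_root, heads)
        # ASSUMED timing: drop antecedents of the heads; heads stay one round so a
        # concurrent update that also names them can still be merged.
        for hk in heads:
            self._discard(self.parents[hk])
        return new_hk

    def _discard(self, hashes):
        stack = list(hashes)
        while stack:
            hk = stack.pop()
            stack.extend(self.parents.pop(hk, ()))
            for c in self.contacts:
                self.tags.pop((c, hk), None)

def demo():
    alice, bob = b"alice", b"bob"
    A, B = Participant([alice, bob]), Participant([alice, bob])
    r0 = b"constructed initial shared root key"  # constructed sample value
    h0 = A.learn(r0); B.learn(r0)
    # Concurrent ratchet steps by both parties, each naming only h0.
    h1 = A.apply_update(alice, [h0]); B.apply_update(alice, [h0])
    h2 = B.apply_update(bob, [h0]); A.apply_update(bob, [h0])
    # Alice's next update names both heads: the merge needs no canonical root key.
    h3a, h3b = A.apply_update(alice, [h1, h2]), B.apply_update(alice, [h1, h2])
    return h3a == h3b, (alice, h0) in A.tags, r0 in A.tags.values()
```

demo() returns (True, False, False): both sides derive the same merged key, the h0 entries are gone once it is an antecedent, and no raw root key is ever present in the table.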