On Wed, Jan 17, 2018 at 5:40 PM, Ximin Luo <infini...@pwned.gg> wrote:
>
> On the ART paper near the end it mentions: "we use the X3DH paper [..]
> extended to include the static-static DH key in order to prevent UKS and KCI
> attacks".
>
> After some digging we came across this part from [1]: "When [..] Bob’s
> long-term secret key [..] [and] pre-key is also compromised, ProVerif finds
> [..] a novel key compromise impersonation attack"
>
> Indeed, in this case the attacker can generate a new fake A-eph "from Alice"
> and compute X3DH(Alice, Bob) via
>
> Alice[public static] ^ Bob[private prekey] ||
> Fake-Alice[public eph] ^ Bob[private static] ||
> Fake-Alice[private eph] ^ Bob[public prekey]
>
> The defence is to turn X3DH into "X4DH", with an additional DH(Alice[static],
> Bob[static]) in there.

If Bob's static key is compromised, adding a static-static DH obviously will not help anything.

The only case it might help is if ephemerals are compromised but static keys are *NOT* compromised. That isn't a likely case, so doesn't seem worth the computational expense.

Trevor
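
Added example (not part of either message, and not code from the X3DH or ART authors): a toy model of the term-by-term computation quoted above, checking which combinations of leaked Bob keys let a forged initial message match the secret Bob derives, with and without the static-static term. The modular group, the missing KDF step and all function names are assumptions made for illustration.

```python
# Toy model of the X3DH / "X4DH" terms discussed in the thread.
# Assumptions (not from the thread): a multiplicative group mod a Mersenne
# prime stands in for the real curve, and the DH outputs are compared as a
# tuple instead of being fed through a KDF.
import secrets

P = 2**127 - 1   # toy modulus, NOT a secure parameter choice
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh(pub, priv):
    return pow(pub, priv, P)

def bob_session(a_pub, e_pub, b_priv, s_priv, static_static):
    """What Bob (responder) derives from an initial message (a_pub, e_pub)."""
    parts = [dh(a_pub, s_priv), dh(e_pub, b_priv), dh(e_pub, s_priv)]
    if static_static:                        # the extra "X4DH" term
        parts.append(dh(a_pub, b_priv))
    return tuple(parts)

def attacker_session(a_pub, b_pub, s_pub, e_priv, leaked, static_static):
    """Terms computable by someone holding a fake ephemeral plus the `leaked`
    Bob private keys ('static' and/or 'prekey'). Returns None when a term
    needs a private key that is not held."""
    if "prekey" not in leaked:
        return None                          # A^s needs Alice's static or s
    parts = [dh(a_pub, leaked["prekey"]),    # Alice static ^ Bob prekey
             dh(b_pub, e_priv),              # fake eph ^ Bob static (= E^b)
             dh(s_pub, e_priv)]              # fake eph ^ Bob prekey
    if static_static:
        if "static" not in leaked:
            return None                      # A^b needs a or b
        parts.append(dh(a_pub, leaked["static"]))
    return tuple(parts)

def impersonation_succeeds(leak_static, leak_prekey, static_static):
    (a, A), (b, B), (s, S), (e, E) = (keypair() for _ in range(4))
    leaked = {}
    if leak_static:
        leaked["static"] = b
    if leak_prekey:
        leaked["prekey"] = s
    forged = attacker_session(A, B, S, e, leaked, static_static)
    return forged is not None and forged == bob_session(A, E, b, s, static_static)
```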