Replying to Avatar JeffG

The new data being mixed in is a new ephemeral key that is generated as the root ratchet is turned, which in turn derives the chain keys. That new key would only be visible/accessible to an attacker if the users device was completely compromised to an attacker. At which point nothing is going to be useful.
Avatar
semisol 1y ago

Post-compromise security refers to recovery from a total leakage of internal state.

The DH ratchet uses continuous key exchanges to update itself in a non deterministic way.

In your case, this is not actually a DH ratchet, but a symmetric ratchet without any data mixed in (the root) being used to feed the sender and receiver ratchets. This makes the system state determinstic and gets rid of post-compromise guarantees, and has equivalent security guarantees as using a single ratchet for send and one for receive.

I also do not see how the “active participant changing” would be defined in contexts where there’s concurrent events being sent.

Reply to this note

Please Login to reply.

Discussion

Avatar
JeffG 1y ago

That’s incorrect. Each time the root (dh) ratchet is turned, the party turning generates a brand new keypair, does a dh calc, then includes the pubkey of the new keypair. As a tag. The output of that ratchet generates a new chain key. The other party has to use their current state plus the new pubkey to do a turn to catch up and then another (with another new ephemeral key) to get their other new chain key.

There is a DH exchange on each turn.

Avatar
semisol 1y ago

The only reference that I could find after looking through the spec a few times is a tag, and I couldn’t find any other documentation on this.

There also seems to be an assumption that there is strict message ordering.