[OTR-dev] Forward secrecy/deniability for long messages with low overhead

Sergio Lerner sergiolerner at certimix.com
Fri Feb 22 16:43:18 EST 2013


On 22/02/2013 05:44 p.m., Ileana wrote:
> On Fri, 22 Feb 2013 14:47:14 -0300
> Sergio Lerner <sergiolerner at certimix.com> wrote:
>
>> BUFFER1[0]=IVK1
>> BUFFER1[i] =Hash(BUFFER1[i-1])
>>
>> BUFFER2[0]=IVK2
>> BUFFER2[i] =Hash(BUFFER2[i-1])
>>
>> Encryption: C = AES(EK,BUFFER1[i] XOR BUFFER2[i]) XOR P
> And also the security of the hash concatenation in this case provides
> no greater security/entropy than the highest hash... in particular
> the xor in this case reduces effective randomness of the hash, by
> creating a separate function f(i) = hash(yi) xor hash(zi), where y
> and z are dependent values... so why two hash buffers?  The value of xor
> of two non-random data values further decreases the entropy?
>

The idea of two buffers has nothing to do with security but with forward
secrecy. Even if the attacker knows:
  BUFFER1[i]       (the last computed state)
  BUFFER2[i]
  EK
  i
  C[0] .. C[i-1]   (all past communications)
  P[i-1]           (the last plaintext block sent)

He cannot know P[i-2] because this means deriving BUFFER1[i-1] from
(BUFFER1[i-1] XOR BUFFER2[i-1]), which is infeasible under the
assumption that BUFFER1 and BUFFER2 are independent random variables.
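A runnable model of the two-chain keystream quoted above, added here as an editor's example and not code from the thread. Hash is SHA-256, and HMAC-SHA256 keyed with EK stands in for the post's AES call so the script needs only the standard library; EK, IVK1, IVK2 and the plaintext blocks are constructed values. It walks through the compromise scenario in the reply: an attacker holding EK and the chain states at index i can derive every later keystream block, while applying those states to earlier ciphertext recovers nothing, because stepping a chain backwards is a hash preimage search (which the code can only state, not prove).

```python
"""Model of the two-hash-chain keystream discussed above (editor's example, not code from the thread)."""
import hashlib
import hmac


def advance(state: bytes) -> bytes:
    """One ratchet step, BUFFER[i] = Hash(BUFFER[i-1]); Hash is SHA-256 here (assumption).
    Going the other way is a SHA-256 preimage search, which is what the forward-secrecy claim rests on."""
    return hashlib.sha256(state).digest()


def chain(seed: bytes, i: int) -> bytes:
    """BUFFER[0] = seed (IVK1 or IVK2 in the post); returns BUFFER[i] after i forward steps."""
    state = seed
    for _ in range(i):
        state = advance(state)
    return state


def xor(a: bytes, b: bytes) -> bytes:
    """XOR of two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(ek: bytes, b1: bytes, b2: bytes) -> bytes:
    """The post's AES(EK, BUFFER1[i] XOR BUFFER2[i]).
    HMAC-SHA256 keyed with EK stands in for AES so this runs on the standard library (assumption);
    it yields one 32-byte keystream block, so plaintext is cut into blocks of at most 32 bytes."""
    return hmac.new(ek, xor(b1, b2), hashlib.sha256).digest()


def apply_keystream(ek: bytes, b1: bytes, b2: bytes, blocks: list) -> list:
    """Encrypt (or decrypt: XOR is its own inverse) a list of blocks, starting from
    states (b1, b2) and ratcheting both chains forward once per block.
    A party that keeps only the latest (b1, b2) cannot recompute earlier keystream blocks."""
    out = []
    for block in blocks:
        out.append(xor(keystream(ek, b1, b2), block))
        b1, b2 = advance(b1), advance(b2)  # old states are discarded
    return out


def demo() -> dict:
    """Constructed keys and message (not values from the thread), then the compromise scenario
    from the reply: the attacker obtains EK and the chain states at index i."""
    ek = hashlib.sha256(b"EK").digest()
    ivk1 = hashlib.sha256(b"IVK1").digest()
    ivk2 = hashlib.sha256(b"IVK2").digest()
    plaintext = [b"block-%02d" % n for n in range(6)]

    ciphertext = apply_keystream(ek, ivk1, ivk2, plaintext)
    roundtrip = apply_keystream(ek, ivk1, ivk2, ciphertext)

    i = 4
    b1_i, b2_i = chain(ivk1, i), chain(ivk2, i)
    # With the current states the attacker derives every later keystream block (no future secrecy).
    future = apply_keystream(ek, b1_i, b2_i, ciphertext[i:])
    # Applying the same states to earlier ciphertext gives nothing useful; recovering
    # BUFFER1[j], BUFFER2[j] for j < i would need SHA-256 preimages, which this code cannot model.
    past_attempt = apply_keystream(ek, b1_i, b2_i, ciphertext[:i])

    return {
        "plaintext": plaintext,
        "ciphertext": ciphertext,
        "roundtrip": roundtrip,
        "future": future,
        "past_attempt": past_attempt,
    }


if __name__ == "__main__":
    r = demo()
    print("round-trip ok:", r["roundtrip"] == r["plaintext"])
    print("attacker with state i=4 reads blocks 4..5:", r["future"])
```

The ratchet in apply_keystream discards each state after use; a real implementation would also need to overwrite the old state in memory, since the whole forward-secrecy argument assumes the attacker sees only the latest BUFFER1[i], BUFFER2[i].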
