[OTR-dev] Forward secrecy/deniability for long messages with low overhead
Sergio Lerner
sergiolerner at certimix.com
Fri Feb 22 16:43:18 EST 2013
On 22/02/2013 05:44 p.m., Ileana wrote:
> On Fri, 22 Feb 2013 14:47:14 -0300
> Sergio Lerner <sergiolerner at certimix.com> wrote:
>
>> BUFFER1[0]=IVK1
>> BUFFER1[i] =Hash(BUFFER1[i-1])
>>
>> BUFFER2[0]=IVK2
>> BUFFER2[i] =Hash(BUFFER2[i-1])
>>
>> Encryption: C = AES(EK,BUFFER1[i] XOR BUFFER2[i]) XOR P
> And also the security of the hash concatenation in this case provides
> no greater security/entropy then the highest hash...in particular
> the xor in this case reduces effective randomness of the hash, by
> create a seperate function f(i) = hash(yi) xor hash(zi), where y
> and z are dependant values...so why two hash buffers? The value of xor
> of two non-random data values, further decreases the entropy?
>
The idea of two buffers has nothing to do with security but with forward
secrecy. Even if the attacker knows:
BUFFER1[i] (the last computer state)
BUFFER2[i]
EK
i
C[0] .. C[i-1] (all past communications)
P[i-1] (the last plaintext block sent)
He cannot know P[i-2] because this means deriving BUFFER1[i-1] from
(BUFFER1[i-1] XOR BUFFER2[i-1]) which is infeasible under the
assumption that BUFFER1 and BUFFER2 are independent random variables.
More information about the OTR-dev
mailing list