author: Richard van der Hoff <richard@matrix.org> 2016-09-22 11:35:23 +0100
committer: Richard van der Hoff <richard@matrix.org> 2016-09-22 11:35:23 +0100
commit: ec91dd45705020c02edfe0d2593f8fb39085cb6a (patch)
tree: e2586da8939ecae1cd55b578a0e30b2165f3e242 /docs
parent: c07444d3e6826933800a621f81f8da15d855dcc7 (diff)
Megolm.rst: add Background and footer
Diffstat (limited to 'docs')
-rw-r--r-- docs/megolm.rst 39
1 files changed, 39 insertions, 0 deletions
diff --git a/docs/megolm.rst b/docs/megolm.rst
index 24bceed..9d49aef 100644
--- a/docs/megolm.rst
+++ b/docs/megolm.rst
@@ -3,6 +3,35 @@ Megolm group ratchet
An AES-based cryptographic ratchet intended for group communications.
+Background
+----------
+
+The Megolm ratchet is intended for encrypted messaging applications where there
+may be a large number of recipients of each message, thus precluding the use of
+peer-to-peer encryption systems such as `Olm`_.
+
+It also allows a receipient to decrypt received messages multiple times. For
+instance, in client/server applications, a copy of the ciphertext can be stored
+on the (untrusted) server, while the client need only store the session keys.
+
+Overview
+--------
+
+Each participant in a conversation uses their own session, which consists of a
+ratchet, and an Ed25519 keypair.
+
+Secrecy is provided by the ratchet, which can be wound forwards, via hash
+functions, but not backwards, and is used to derive a distinct message key
+for each message.
+
+Authenticity is provided via the Ed25519 key.
+
+The value of the ratchet, and the public part of the Ed25519 key, are shared
+with other participants in the conversation via secure peer-to-peer
+channels. Provided that peer-to-peer channel provides authenticity of the
+messages to the participants and deniability of the messages to third parties,
+the Megolm session will inherit those properties.
+
The Megolm algorithm
--------------------
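Review bot: The `Olm`_ reference at the end of the first Background paragraph has no hyperlink target added in this patch, and the footer visible in the second hunk defines only `Ed25519` and `HMAC-based key derivation function`; unless a ``.. _`Olm`:`` target already exists elsewhere in the file, docutils will report an unknown target name, so add one next to the other two. In the same section, "receipient" should be "recipient", and "Provided that peer-to-peer channel provides" reads better as "Provided that the peer-to-peer channel provides". The Overview says the ratchet can be wound forwards but not backwards, while Background says the client stores the session keys so it can decrypt messages more than once; a sentence stating which ratchet value a recipient keeps, and therefore which messages a stored session can still decrypt, would make that trade-off explicit for readers.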
@@ -206,6 +235,16 @@ The length of the signature is determined by the signing algorithm being used
(64 bytes in this version of the protocol). The signature covers all of the
bytes preceding the signaure.
+IPR
+---
+
+The Megolm specification (this document) is hereby placed in the public domain.
+
+Feedback
+--------
+
+Can be sent to richard at matrix.org.
+
.. _`Ed25519`: http://ed25519.cr.yp.to/
.. _`HMAC-based key derivation function`: https://tools.ietf.org/html/rfc5869
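Review bot: The body of the new Feedback section, "Can be sent to richard at matrix.org.", is a sentence fragment with no subject and depends on the heading to make sense; write it as a full sentence, for example "Feedback can be sent to richard at matrix.org." The heading "IPR" is an unexplained abbreviation and could be spelled out for readers who land on the section directly. While this part of the file is being touched, the context line just above the additions has "signaure", which should be "signature".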