diff options
author | Richard van der Hoff <richard@matrix.org> | 2019-11-08 13:48:34 +0000 |
---|---|---|
committer | Richard van der Hoff <richard@matrix.org> | 2019-11-08 13:48:34 +0000 |
commit | a9c7bde4577030e000c1742ccc2e660ac040b899 (patch) | |
tree | 73ce20d14b1c15a26e780fec984df91ed32e4ecf /docs | |
parent | 52098b3af7885094d13d035ae98ce7e746cf7954 (diff) |
Update signing.md
Diffstat (limited to 'docs')
-rw-r--r-- | docs/signing.md | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/docs/signing.md b/docs/signing.md index fcc5342..58a2b5e 100644 --- a/docs/signing.md +++ b/docs/signing.md @@ -49,13 +49,14 @@ compromised keys, and sends a pre-key message using a shared secret $`S`$, where: ```math -S = ECDH\left(I_A,\,E_E\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\; - \parallel\;ECDH\left(E_A,\,E_E\right) +S = ECDH\left(I_A,E_E\right)\;\parallel\; + ECDH\left(E_A,I_B\right)\;\parallel\; + ECDH\left(E_A,E_E\right) ``` Eve cannot decrypt the message because she does not have the private parts of either $`E_A`$ nor $`I_B`$, so cannot calculate -$`ECDH\left(E_A,\,I_B\right)`$. However, suppose she later compromises +$`ECDH\left(E_A,I_B\right)`$. However, suppose she later compromises Bob's identity key $`I_B`$. This would give her the ability to decrypt any pre-key messages sent to Bob using the compromised one-time keys, and is thus a problematic loss of forward secrecy. If Bob signs his keys with his Ed25519 @@ -66,8 +67,9 @@ On the other hand, signing the one-time keys leads to a reduction in deniability. Recall that the shared secret is calculated as follows: ```math -S = ECDH\left(I_A,\,E_B\right)\;\parallel\;ECDH\left(E_A,\,I_B\right)\; - \parallel\;ECDH\left(E_A,\,E_B\right) +S = ECDH\left(I_A,E_B\right)\;\parallel\; + ECDH\left(E_A,I_B\right)\;\parallel\; + ECDH\left(E_A,E_B\right) ``` If keys are unsigned, a forger can make up values of $`E_A`$ and |