
I've been trying to get a grasp of how the Signal protocol works. According to the spec, DH is done on four keys: IK_A, SPK_B, EK_A and IK_B:

If the bundle does not contain a one-time prekey, she calculates:

    DH1 = DH(IK_A, SPK_B)
    DH2 = DH(EK_A, IK_B)
    DH3 = DH(EK_A, SPK_B)
    SK = KDF(DH1 || DH2 || DH3)

Given that all these four keys are public keys and are announced through untrusted channels, couldn't a nefarious player compute the shared secret SK?

John M.
  • I think that this documentation is fuzzy. To compute DH, Alice uses the discrete logarithm of IK_A and EK_A known only by herself. – Ievgeni Jun 15 '21 at 17:52

1 Answer


In fact $DH1, DH2$ and $DH3$ are not "announced through untrusted channels".

I think that this documentation is fuzzy. To compute DH, Alice uses the discrete logarithm of IK_A and EK_A known only by herself.

To be more concrete, if $IK_A = g^{sk_A}$, and $SPK_B=g^{sk_B}$, with $sk_A$ a secret value already known by Alice.

Then she could compute DH(IK_A, SPK_B) by computing $(SPK_B)^{sk_A}$.

And Bob could compute DH(IK_A, SPK_B) by computing $(IK_A)^{sk_B}$.

This part of the protocol is secure under the computational Diffie-Hellman assumption.

But it is not necessarily enough to show the security of the whole protocol.

Ievgeni
  • Do you have a claim for the security under CDH? Indeed, without CDH the protocol is broken but, in this analysis of x3dh https://eprint.iacr.org/2016/1013. They had to rely on the GapDH. Now one could argue this is an artifact of the model, but at the same time these Bellare-Rogaway model for AKE seem highly reasonable. Hence, the attacker has more power than a CDH adversary and we need stronger assumptions. – Marc Ilunga Dec 17 '22 at 10:17
  • I was answering to the specific part asked by John not about the whole protocol (I will edit in my answer to precise). Maybe you should ask a new question more precise. – Ievgeni Dec 20 '22 at 11:47
  • I was mainly curious whether there was a new result on x3dh that directly proves security under CDH only, and did require an additional assumption. Maybe it's good to indicate that CDH is okay taken isolated, but the overall protocol is likely to need more assumptions in common security models. – Marc Ilunga Dec 20 '22 at 12:00
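The point of the answer, worked through in code (an added example, not from the question, the answer or the Signal project): both parties derive the same SK from the three DH values of the no-one-time-prekey case, each using its own private exponents, while an observer holding only the four public elements has nothing to raise to a private exponent. The group is a constructed toy (a Mersenne prime with base 3, not X25519) and the KDF is a simplified HKDF-SHA256, so the byte layout is an assumption, not the spec's.

```python
import hashlib
import hmac
import secrets

# Toy multiplicative group, constructed for illustration only.
# Real X3DH uses X25519; this group offers no real security.
P = 2**127 - 1
G = 3

def keygen():
    """Return (private exponent sk, public element g^sk mod P)."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def dh(sk_mine, pk_theirs):
    """DH as in the answer: the shared element pk_theirs^sk_mine, as 16 bytes."""
    return pow(pk_theirs, sk_mine, P).to_bytes(16, "big")

def kdf(key_material, info=b"toy X3DH"):
    """Simplified HKDF-SHA256 (extract, then one expand block) over DH1||DH2||DH3."""
    prk = hmac.new(b"\x00" * 32, key_material, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def alice_sk(ik_a_priv, ek_a_priv, ik_b_pub, spk_b_pub):
    """Alice's side: her private IK_A and EK_A against Bob's public keys."""
    dh1 = dh(ik_a_priv, spk_b_pub)   # DH(IK_A, SPK_B)
    dh2 = dh(ek_a_priv, ik_b_pub)    # DH(EK_A, IK_B)
    dh3 = dh(ek_a_priv, spk_b_pub)   # DH(EK_A, SPK_B)
    return kdf(dh1 + dh2 + dh3)

def bob_sk(ik_b_priv, spk_b_priv, ik_a_pub, ek_a_pub):
    """Bob's side: the same three DH values from his private SPK_B and IK_B."""
    dh1 = dh(spk_b_priv, ik_a_pub)   # (IK_A)^{sk_SPK_B}
    dh2 = dh(ik_b_priv, ek_a_pub)    # (EK_A)^{sk_IK_B}
    dh3 = dh(spk_b_priv, ek_a_pub)   # (EK_A)^{sk_SPK_B}
    return kdf(dh1 + dh2 + dh3)

def observer_attempt(observed):
    """All a passive observer can feed the KDF: the public elements alone."""
    return kdf(b"".join(pk.to_bytes(16, "big") for pk in observed))

def run_handshake():
    """Generate both parties' keys, derive SK on each side, return what was observable."""
    ik_a_priv, ik_a_pub = keygen()
    ek_a_priv, ek_a_pub = keygen()
    ik_b_priv, ik_b_pub = keygen()
    spk_b_priv, spk_b_pub = keygen()
    sk_alice = alice_sk(ik_a_priv, ek_a_priv, ik_b_pub, spk_b_pub)
    sk_bob = bob_sk(ik_b_priv, spk_b_priv, ik_a_pub, ek_a_pub)
    observed = (ik_a_pub, ek_a_pub, ik_b_pub, spk_b_pub)  # the untrusted-channel view
    return sk_alice, sk_bob, observed
```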