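% \ts{x}: subscript helper for party/key labels, e.g. opk\ts{A}.
% Starred form: the argument never contains a paragraph, so a runaway
% argument is reported at the use site instead of much later.
\newcommand*{\ts}[1]{\textsubscript{#1}}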
|
|
% \newcommand{\sf}[1]{\textsf{#1}}
|
|
|
|
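% Two-column-wide float holding the message sequence chart.
% NOTE(review): a figure* in two-column mode does not honour `h'; the
% effective placement is top/bottom/page -- confirm against the class used.
\begin{figure*}[h!]
\centering
%\footnotesize % Apply footnotesize to all text
\setmsckeyword{} % empty keyword: nothing is printed in front of the (empty) chart title
\drawframe{no} % no frame around the chart; set to yes to draw one
\begin{msc}[
/msc/title top distance=0cm,
/msc/first level height=.1cm,
/msc/last level height=0.7cm, % Slightly reduced
/msc/head height=0cm,
/msc/instance width=0cm, % given once; the original repeated this key with the same value
/msc/head top distance=0.5cm,
/msc/foot distance=-0.0cm,
/msc/every label/.append style = { % extra style for all labels
/tikz/fill = white, % paint a white rectangle
/tikz/draw = none, % no border
/tikz/inner sep = 1pt % a little padding
},
/msc/condition height=0.1cm, % Reduced condition height
]{}
%%%%%%%%%%%%%%%%%% CONFIG %%%%%%%%%%%%%%%%%%%%%%%%%
\setlength{\instwidth}{0\mscunit} % to remove default box below agents
\setlength{\instdist}{6cm} % default value between agents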
|
|
|
|
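%%%%%%%%%%%%%%%%%% AGENTS %%%%%%%%%%%%%%%%%%%%%%%%%
% Instances left to right: Alice (initiator), Server, Bob (responder).
% Every message in the chart passes through the Server, which stores
% pre-key bundles and fans messages out.
% The one-row head tabulars carry no trailing \\: a trailing row break adds
% an empty row, so Alice's and the Server's heads would sit higher than Bob's.
\declinst{A}{ % Alice
\begin{tabular}[c]{c}
Alice (Initiator)
\end{tabular}
}{}
\declinst{Server}{ % Server
\begin{tabular}[c]{c}
Server
\end{tabular}
}{}
\declinst{B}{ % Bob
\begin{tabular}[c]{c}
Bob (Responder)
\end{tabular}
}{}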
|
|
|
|
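% Key generation on both sides: a long-term X25519 pair (opk/osk), an
% ephemeral X25519 pair (eph_pk/eph_sk), and a signature binding the
% ephemeral public key to the long-term identity.
% Sign(.) takes the *secret* key, consistent with Sign(ssk\_sk\ts{A}, x1)
% later in the chart; the peer verifies with CheckSign under the public opk.
% NOTE(review): X25519 pairs are DH keys; using them as signing keys
% presupposes that the Sign primitive in Table~\ref{tab:symbols} accepts
% such keys (e.g. via a conversion) or that opk/osk is additionally a
% signing pair -- confirm.
\action*{
\footnotesize
\begin{tabular}{@{}l@{}}
\text{// Begin P2P-layer operations} \\
\textsf{(opk\ts{A}, osk\ts{A}) = X25519\_Gen()} \\
\textsf{eph\_pk\ts{A}, eph\_sk\ts{A} = X25519\_Gen()} \\
\textsf{sig\_eph\_pk\ts{A} = Sign(osk\ts{A}, eph\_pk\ts{A})} \\
\end{tabular}
}{A}

\action*{
\footnotesize
\begin{tabular}{@{}l@{}}
\textsf{(opk\ts{B}, osk\ts{B}) = X25519\_Gen()} \\
\textsf{eph\_pk\ts{B}, eph\_sk\ts{B} = X25519\_Gen()} \\
\textsf{sig\_eph\_pk\ts{B} = Sign(osk\ts{B}, eph\_pk\ts{B})} \\
\end{tabular}
}{B}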
|
|
|
|
% \action*{
|
|
% \footnotesize
|
|
% \begin{tabular}{@{}l@{}}
|
|
% \textsf{(opk\textsubscript{A}, osk\textsubscript{A}) = X25519\_Gen()} \\
|
|
% \end{tabular}
|
|
% }{B}
|
|
|
|
|
|
\nextlevel[4.4]

% Out-of-band comparison of the long-term public keys. This is the trust
% anchor for every CheckSign below: the Server relays both bundles, so
% without this step it could substitute opk\ts{A}/opk\ts{B} wholesale.
% The Server is presumably listed only so the condition box spans the whole
% chart; it is not a party to the check -- confirm.
\condition{{{\footnotesize out-of-band mutual verification of \textsf{opk\textsubscript{A}, opk\textsubscript{B}}}}}{B,A,Server}

\nextlevel[2.3]
|
|
|
|
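% Pre-key publication and fetch through the Server. Bob uploads his bundle;
% the Server later returns exactly this bundle to Alice, so the upload must
% carry eph\_pk\ts{B} as well -- the Server cannot forward a value it never
% received (the original upload listed only opk\ts{B}, sig\_eph\_pk\ts{B}).
\mess{
\footnotesize
\textsf{
opk\ts{B}, eph\_pk\ts{B}, sig\_eph\_pk\ts{B}
}
}{B}{Server}

\nextlevel[1]

\mess{
\footnotesize
Alice requests Bob's pre-keys
}{A}{Server}

\nextlevel[1.5]

% Bundle returned verbatim. Alice checks sig\_eph\_pk\ts{B} under opk\ts{B}
% before using it (next action), so a Server that swaps eph\_pk\ts{B} would
% also have to forge that signature; swapping opk\ts{B} itself is what the
% out-of-band verification above guards against.
\mess{
\footnotesize
\textsf{
opk\ts{B}, eph\_pk\ts{B}, sig\_eph\_pk\ts{B}
}
}{Server}{A}

\nextlevel[1]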
|
|
|
|
% Alice's side of the 3DH handshake, run only if Bob's ephemeral key is
% authenticated under opk\ts{B}. The three shared secrets are
%   key1 = DH(osk_A, opk_B), key2 = DH(eph_sk_A, eph_pk_B), key3 = DH(eph_sk_A, opk_B);
% Bob must pair the matching secret/public keys on his side, i.e.
%   key1 = DH(osk_B, opk_A), key2 = DH(eph_sk_B, eph_pk_A), key3 = DH(osk_B, eph_pk_A).
% master is the concatenation, and HKDF turns it into r1 (used below as the
% session-wrapping key) and c1.
% NOTE(review): c1\ts{A} and the t1 pair are produced here but not used
% anywhere else in this figure -- presumably consumed by the elided ratchet
% steps; confirm or drop them from the chart.
\action*{
\footnotesize
\begin{tabular}{@{}l@{}}
\textsf{If CheckSign(opk\ts{B}, eph\_pk\ts{B}, sig\_eph\_pk\ts{B}):} \\
\textsf{key1 = DH(osk\ts{A}, opk\ts{B})} \\
\textsf{key2 = DH(eph\_sk\ts{A}, eph\_pk\ts{B})} \\
\textsf{key3 = DH(eph\_sk\ts{A}, opk\ts{B})} \\
\textsf{master\ts{A} = Concat(key1, key2, key3)} \\
\textsf{r1\ts{A}, c1\ts{A} = HKDF(master\ts{A})} \\
\textsf{(t1\_pk\ts{A}, t1\_sk\ts{A}) = DH\_Gen()} \\
\end{tabular}
}{A}

\nextlevel[6.5]
|
|
|
|
% Alice publishes her own bundle and the Server forwards it to Bob. There is
% no \nextlevel between the two \mess calls, so both arrows are drawn on the
% same level of the chart.
\mess{
\footnotesize
\textsf{
opk\ts{A}, eph\_pk\ts{A}, sig\_eph\_pk\ts{A}
}
}{A}{Server}

\mess{
\footnotesize
\textsf{
opk\ts{A}, eph\_pk\ts{A}, sig\_eph\_pk\ts{A}
}
}{Server}{B}

\nextlevel[1]
|
|
|
|
% Fan-out layer session set-up on Alice's side: a fresh symmetric ratchet
% key symkey\ts{A0} and a session signing pair ssk. Both are wrapped under
% the 3DH-derived key r1\ts{A} and the ciphertext is authenticated with a
% MAC under that same key.
% NOTE(review): r1\ts{A} serves as both the Encrypt key and the MAC key.
% Whether that is sound depends on the primitives in Table~\ref{tab:symbols}
% (fine if Encrypt is itself authenticated, a key-separation hazard
% otherwise); HKDF also yields c1\ts{A}, which is unused here -- confirm.
\action*{
\footnotesize
\begin{tabular}{@{}l@{}}
\text{// Begin fan-out layer operations} \\
% \textit{generates} \textsf{m1}, \textsf{symkey\ts{A0}} \\
\textit{generates} \textsf{symkey\ts{A0}} \\
\textsf{ssk\_pk\ts{A}, ssk\_sk\ts{A} = SignGen()} \\
\textsf{session\ts{A} = Encrypt(r1\ts{A}, Concat(ssk\_pk\ts{A}, symkey\ts{A0}))} \\
\textsf{session\_mac\ts{A} = MAC(r1\ts{A}, session\ts{A}) } \\
% \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{
% Hash(symkey\textsubscript{A0})
% }\\
% \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
% \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)}
\end{tabular}
}{A}
|
|
|
|
|
|
|
|
|
|
|
|
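% Bob's side of the 3DH handshake. Each keyi must be the same group element
% Alice computed:
%   Alice: key1 = DH(osk_A, opk_B)   key2 = DH(eph_sk_A, eph_pk_B)   key3 = DH(eph_sk_A, opk_B)
%   Bob:   key1 = DH(osk_B, opk_A)   key2 = DH(eph_sk_B, eph_pk_A)   key3 = DH(osk_B, eph_pk_A)
% key3 previously read DH(eph\_sk\ts{B}, opk\ts{A}), which pairs Bob's
% ephemeral key with Alice's long-term key and is a different element from
% Alice's key3; master\ts{A} and master\ts{B} could then never agree and the
% CheckMac further down would always fail.
% NOTE(review): c1\ts{B} and the t1 pair are not used elsewhere in this
% figure -- confirm they are consumed by elided steps.
\action*{
\footnotesize
\begin{tabular}{@{}l@{}}
\textsf{If CheckSign(opk\ts{A}, eph\_pk\ts{A}, sig\_eph\_pk\ts{A}):} \\
\textsf{key1 = DH(osk\ts{B}, opk\ts{A})} \\
\textsf{key2 = DH(eph\_sk\ts{B}, eph\_pk\ts{A})} \\
\textsf{key3 = DH(osk\ts{B}, eph\_pk\ts{A})} \\
\textsf{master\ts{B} = Concat(key1, key2, key3)} \\
\textsf{r1\ts{B}, c1\ts{B} = HKDF(master\ts{B})} \\
\textsf{(t1\_pk\ts{B}, t1\_sk\ts{B}) = DH\_Gen()} \\
\end{tabular}
}{B}

\nextlevel[6.5]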
|
|
|
|
% Alice's wrapped session (ciphertext plus MAC) is relayed to Bob. The
% Server holds only the public bundles, so it cannot derive r1\ts{A} and
% sees ciphertext only. Both arrows are drawn on the same level.
\mess{
\footnotesize
\textsf{
session\ts{A}, session\_mac\ts{A}
}
}{A}{Server}

\mess{
\footnotesize
\textsf{
session\ts{A}, session\_mac\ts{A}
}
}{Server}{B}

\nextlevel[1]
|
|
|
|
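% Bob accepts Alice's session only if the MAC verifies under his own
% r1\ts{B}; decryption must likewise use r1\ts{B} (the original decrypted
% under r1\ts{A}, a value Bob never holds -- the two keys coincide only
% because the 3DH secrets coincide). The MAC check comes first, so a
% tampered session\ts{A} is rejected before any decryption is attempted.
\action*{
\footnotesize
\begin{tabular}{@{}l@{}}
\textsf{if CheckMac(r1\ts{B}, session\ts{A}, session\_mac\ts{A}):} \\
\textsf{ssk\_pk\ts{A}, symkey\ts{A0} = Decrypt(r1\ts{B}, session\ts{A})} \\
% \textsf{session\_mac\ts{A} = MAC(r1\ts{A}, session\ts{A}) } \\
% \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{
% Hash(symkey\textsubscript{A0})
% }\\
% \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
% \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)}
\end{tabular}
}{B}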
|
|
|
|
% Alice's first fan-out message: advance the symmetric ratchet
% (symkey\ts{A0} -> symkey\ts{A1} via Hash), encrypt m1 under the new key,
% and sign the ciphertext with the session signing key whose public half
% Bob received inside session\ts{A}.
% NOTE(review): besides x1\_sig there is no separate integrity tag on x1;
% whether Encrypt itself authenticates is per Table~\ref{tab:symbols}.
\action*{
\footnotesize
\begin{tabular}{@{}l@{}}
\textit{generates} \textsf{m1} \\
% \textit{generates} \textsf{symkey\ts{A0}} \\
% \textsf{ssk\_pk\ts{A}, ssk\_sk\ts{A} = SignGen()} \\
% \textsf{session\ts{A} = Encrypt(r1\ts{A}, Concat(ssk\_pk\ts{A}, symkey\ts{A0}))} \\
% \textsf{session\_mac\ts{A} = MAC(r1\ts{A}, session\ts{A}) } \\
\textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{
Hash(symkey\textsubscript{A0})
}\\
\textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
\textsf{x1\_sig = Sign(ssk\_sk\ts{A}, x1)}
\end{tabular}
}{A}

\nextlevel[4]
|
|
|
|
% Delivery of the first message: Alice sends x1 and its signature to the
% Server, which fans them out to all receivers (only Bob is drawn here).
\mess{
\footnotesize
\textsf{
x1, x1\_sig
}
}{A}{Server}

\mess{
\footnotesize
server-side fan-out:
\textsf{
x1, x1\_sig
}
}{Server}{B}

\nextlevel[1]
|
|
|
|
% Bob verifies x1\_sig under the session public key ssk\_pk\ts{A} he
% recovered from session\ts{A}, advances his own copy of the ratchet key the
% same way Alice did, and decrypts. The signature check precedes decryption,
% so an unsigned or re-signed x1 is rejected before symkey\ts{A1} is used.
\action*{
\footnotesize
\begin{tabular}{@{}l@{}}
\textsf{if CheckSign(ssk\_pk\ts{A}, x1, x1\_sig):} \\
\textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{
Hash(symkey\textsubscript{A0})
}\\
\textsf{m1 = Decrypt(symkey\textsubscript{A1}, x1)} \\
\end{tabular}
}{B}

\nextlevel[2]
|
|
|
|
|
|
|
|
% \condition{{\footnotesize Secure channel establishment via AKE}}{B,A}
|
|
|
|
% \nextlevel[2.25]
|
|
|
|
% \mess{
|
|
% \footnotesize
|
|
% \textsf{
|
|
% pk\textsubscript{A}, symkey\textsubscript{A0}
|
|
% }
|
|
% }{A}{B}
|
|
|
|
% \nextlevel[0.6]
|
|
|
|
% \action*{
|
|
% \footnotesize
|
|
% \begin{tabular}{@{}l@{}}
|
|
% \textit{generates} \textsf{m1} \\
|
|
% \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{
|
|
% Hash(symkey\textsubscript{A0})
|
|
% }\\
|
|
% % \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
|
|
% % \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)}
|
|
% \end{tabular}
|
|
% }{A}
|
|
|
|
% \nextlevel[4.4]
|
|
|
|
% \mess{
|
|
% \footnotesize
|
|
% (server-side fan-out)
|
|
% \textsf{
|
|
% x1, x1\_sig
|
|
% }
|
|
% }{A}{B}
|
|
|
|
% \nextlevel[0.6]
|
|
|
|
% \action*{
|
|
% \footnotesize
|
|
% \begin{tabular}{@{}l@{}}
|
|
% \textsf{if CheckSign(sk\textsubscript{A}, x1\_sig))} \\
|
|
% \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{Hash(symkey\textsubscript{A0})} \\
|
|
% \textsf{m1 = Decrypt(symkey\textsubscript{A1}, x1)}
|
|
% % \textit{generates} \textsf{m1} \\
|
|
% % \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{
|
|
% % Hash(symkey\textsubscript{A0})
|
|
% % }\\
|
|
% % \textsf{x1 = Encrypt(symkey\textsubscript{A1}, m1)} \\
|
|
% % \textsf{x1\_sig = Sign(pk\textsubscript{A}, x1)}
|
|
% \end{tabular}
|
|
% }{B}
|
|
|
|
% \action*{
|
|
% \footnotesize
|
|
% \begin{tabular}{@{}l@{}}
|
|
|
|
% \textsf{if CheckSign(sk\textsubscript{A}, x1\_sig))} \\
|
|
% \textsf{symkey\textsubscript{A1}} $\leftarrow$ \textsf{Hash(symkey\textsubscript{A0})} \\
|
|
% \textsf{m1 = Decrypt(symkey\textsubscript{A1}, x1)} \\
|
|
% % \textsf{(pk\textsubscript{B}, sk\textsubscript{B}) = DH\_Gen()} \\
|
|
% % \textsf{(spk\textsubscript{B}, ssk\textsubscript{B}) = SignGen()} \\
|
|
% % \textsf{sig\_pk\textsubscript{B} = Sign(spk\textsubscript{B}, pk\textsubscript{B})}
|
|
% \end{tabular}
|
|
% }{B}
|
|
|
|
|
|
|
|
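\end{msc}

% Caption text unchanged except for the non-breaking space before \ref, so
% "Table" and its number cannot be split across a line break.
\caption{
An example instantiation of the nested ratchet protocol using 3DH as the pairwise ratcheting channel. In this example, Alice, the initiator, asynchronously establishes a shared secret with Bob, the responder, via 3DH. Alice then transmits her fan-out layer session, including her ratchet key \textsf{symkey\ts{A0}} and session public key \textsf{ssk\_pk\ts{A}}, using the established secure 3DH channel. Alice follows this by sending Bob her first message, encrypted and signed using her session, and fanned out by the server to all receivers, including Bob. We note the above handshake may be equivalently condensed into just a 3-way handshake; however, for the sake of example, we make explicit the transmission of the 3DH material, session material, and message material. Specified notation for cryptographic primitives, as well as their respective descriptions, are elaborated upon in Table~\ref{tab:symbols}.
}
% \label must follow \caption so \ref{fig:megolm} resolves to the figure number.
\label{fig:megolm}

\end{figure*}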
|
|
|