Score:5

Why is forward secrecy needed at X3DH?

tl flag

In the official documentation of the X3DH Algorithm (link) an analysis of forward secrecy is made. Forward secrecy would be a useful property if we repeated the protocol multiple times. But in the Signal Protocol it is always used only once, to initialize the Double Ratchet Algorithm (which then on its own provides forward / backward secrecy and so on). So why do we care about the security of multiple rounds of X3DH when we use the Double Ratchet afterwards? Thanks in advance!

Score:1
tl flag

I think I have found the answer to my question. In the Sesame protocol (the session-management protocol of Signal), they describe an attack by a malicious server in which the security of the protocol relies on the forward secrecy of X3DH.

In Section 6.2 of the Sesame documentation they say:

"For example, the server could make each message received by the target device use a new X3DH initial message without a one-time prekey (by forging retry requests, or by repeatedly deleting and re-adding devices). In this case, messages sent to the target during the lifetime of a signed prekey’s private key would be decryptable if the attacker compromises that private key."
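To make the attack in the quoted passage concrete, here is an added example (not part of the question, the answer, or the Signal specifications) that runs a toy X3DH in pure Python once with and once without a one-time prekey, and then lets an attacker who has recorded Alice's initial message and has later compromised Bob's identity key and signed prekey private keys try to recompute the session key. The X25519 function is a transcription of the RFC 7748 Montgomery ladder (not constant-time, for illustration only); the prekey signature check is omitted because it does not affect the forward-secrecy point; the HKDF info string "ToyX3DH" and the 32 0xFF prefix bytes are assumptions chosen to mirror the structure of the X3DH KDF input. Without the one-time prekey, every DH input the attacker needs is available after the compromise, which is exactly why a server that forces repeated initial messages without one-time prekeys strips the protection the Sesame text warns about.

```python
"""Toy X3DH to show what the one-time prekey buys when long-term keys leak later (added example)."""
import hashlib
import hmac
import os

# --- X25519 per RFC 7748 (Montgomery ladder; NOT constant-time, illustration only) ---
P = 2**255 - 19
A24 = 121665


def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k*u on Curve25519; shared-secret function for all DH steps below."""
    k = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


BASEPOINT = (9).to_bytes(32, "little")


def keygen():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with an all-zero salt, as X3DH specifies."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


F = b"\xff" * 32      # X3DH prefixes the DH outputs with 32 0xFF bytes for X25519
INFO = b"ToyX3DH"     # assumption: application-specific info string


def x3dh_initiator(ik_a_priv, ek_a_priv, ik_b_pub, spk_b_pub, opk_b_pub=None):
    """Alice: DH1 = DH(IK_A, SPK_B), DH2 = DH(EK_A, IK_B), DH3 = DH(EK_A, SPK_B), [DH4 = DH(EK_A, OPK_B)]."""
    dh = [x25519(ik_a_priv, spk_b_pub), x25519(ek_a_priv, ik_b_pub), x25519(ek_a_priv, spk_b_pub)]
    if opk_b_pub is not None:
        dh.append(x25519(ek_a_priv, opk_b_pub))
    return hkdf_sha256(F + b"".join(dh), INFO)


def x3dh_responder(ik_b_priv, spk_b_priv, ik_a_pub, ek_a_pub, opk_b_priv=None):
    """Bob (or anyone holding Bob's private keys) recomputes the same DH values from the initial message."""
    dh = [x25519(spk_b_priv, ik_a_pub), x25519(ik_b_priv, ek_a_pub), x25519(spk_b_priv, ek_a_pub)]
    if opk_b_priv is not None:
        dh.append(x25519(opk_b_priv, ek_a_pub))
    return hkdf_sha256(F + b"".join(dh), INFO)


def run_session(use_opk: bool):
    """Run one X3DH, then simulate an attacker who recorded Alice's initial message and later
    obtains Bob's long-term private keys (IK_B, SPK_B). Returns (keys_agree, attacker_recovers_sk)."""
    ik_b_priv, ik_b_pub = keygen()
    spk_b_priv, spk_b_pub = keygen()
    opk_b_priv, opk_b_pub = keygen() if use_opk else (None, None)
    ik_a_priv, ik_a_pub = keygen()
    ek_a_priv, ek_a_pub = keygen()

    sk_alice = x3dh_initiator(ik_a_priv, ek_a_priv, ik_b_pub, spk_b_pub, opk_b_pub)
    # The initial message carries only public values (ik_a_pub, ek_a_pub, prekey ids); Alice deletes ek_a_priv.
    sk_bob = x3dh_responder(ik_b_priv, spk_b_priv, ik_a_pub, ek_a_pub, opk_b_priv)
    # Bob deletes the one-time prekey private key after use, so a later compromise cannot recover it.
    opk_b_priv = None
    # Later compromise: the attacker holds ik_b_priv and spk_b_priv plus the recorded initial message.
    recovered = x3dh_responder(ik_b_priv, spk_b_priv, ik_a_pub, ek_a_pub, opk_b_priv)
    return sk_alice == sk_bob, recovered == sk_bob


if __name__ == "__main__":
    print("with OPK   (agree, attacker recovers SK):", run_session(True))
    print("without OPK(agree, attacker recovers SK):", run_session(False))
```

With a one-time prekey the attacker is missing DH4, whose only private inputs (EK_A and OPK_B) were deleted, so the recorded message stays undecryptable even after the compromise; without it, DH1 through DH3 are fully determined by the leaked long-term keys and the public initial message. The implementation can be checked against the RFC 7748 section 6.1 test vectors before relying on it for anything beyond this illustration.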
