Incidentally, for anyone following along, here's a great thread I had on Twitter regarding this: https://twitter.com/dbarrett/status/1353768706141163520 My current summary of Signal's primary design goal is:
Perhaps I'm looking at it the wrong way. Signal's primary design goal seems to be to *enable* truly effective self-destructing chats (which means enabling them to self-destruct at every layer), to limit the damage from device compromise. That is their primary differentiated feature.
Given that the device is the weak link (ie, the most likely place that a key would be compromised), and without self-destructing chats the device has a complete record of all past messages, then there's really no point to all the double-ratchet stuff (which exists purely to limit the damage of any individual key being compromised) because in the process of compromising any key, you also compromise *all messages* (obviating your need for the key in the first place). Does that seem a fair summary? -david On Mon, Jan 25, 2021 at 10:31 AM David Barrett <dbarrett@expensify.com> wrote:
On Sun, Jan 24, 2021 at 9:15 PM <jamesd@echeque.com> wrote:
1) This is perhaps an obvious question (I've got to start somewhere, after all), but what is the downside of the simplest possible solution, which I think would be for all participants to publish a public key to some common key server, and then for each participant in the chat to simply re-encrypt the message N-1 times -- once for each participant in the chat (minus themselves) using each recipient's public key?
This does not work in itself, because what assurance do you have that you are seeing the same public key as everyone else?
Yes, this does assume a central keyserver -- and I agree, it's possible that it lies to you, establishing a connection with someone other than who you requested (or even a man-in-the-middle). I don't know how to really solve that for real without some out-of-band confirmation that the public key returned by the keyserver (whether centralized or distributed) matches the public key of the person you want to talk to.
2) I would think the most significant problem with this ultra-simple design
is just performance: asymmetric encryption is just too expensive in practice to use for every single message,
Nah, because its cost in human generated messages is absolutely insignificant, particularly if you are using ed25519 or, better, ristretto25519
I think you are saying that performance isn't a real world concern, but forward secrecy is? If so, that makes sense.
-david