+1 vote
Hello,

I have a few questions about round-trips in Exercise 11.

2c) A new round-trip starts with m8 and I understand that the previous round-trip started with m5. This means m6 and m7 are part of the round-trip. My question is now about m9 and m10. These messages are sent from B before m8 is received, so they use A's key from the previous round-trip, but they are sent after m8. Do we say they are part of the m8 round-trip, the previous one or are they not part of any round-trip? The exercise says m9 and m10 are not part of the previous round-trip, but I think they might be, because from A's perspective we do not know that they are sent after m8, we only receive them later.

2e) The exercise says the maximum number of round-trips that could have been started during the communication is 2. I would say it is 4 because A starts 2 and B starts 2. From my understanding, a round-trip can be started by both A and B and both have their own round-trips.

2f) A new round-trip starts with m1. The answer to m1 is m5, which means m7 would start a new round-trip from B's perspective. We obtain all local secrets in B's state before B sends m3. The way I understand it is that an attacker could now decrypt every message until B starts a new round-trip because we need to generate a new b' (Asymmetric Ratchet provides post-compromise security). With this, the first confidential message towards the attacker should be m7, but the exercise says it is m4.

Thanks in advance.

1 Answer

0 votes
Best answer
Hi,

before answering those questions, I will give a general definition of round-trips, which we will follow in the exam. I have also regraded the exercise accordingly.

Definition of a round trip from A's perspective:
1. A samples new PK_A when receiving a message with a new PK_B from B
2. A round-trip (for A) starts with the first message sent using new pk_A
3. All messages (in both directions) encrypted under pk_A belong to the same round-trip

For B the definition follows accordingly.

With that definition in mind, we can answer your questions.

2 c) You are correct that m9 and m10 belong to the same round-trip, as they are encrypted under the pk sent to B in m5. B only receives a new pk from A with m8.

2 e) You are also correct that A and B start two round-trips in their communication. As we were not clear about who had to start the round-trip we accept both 2 and 4 as a correct answer.

2 f) m2 also starts a new round-trip from A's perspective. This leads to B sampling a new private and public key for m4. Thus, m4 is the first message the attacker cannot decrypt.
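The round-trip definition from the answer, applied mechanically to a message trace, as an added example that is not part of the original thread. The trace and the message names x1 to x6 are constructed (this is not the Exercise 11 trace), ratchet keys are modelled as integer indices, and A is assumed to send first.

```python
from dataclasses import dataclass

@dataclass
class Party:
    own_key: int = 0        # index of the party's current ratchet key pair
    peer_key: int = 0       # newest peer public key received so far
    resample: bool = False  # a new peer key arrived: sample a fresh pair on next send

def classify(trace, initiator="A"):
    """Map each message to (sender, sender's key index, peer key index it was sent under)."""
    parties = {"A": Party(), "B": Party()}
    parties[initiator].resample = True      # the initiator samples its first key
    msgs = {}
    for action, who, msg in trace:
        p = parties[who]
        if action == "send":
            if p.resample:                  # rule 2: first send with the new key
                p.own_key += 1
                p.resample = False
            msgs[msg] = (who, p.own_key, p.peer_key)
        else:                               # "recv"
            sender_key = msgs[msg][1]
            if sender_key > p.peer_key:     # rule 1: message carries a new peer key
                p.peer_key = sender_key
                p.resample = True
    return msgs

def round_trip(msgs, msg, owner):
    """Rule 3: a message belongs to the owner's round-trip whose key it is bound to."""
    sender, own, peer = msgs[msg]
    return own if sender == owner else peer

def started(msgs, owner):
    """Number of round-trips the owner started (distinct own keys it sent with)."""
    return len({own for sender, own, _ in msgs.values() if sender == owner})

# Constructed trace: B sends x4 and x5 after A has sent x3 (new key),
# but before B has received x3.
TRACE = [
    ("send", "A", "x1"), ("recv", "B", "x1"),
    ("send", "B", "x2"), ("recv", "A", "x2"),
    ("send", "A", "x3"),
    ("send", "B", "x4"), ("send", "B", "x5"),
    ("recv", "B", "x3"), ("recv", "A", "x4"), ("recv", "A", "x5"),
    ("send", "B", "x6"),
]
MSGS = classify(TRACE)
```

In this trace x4 and x5 play the role discussed in 2 c): they are sent after x3 in wall-clock order, yet they fall into A's first round-trip because B had not yet received A's new key.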