Once upon a time...
Both proofs have seen several corrections, and live in similar, but slightly separate models.
Feature | Model #1 | Model #2 |
---|---|---|
Protocol modelling | ||
Encrypted handshake messages | ✅ | ❌ |
HKDF and HMAC decomposed into hash | ✅ | ❌ |
Key exchange and auth KEMs are same algorithm | ✅ | ❌ |
Security properties | ||
Adversary can reveal long-term keys | ✅ | ✅ |
Adversary can reveal ephemeral keys | ✅ | ❌ |
Adversary can reveal intermediate session keys | ❌ | ✅ |
Secrecy of handshake and traffic keys | ✅ | ✅ |
Forward Secrecy | ✅ | ✅ |
Multiple flavours of forward secrecy | ❌ | ✅ |
Explicit authentication | ✅ | ✅ |
Deniability | ❌ | ✅ |
[reuse]
!)Model your own protocols!
Thanks for your attention