Improve key binding in introduction protocol
The introduction protocol provides the following guarantees:
- Each introducee knows that the ephemeral and identity public keys she received are owned by the other introducee
- Each introducee knows that the ephemeral and identity public keys she received were used by the other introducee in the same run of the protocol - in other words it binds each introducee's ephemeral key pair to the same introducee's identity key pair and vice versa
- Each introducee knows that the ephemeral public key she received was used by the other introducee in the current run of the protocol - in other words it binds the introducees' ephemeral key pairs to each other
Unlike the contact exchange protocol, the introduction protocol does not verify the personal identity of the other introducee. The other introducee may be a persona presented by the introducer as part of a man-in-the-middle attack. However, the introduction protocol guarantees that if an introducee later verifies that a person owns the identity public key she received, that person also owns the ephemeral public key she received, and no man-in-the-middle attack took place.
To achieve this, each introducee uses her identity key pair to sign a nonce derived from the ephemeral shared secret, and authenticates her identity key pair using a symmetric key derived from the ephemeral shared secret.
Each introducee knows that the nonce she received is fresh, as it depends on her own ephemeral key pair. The nonce itself therefore proves that the other introducee owns the ephemeral public key received by the first introducee, while the signature proves that the other introducee owns the identity public key received by the first introducee.
The nonce is unique to this combination of ephemeral key pairs, so the signature represents a claim by the owner of the received identity public key that she took part in a protocol run involving both ephemeral key pairs. Authenticating the identity public key with a symmetric key derived from the ephemeral shared secret represents a claim by the owner of the received ephemeral public keys that she took part in a protocol run involving both ephemeral key pairs and the identity key pair.
As far as I can tell, this construction is secure and achieves what we need, but it's unnecessarily convoluted. The binding and proof of ownership that's achieved by signing nonces could be achieved more straightforwardly by signing public keys:
- Each introducee signs both introducees' ephemeral public keys and timestamps using her identity key pair
- Each introducee authenticates both introducees' identity public keys, ephemeral public keys and timestamps, using a symmetric key derived from the ephemeral shared secret
If we're not concerned with deniability, each introducee can sign both introducees' identity public keys, ephemeral public keys and timestamps. But as far as I can see, we get all the assurance we need without doing this.
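A worked example of the proposed binding, added here in Go for illustration; it is not the project's own code. It assumes Ed25519 identity keys, X25519 ephemeral keys, a signed transcript consisting of both ephemeral public keys and both timestamps with the signer's values first, and SHA-256 over a fixed label and the shared secret as the symmetric key derivation; these are this example's choices, not anything the issue specifies.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

type Introducee struct {
	IdPub     ed25519.PublicKey
	idPriv    ed25519.PrivateKey
	EphPub    *ecdh.PublicKey
	ephPriv   *ecdh.PrivateKey
	Timestamp uint64
}
func NewIntroducee(ts uint64) *Introducee {
	idPub, idPriv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand never fails
	ephPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	return &Introducee{idPub, idPriv, ephPriv.PublicKey(), ephPriv, ts}
}
// transcript is what the identity key signs: both ephemeral public keys and both timestamps, signer first.
func transcript(signerEph, peerEph *ecdh.PublicKey, signerTs, peerTs uint64) []byte {
	t := binary.BigEndian.AppendUint64(append(signerEph.Bytes(), peerEph.Bytes()...), signerTs)
	return binary.BigEndian.AppendUint64(t, peerTs)
}
// authTag MACs both identity public keys and the signed transcript under a key derived from the shared secret (SHA-256 as KDF and HMAC-SHA256 as MAC are this example's assumptions).
func authTag(shared, signerId, peerId, t []byte) []byte {
	key := sha256.Sum256(append([]byte("introduction-mac-key"), shared...))
	m := hmac.New(sha256.New, key[:])
	m.Write(append(append(append([]byte{}, signerId...), peerId...), t...))
	return m.Sum(nil)
}
// Prove binds this introducee's identity and ephemeral keys to this run's ephemeral keys and timestamps.
func (p *Introducee) Prove(peerId ed25519.PublicKey, peerEph *ecdh.PublicKey, peerTs uint64) (sig, mac []byte, err error) {
	shared, err := p.ephPriv.ECDH(peerEph)
	if err != nil {
		return nil, nil, err
	}
	t := transcript(p.EphPub, peerEph, p.Timestamp, peerTs)
	return ed25519.Sign(p.idPriv, t), authTag(shared, p.IdPub, peerId, t), nil
}
// Verify checks the peer's signature and MAC against the keys and timestamp this introducee actually received.
func (p *Introducee) Verify(peerId ed25519.PublicKey, peerEph *ecdh.PublicKey, peerTs uint64, sig, mac []byte) bool {
	shared, err := p.ephPriv.ECDH(peerEph)
	t := transcript(peerEph, p.EphPub, peerTs, p.Timestamp)
	return err == nil && ed25519.Verify(peerId, t, sig) && hmac.Equal(authTag(shared, peerId, p.IdPub, t), mac)
}
```

A substituted ephemeral key, identity key or timestamp fails verification, whereas a peer that is merely a persona presented by the introducer still verifies with its own keys, which is exactly the limitation described above.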
Related to #901.