<p dir="ltr">On 23 Dec 2015 7:20 am, "Ben Harris" <<a href="mailto:mail@bharr.is">mail@bharr.is</a>> wrote:<br>
><br>
> On 22 Dec 2015 10:40 pm, "Max Skibinsky" <<a href="mailto:max@skibinsky.com">max@skibinsky.com</a>> wrote:<br>
> ><br>
> > > 5) Why use encryption of a secret as the ZKP of a_comm_pk? A signature would be the more conventional route.<br>
> ><br>
> > That is indeed a gnarly part, good catch. Main reason is the limit of<br>
> > a library we had to work with. Nacl uses different key formats for<br>
> > encryption (crypto_box) and signatures (crypto_sign). We based our web<br>
> > stack on nacl-js, which doesn’t yet support for conversion between<br>
> > these 2 types. So the judgment call was to either create<br>
> > unproven/untested code that will do sophisticated key converstion, or<br>
> > accept slightly bizzare structuring of the protocol, but keep all<br>
> > execution paths 100% within proven nacl functions. The latter seemed<br>
> > like significantly less risky choice.<br>
><br>
> Yes, good point. It would still be more idiomatic to use a HMAC instead of the encryption. You use the same key in both.</p>
<p dir="ltr">Actually, upon reading this again the real issue is that you are trying to use the same key pair for encryption and authentication.</p>
<p dir="ltr">Don't do that, the HPK should be based on a signing keypair (Ed25519). If you want to bootstrap an encryption session (curve25519 keypair or axolotl) just send the encryption keypair signed by the authentication keypair.</p>