[noise] A Noise-based protocol for signatures?

[Alex]

On Tue, 19 Jul 2016 13:39:26 +0000
Paul Chiusano <paul.chiusano at gmail.com> wrote:

> To verify, Alice reads the keypair, which is in the clear, then runs
> the rest of the handshake using my static public key, then decrypts
> the message. Due to the dhss token, decryption should fail unless the
> sender really was me or someone with my private key, right?
> 

What if the message is passively intercepted by Mallory? She could then
run the rest of the handshake herself and derive the same pair of TX/RX
symmetric keys as Alice would, thus making your secure channel
completely broken.

> Is this secure? The full keypair for the "dummy" recipient is
> transmitted in the clear as part of the signature, so does knowledge
> of that private key and the signature leak any information about my
> private key? And how easy would it be for someone to forge a
> signature?
> 

There are no signatures in Noise at this time. The purpose of the
protocol is to securely negotiate a pair of symmetric keys.

> And if both these are bad ideas, is there any proposal for doing
> digital signatures in Noise that would have good security properties?
> The key is that I would like something non-interactive, which can be
> verified by anyone with knowledge of the signer public key.
> 

All three non-interactive handshakes require the recipient to have a
static key and the sender to have knowledge of it. If your goal is to
provide authenticated messages without confidentiality, then I don't
think Noise is the right choice.

-- 
Alex