[noise] A Noise-based protocol for signatures?

Paul Chiusano paul.chiusano at gmail.com
Tue Jul 19 07:24:17 PDT 2016


> What if the message is passively intercepted by Mallory? She could then
> run the rest of the handshake herself and derive the same pair of TX/RX
> symmetric keys as Alice would, thus making your secure channel
> completely broken.

That is totally fine. Mallory can also verify the "signature" too if she
wants. I don't care about transmitting the signature under encryption.

Think of the use case - I publish a message somewhere public on the
internet, and others would like to verify the message was produced by
someone with my private key. So I include after the message a "signed" hash
of it, using the protocol I gave. We assume that verifiers have out-of-band
knowledge of my corresponding public key.

> There are no signatures in Noise at this time. The purpose of the
> protocol is to securely negotiate a pair of symmetric keys.

Okay, well treat this as a hypothetical question if you prefer. I am hoping
to learn something here. So if the protocol I gave is broken in some way
I'd like to understand why... even if it's just pointers to further reading.

I feel like there should be a clear answer to this, like "don't do that,
because then cryptanalysis technique X becomes trivial and it's easy for
attacker to learn your private key" or "it's easy for anyone to
'impersonate' your 'signature' using this protocol, via the following
procedure..." Or if the answer is "I don't really know, no one has analyzed
that, and we cryptographers are a suspicious and conservative bunch, so
don't do it", well that's not very satisfying but okay.

Paul :)

On Tue, Jul 19, 2016 at 10:00 AM Alex <alex at centromere.net> wrote:

> On Tue, 19 Jul 2016 13:39:26 +0000
> Paul Chiusano <paul.chiusano at gmail.com> wrote:
>
> > To verify, Alice reads the keypair, which is in the clear, then runs
> > the rest of the handshake using my static public key, then decrypts
> > the message. Due to the dhss token, decryption should fail unless the
> > sender really was me or someone with my private key, right?
> >
>
> What if the message is passively intercepted by Mallory? She could then
> run the rest of the handshake herself and derive the same pair of TX/RX
> symmetric keys as Alice would, thus making your secure channel
> completely broken.
>
> > Is this secure? The full keypair for the "dummy" recipient is
> > transmitted in the clear as part of the signature, so does knowledge
> > of that private key and the signature leak any information about my
> > private key? And how easy would it be for someone to forge a
> > signature?
> >
>
> There are no signatures in Noise at this time. The purpose of the
> protocol is to securely negotiate a pair of symmetric keys.
>
> > And if both these are bad ideas, is there any proposal for doing
> > digital signatures in Noise that would have good security properties?
> > The key is that I would like something non-interactive, which can be
> > verified by anyone with knowledge of the signer public key.
> >
>
> All three non-interactive handshakes require the recipient to have a
> static key and the sender to have knowledge of it. If your goal is to
> provide authenticated messages without confidentiality, then I don't
> think Noise is the right choice.
>
> --
> Alex
>