[noise] A Noise-based protocol for signatures?

Paul Chiusano paul.chiusano at gmail.com
Tue Jul 19 09:11:49 PDT 2016 

> Messages in Noise aren't signed. There is no signature to verify. In
your setup, Mallory would be able to impersonate you because she will
derive the same TX/RX keys as Alice.

Ah, I see. I was pretty confused about what the dhss token accomplished -
the only thing that would ensure (I think, correct me if I am wrong) is
that decrypting replies to me on the channel after that point requires
knowledge of my corresponding private key. It wouldn't prevent anyone from
producing the "signed" message in the first place.

> If that is your goal, I don't think Noise is what you want. You'll want
to look in to Ed25519, ECDSA, etc.

Cool, thanks.

Paul :)

On Tue, Jul 19, 2016 at 11:03 AM Alex <alex at centromere.net> wrote:

> On Tue, 19 Jul 2016 14:24:17 +0000
> Paul Chiusano <paul.chiusano at gmail.com> wrote:
>
> > > What if the message is passively intercepted by Mallory? She could
> > > then
> > run the rest of the handshake herself and derive the same pair of
> > TX/RX symmetric keys as Alice would, thus making your secure channel
> > completely broken.
> >
> > That is totally fine. Mallory can also verify the "signature" too if
> > she wants. I don't care about transmitting the signature under
> > encryption.
> >
>
> Messages in Noise aren't signed. There is no signature to verify. In
> your setup, Mallory would be able to impersonate you because she will
> derive the same TX/RX keys as Alice.
>
> > Think of the use case - I publish a message somewhere public on the
> > internet, and others would like to verify the message was produced by
> > someone with my private key. So I include after the message a
> > "signed" hash of it, using the protocol I gave. We assume that
> > verifiers have out-of-band knowledge of my corresponding public key.
> >
>
> If that is your goal, I don't think Noise is what you want. You'll want
> to look in to Ed25519, ECDSA, etc.
>
> --
> Alex
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160719/0cc517b1/attachment.html>

More information about the Noise mailing list