[noise] Noise Explorer

Katriel Cohn-Gordon me at katriel.co.uk
Thu May 24 02:23:39 PDT 2018


> Maybe I missed something, but I thought Karthik was just describing
> the simple case where the sender of a message hasn't authenticated the
> recipient yet.

Ah, I was thinking of the case where one party hasn't authenticated the other *yet*, but is intending to do so later. (If an adversary attempts to forward messages as Karthik described, then this later authentication should fail.)

If the static public keys are in the transcript hash then I agree that this is not a problem. Nadim and I were wondering off-list whether there could be a form of deferred protocol which causes the static key to be left out of the transcript hash, but I don't think there is. It'd have to be some form of post-handshake auth...

Is it worth *explicitly* adding the static public keys to the KDF inputs if they exist, instead of having them present implicitly as one of the messages? That would duplicate them in most cases but avoids doubt.

best,
Katriel
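To make the point about the transcript hash concrete, here is a toy model of Noise-style handshake hashing, added here as an illustration; it is not code from the original mail, from Noise Explorer, or from the Noise project. It assumes a hypothetical protocol name, constructed 32-byte stand-ins for public keys, no actual DH (the real "ss"/"se" tokens would also mix DH outputs involving the static key into the chaining key), and a single HMAC step in place of Noise's HKDF. The `explicit_static` flag models the suggestion of feeding the static public key into the KDF explicitly, in addition to its implicit presence in the transcript hash via the "s" token.

```python
import hashlib
import hmac

# Constructed 32-byte placeholders standing in for Curve25519 public keys.
# No real DH is performed in this toy; it isolates the transcript-hash binding.
S_ALICE = hashlib.sha256(b"alice static (constructed)").digest()
S_MALLORY = hashlib.sha256(b"mallory static (constructed)").digest()
E_ALICE = hashlib.sha256(b"alice ephemeral (constructed)").digest()
PROTOCOL_NAME = b"Noise_toy_25519_ChaChaPoly_SHA256"  # hypothetical name


def mix_hash(h: bytes, data: bytes) -> bytes:
    """Noise MixHash: h = HASH(h || data)."""
    return hashlib.sha256(h + data).digest()


def mix_key(ck: bytes, ikm: bytes) -> bytes:
    """Simplified stand-in for Noise MixKey (one HMAC step instead of full HKDF)."""
    return hmac.new(ck, ikm, hashlib.sha256).digest()


def handshake_view(s_seen: bytes, e_seen: bytes, explicit_static: bool):
    """Handshake hash h and chaining key ck as computed by a party that sees
    ephemeral key e_seen and static key s_seen on the wire."""
    h = hashlib.sha256(PROTOCOL_NAME).digest()
    ck = h
    h = mix_hash(h, e_seen)       # "e" token: ephemeral public key, in the clear
    h = mix_hash(h, s_seen)       # "s" token: static key enters h implicitly
    if explicit_static:
        ck = mix_key(ck, s_seen)  # also feed the static key into the KDF explicitly
    return h, ck


def transcript_tag(h: bytes, ck: bytes) -> bytes:
    """Stand-in for the authentication later messages provide: a MAC keyed
    from ck over the handshake hash h (Noise uses h as AEAD associated data)."""
    return hmac.new(ck, h, hashlib.sha256).digest()


def verify_tag(h: bytes, ck: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(transcript_tag(h, ck), tag)


def forwarding_attack(explicit_static: bool) -> dict:
    """Alice sends (e, s). Mallory forwards the message to Bob with her own
    static key substituted for Alice's. Compare the two parties' views."""
    h_alice, ck_alice = handshake_view(S_ALICE, E_ALICE, explicit_static)
    h_bob, ck_bob = handshake_view(S_MALLORY, E_ALICE, explicit_static)
    tag = transcript_tag(h_alice, ck_alice)
    return {
        "h_matches": h_alice == h_bob,
        "ck_matches": ck_alice == ck_bob,
        "bob_accepts": verify_tag(h_bob, ck_bob, tag),
    }


if __name__ == "__main__":
    for explicit in (False, True):
        print("explicit static in KDF:", explicit, forwarding_attack(explicit))
```

In both variants the substituted static key changes h, so the later authentication step fails at Bob's side; the explicit variant additionally changes ck, which is the only difference the duplication buys in this toy (in real Noise the DH tokens already tie s to ck).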
