[noise] Questions about Signatures for Noise spec

Justin Cormack justin at specialbusservice.com
Mon Apr 8 05:10:41 PDT 2019


(replies inline)

On Mon, 8 Apr 2019 at 12:36, Lucas Manuel Rodriguez
<lucarodriguez at gmail.com> wrote:
>
> Hello folks,
>
> I'm working on a system that relies heavily on public key signatures and I came across the "Signatures for Noise" spec [1].
>
> Knowing it's unofficial/unstable I hope it's ok to ask a couple of questions here.
>
> 1) There's the following paragraph in the "Signature modifiers" section:
>
> "The "sig" modifier can only be used with patterns where "se" is not sent by
> the responder and "es" is not sent by the initiator, and "ss" does not appear.
> Attempting to apply it other patterns is invalid."
>
> It would be nice if you could elaborate on those statements.

For "ss" there is no equivalent with signatures; the other two just
point out that you can only sign an outbound message, signatures don't
have the symmetry that DH does.

> 2) Are you seeing a path towards "hybrid" patterns? Hybrid as in: DH + Signatures, e.g.:
>
> <- s
> ...
> -> e, es, s1, sig
>
> (The above pattern would allow 0-RTT encryption and authentication of initiator via signatures)

We have discussed hybrid patterns, there are some notes from the
January meetup, and I am planning to do some more work on this. I think
they can be useful in some situations.

> Or are there any problems/vulnerabilities that would prevent this from happening?

You can still replay these, so it is not a solution to all issues,
although if you have another way to prevent replay it can be useful.

> I'm new to the Noise Framework, so please bear with me :)
>
> [1]: https://github.com/noiseprotocol/noise_sig_spec
>
> Best,
> Lucas Manuel Rodríguez.
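Added example (not part of the original messages or of the Noise specifications): a Python check that applies the rule quoted in question 1 to handshake patterns written in the thread's notation. The function names are hypothetical; NX, XX, IX and IK are the standard patterns from the Noise specification.

```python
import re

def parse_pattern(text):
    """Return (pre_messages, messages); each is a list of (sender, tokens),
    with sender 'i' for '->' lines and 'r' for '<-' lines."""
    pre, current = [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "...":
            # Lines before "..." are pre-messages (keys known in advance).
            pre, current = current, []
            continue
        m = re.fullmatch(r"(->|<-)\s*(.*)", line)
        if m is None:
            raise ValueError(f"not a message line: {line!r}")
        sender = "i" if m.group(1) == "->" else "r"
        tokens = [t.strip() for t in m.group(2).split(",") if t.strip()]
        current.append((sender, tokens))
    return pre, current

def sig_modifier_violations(text):
    """Reasons the quoted rule rejects "sig" for this pattern (empty = allowed)."""
    _, messages = parse_pattern(text)
    problems = []
    for n, (sender, tokens) in enumerate(messages, 1):
        for tok in tokens:
            if tok == "ss":
                problems.append(f"message {n}: 'ss' appears")
            elif tok == "se" and sender == "r":
                problems.append(f"message {n}: 'se' sent by responder")
            elif tok == "es" and sender == "i":
                problems.append(f"message {n}: 'es' sent by initiator")
    return problems

# Standard Noise handshake patterns, in the notation used in the thread.
PATTERNS = {
    "NX": "-> e\n<- e, ee, s, es",
    "XX": "-> e\n<- e, ee, s, es\n-> s, se",
    "IX": "-> e, s\n<- e, ee, se, s, es",
    "IK": "<- s\n...\n-> e, es, s, ss\n<- e, ee, se",
}

if __name__ == "__main__":
    for name, text in PATTERNS.items():
        v = sig_modifier_violations(text)
        print(name, "ok for sig" if not v else "; ".join(v))
```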