<div dir="ltr">> What if the message is passively intercepted by Mallory? She could then<br>
run the rest of the handshake herself and derive the same pair of TX/RX<br>
symmetric keys as Alice would, thus making your secure channel<br>
completely broken.<div><br></div><div>That is totally fine. Mallory can also verify the "signature" too if she wants. I don't care about transmitting the signature under encryption.</div><div><br></div><div>Think of the use case - I publish a message somewhere public on the internet, and others would like to verify the message was produced by someone with my private key. So I include after the message a "signed" hash of it, using the protocol I gave. We assume that verifiers have out-of-band knowledge of my corresponding public key.</div><div><br></div><div>> There are no signatures in Noise at this time. The purpose of the<br>
protocol is to securely negotiate a pair of symmetric keys.</div><div><br></div><div>Okay, well treat this as a hypothetical question if you prefer. I am hoping to learn something here. So if the protocol I gave is broken in some way I'd like to understand why... even if it's just pointers to further reading.</div><div><br></div><div>I feel like there should be a clear answer to this, like "don't do that, because then cryptanalysis technique X becomes trivial and it's easy for an attacker to learn your private key" or "it's easy for anyone to 'impersonate' your 'signature' using this protocol, via the following procedure..." Or if the answer is "I don't really know, no one has analyzed that, and we cryptographers are a suspicious and conservative bunch, so don't do it", well that's not very satisfying but okay.</div><div><br></div><div>Paul :)</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Jul 19, 2016 at 10:00 AM Alex <<a href="mailto:alex@centromere.net">alex@centromere.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, 19 Jul 2016 13:39:26 +0000<br>
Paul Chiusano <<a href="mailto:paul.chiusano@gmail.com" target="_blank">paul.chiusano@gmail.com</a>> wrote:<br>
<br>
> To verify, Alice reads the keypair, which is in the clear, then runs<br>
> the rest of the handshake using my static public key, then decrypts<br>
> the message. Due to the dhss token, decryption should fail unless the<br>
> sender really was me or someone with my private key, right?<br>
><br>
<br>
What if the message is passively intercepted by Mallory? She could then<br>
run the rest of the handshake herself and derive the same pair of TX/RX<br>
symmetric keys as Alice would, thus making your secure channel<br>
completely broken.<br>
<br>
> Is this secure? The full keypair for the "dummy" recipient is<br>
> transmitted in the clear as part of the signature, so does knowledge<br>
> of that private key and the signature leak any information about my<br>
> private key? And how easy would it be for someone to forge a<br>
> signature?<br>
><br>
<br>
There are no signatures in Noise at this time. The purpose of the<br>
protocol is to securely negotiate a pair of symmetric keys.<br>
<br>
> And if both these are bad ideas, is there any proposal for doing<br>
> digital signatures in Noise that would have good security properties?<br>
> The key is that I would like something non-interactive, which can be<br>
> verified by anyone with knowledge of the signer public key.<br>
><br>
<br>
All three non-interactive handshakes require the recipient to have a<br>
static key and the sender to have knowledge of it. If your goal is to<br>
provide authenticated messages without confidentiality, then I don't<br>
think Noise is the right choice.<br>
<br>
--<br>
Alex<br>
</blockquote></div>
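<p>An added illustration, not code from the Noise project or from either correspondent, of the point raised in the exchange above: in the scheme Paul describes, the verifier recomputes the "dhss" secret from the published dummy private key r and the signer's public key S, and because dh(r, S) == dh(s, R), that is exactly the computation needed to produce a valid tag without ever holding s. Assumptions: a from-scratch RFC 7748 X25519 ladder, SHA-256 in place of Noise's HKDF chaining-key derivation, and HMAC-SHA256 standing in for the Noise AEAD over the payload.</p>

```python
import hashlib, hmac, os

P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4, the Curve25519 ladder constant
BASE = (9).to_bytes(32, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    # RFC 7748 Montgomery ladder, written from scratch for this example.
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(seed: bytes = None):
    priv = seed or os.urandom(32)
    return priv, x25519(priv, BASE)

def tag_key(ss: bytes) -> bytes:
    # Assumption: SHA-256 stands in for Noise's HKDF chaining-key derivation.
    return hashlib.sha256(b"dhss-demo" + ss).digest()

def sign(msg: bytes, signer_priv: bytes, dummy_pub: bytes) -> bytes:
    # Signer side: tag under the key derived from dh(s, R), the "dhss" token.
    # Assumption: HMAC stands in for the Noise AEAD over the payload.
    return hmac.new(tag_key(x25519(signer_priv, dummy_pub)), msg, "sha256").digest()

def verify(msg: bytes, tag: bytes, signer_pub: bytes, dummy_priv: bytes) -> bool:
    # Verifier side: dh(r, S) == dh(s, R), and r was published in the clear.
    key = tag_key(x25519(dummy_priv, signer_pub))
    return hmac.compare_digest(hmac.new(key, msg, "sha256").digest(), tag)

def demo():
    s, S = keypair(); r, R = keypair()          # signer and published dummy
    msg = b"constructed sample message"
    genuine = verify(msg, sign(msg, s, R), S, r)
    # Same key from public data only (S, r, R): verify and produce coincide.
    forged = verify(b"other text", sign(b"other text", r, S), S, r)
    return genuine, forged
```

demo() returns True for both the genuine tag and the one built from public data alone, which is why a MAC under a publicly derivable key is not a signature: a real signature scheme keeps the signing operation private while verification is public.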