[messaging] "Short" authentication strings

Tony Arcieri bascule at gmail.com
Tue Jul 8 00:35:38 PDT 2014

On Mon, Jul 7, 2014 at 11:41 PM, Brian Warner <warner at lothar.com> wrote:

> * it sounds like you only care about authenticating the pubkeys, but
>   you're actually encrypting them too. You might be able to simplify
>   things: instead of xsalsa20, just use a keyed MAC (HMAC-SHA256 or bare
>   poly1305 aka "crypto_onetimeauth").

The "one weird trick" of my protocol is to launder key exchanges through a
"broadcast" feed containing both encrypted messages and key exchanges, both
padded to the same size (presently targeting ~64kB) and published to all
recipients (à la a remailer).

I'm interested in what happens when you impose this sort of artificial
constraint and whether it can positively impact a protocol's simplicity. It
seems to have worked out for Twitter.

Tony Arcieri