[noise] MAC'ing recipient public key

Stephen Touset stephen at squareup.com
Tue Jul 29 17:34:32 PDT 2014

On Jul 13, 2014, at 10:08 PM, Trevor Perrin <trevp at trevp.net> wrote:

> Another change:
> The recipient pubkey is included in the additional authenticated data
> for both box MACs.  This ensures that if the sender can decrypt a box,
> it must have been encrypted to the sender's pub key.

Do you mean for this to be protection against an active attacker (who can simply ignore the authentication tag), or only to indicate an accidental attempt to decrypt a box you don’t have access to? I think the ECDH is strong enough of a deterrent here, and avoids the asymmetry between the AAD using the client ephemeral key during one side of the handshake, and the server long-term key during the other side.

Stephen Touset
stephen at squareup.com
