[noise] MAC'ing recipient public key

Stephen Touset stephen at squareup.com
Wed Jul 30 10:56:34 PDT 2014

On Jul 29, 2014, at 7:03 PM, Trevor Perrin <trevp at trevp.net> wrote:

> On Tue, Jul 29, 2014 at 5:34 PM, Stephen Touset <stephen at squareup.com> wrote:
>> On Jul 13, 2014, at 10:08 PM, Trevor Perrin <trevp at trevp.net> wrote:
>>> Another change:
>>> The recipient pubkey is included in the additional authenticated data
>>> for both box MACs.  This ensures that if the sender can decrypt a box,
>>> it must have been encrypted to the sender's pub key.
>> Do you mean for this to be protection against an active attacker (who can simply ignore the authentication tag), or only to indicate an accidental attempt to decrypt a box you don’t have access to?
> I garbled my explanation.
> It's a property of some elliptic curve systems that your public key
> might be representable as a few different values (this has to do with
> "cofactors"...).   So I could encrypt something that you can decrypt
> even if some weirdo in the middle changed your public key to a
> different representation that you didn't immediately recognize as your
> public key.
> That's often ignored and doesn't really amount to an attack, but it's
> annoying so it's good to "bind" all the public keys some way, such as
> including them in the MAC or encryption.

Ah, thanks. That makes sense. It *looks* like I may have been wrong about the asymmetry between client/server communications. Am I correct in my reading of the spec now that *both* times you include the recipient’s ephemeral public key in the AAD (and not their long-term key)?

Stephen Touset
stephen at squareup.com

More information about the Noise mailing list