[noise] A Noise-based protocol for signatures?

Paul Chiusano paul.chiusano at gmail.com
Tue Jul 19 06:39:26 PDT 2016

Hi there,

I'd like a protocol enabling anyone to verify, non-interactively, and using
only the signer public key, that a message was produced by someone with
knowledge of the corresponding Noise private key. Is this possible?

I am a crypto newbie so apologies if this is a silly question, or if the
suggestion I give below is catastrophically stupid or insecure. :)

I was looking at the one-way patterns here:

Specifically, this one:

Noise_K(s, rs):
  -> s
  <- s
  -> e, dhes, dhss

Suppose I generate a "dummy" keypair for the recipient, then output that in
the clear, then complete the rest of the handshake, where the message I
wish to "sign" is just the encrypted payload after the -> e, dhes, dhss.

To verify, Alice reads the keypair, which is in the clear, then runs the
rest of the handshake using my static public key, then decrypts the
message. Due to the dhss token, decryption should fail unless the sender
really was me or someone with my private key, right?

Is this secure? The full keypair for the "dummy" recipient is transmitted
in the clear as part of the signature, so does knowledge of that private
key and the signature leak any information about my private key? And how
easy would it be for someone to forge a signature?

Another variation on this idea would be to have the "dummy" keypair be
prearranged, so the signer doesn't get to pick it.

And if both these are bad ideas, is there any proposal for doing digital
signatures in Noise that would have good security properties? The key is
that I would like something non-interactive, which can be verified by
anyone with knowledge of the signer public key.

Paul :)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160719/a02b8742/attachment.html>

More information about the Noise mailing list