[noise] A Noise-based protocol for signatures?

Alex alex at centromere.net
Tue Jul 19 07:00:40 PDT 2016

On Tue, 19 Jul 2016 13:39:26 +0000
Paul Chiusano <paul.chiusano at gmail.com> wrote:

> To verify, Alice reads the keypair, which is in the clear, then runs
> the rest of the handshake using my static public key, then decrypts
> the message. Due to the dhss token, decryption should fail unless the
> sender really was me or someone with my private key, right?

What if the message is passively intercepted by Mallory? She could then
run the rest of the handshake herself and derive the same pair of TX/RX
symmetric keys as Alice would, thus making your secure channel
completely broken.

> Is this secure? The full keypair for the "dummy" recipient is
> transmitted in the clear as part of the signature, so does knowledge
> of that private key and the signature leak any information about my
> private key? And how easy would it be for someone to forge a
> signature?

There are no signatures in Noise at this time. The purpose of the
protocol is to securely negotiate a pair of symmetric keys.

> And if both these are bad ideas, is there any proposal for doing
> digital signatures in Noise that would have good security properties?
> The key is that I would like something non-interactive, which can be
> verified by anyone with knowledge of the signer public key.

All three non-interactive handshakes require the recipient to have a
static key and the sender to have knowledge of it. If your goal is to
provide authenticated messages without confidentiality, then I don't
think Noise is the right choice.


More information about the Noise mailing list