[noise] A Noise-based protocol for signatures?

Alex alex at centromere.net
Tue Jul 19 08:03:48 PDT 2016

On Tue, 19 Jul 2016 14:24:17 +0000
Paul Chiusano <paul.chiusano at gmail.com> wrote:

> > What if the message is passively intercepted by Mallory? She could
> > then  
> run the rest of the handshake herself and derive the same pair of
> TX/RX symmetric keys as Alice would, thus making your secure channel
> completely broken.
> That is totally fine. Mallory can also verify the "signature" too if
> she wants. I don't care about transmitting the signature under
> encryption.

Messages in Noise aren't signed. There is no signature to verify. In
your setup, Mallory would be able to impersonate you because she will
derive the same TX/RX keys as Alice.

> Think of the use case - I publish a message somewhere public on the
> internet, and others would like to verify the message was produced by
> someone with my private key. So I include after the message a
> "signed" hash of it, using the protocol I gave. We assume that
> verifiers have out-of-band knowledge of my corresponding public key.

If that is your goal, I don't think Noise is what you want. You'll want
to look in to Ed25519, ECDSA, etc.


More information about the Noise mailing list