[noise] A Noise-based protocol for signatures?
Alex
alex at centromere.net
Tue Jul 19 08:03:48 PDT 2016
On Tue, 19 Jul 2016 14:24:17 +0000
Paul Chiusano <paul.chiusano at gmail.com> wrote:
> > What if the message is passively intercepted by Mallory? She could
> > then
> run the rest of the handshake herself and derive the same pair of
> TX/RX symmetric keys as Alice would, thus making your secure channel
> completely broken.
>
> That is totally fine. Mallory can also verify the "signature" too if
> she wants. I don't care about transmitting the signature under
> encryption.
>
Messages in Noise aren't signed. There is no signature to verify. In
your setup, Mallory would be able to impersonate you because she will
derive the same TX/RX keys as Alice.
> Think of the use case - I publish a message somewhere public on the
> internet, and others would like to verify the message was produced by
> someone with my private key. So I include after the message a
> "signed" hash of it, using the protocol I gave. We assume that
> verifiers have out-of-band knowledge of my corresponding public key.
>
If that is your goal, I don't think Noise is what you want. You'll want
to look in to Ed25519, ECDSA, etc.
--
Alex
More information about the Noise
mailing list