[noise] Security Assumptions for Noise Pre-Messages

[Andris]

Hi Trevor

> So they don't really have security properties in the same way as the
> other messages. How they were distributed might have security
> properties
Right. I guess my question might have been unclear. What I wanted to know was what kind of properties Noise requires from this distribution method, whatever it may be.

> I think of the pre-messages as an assumption about the authentic
> knowledge [...]
This sounds to me as if there is some form of authenticity assumption there. Although I might be misunderstanding it. 

However,
> [...] (maybe they were sent in clear, maybe encrypted, etc), but from the
> perspective of the protocol that's using the pre-message keys we can't
> say anything about how that was done.
seems to indicate, that this is not the case. At a second glance, this also seems to suffice and therefore be the safest approach.

Andris


​Sent with ProtonMail Secure Email.​

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On July 20, 2018 5:24 AM, Trevor Perrin <trevp at trevp.net> wrote:

> On Fri, Jul 13, 2018 at 2:13 PM, Andris 4FWkKLqzVVJWx6E at protonmail.com wrote:
> 
> > Hi all,
> > 
> > I have been struggling with this for a while now and haven't been able to
> > 
> > come up with an entirely satisfying answer. Also, it would be useful to have
> > 
> > a more official guidance.
> > 
> > My question is: What security properties can be assumed to hold for keys in
> > 
> > pre-messages?
> 
> Hi Andris,
> 
> I think of the pre-messages as an assumption about the authentic
> 
> knowledge that exists before the protocol starts. So they don't
> 
> really have security properties in the same way as the other messages.
> 
> How they were distributed might have security properties (maybe they
> 
> were sent in clear, maybe encrypted, etc), but from the perspective of
> 
> the protocol that's using the pre-message keys we can't say anything
> 
> about how that was done.
> 
> Now sure how satisfying an answer this is?
> 
> Trevor