[noise] Noise XK 5 should be a 4?

Trevor Perrin trevp at trevp.net
Mon Apr 29 20:56:04 PDT 2019

On Mon, Apr 29, 2019 at 6:22 PM david wong <davidwong.crypto at gmail.com> wrote:
> I think my brain is farting, but shouldn't XK's last message provide a 4 in dest payload security?

I think the spec is right (5).

> You can send your own e as the server's response and the client's last handshake payload will have weak forward secrecy

Forging the responder (server)'s response requires knowledge of either
the responder's static private key or the initiator's ephemeral
private key.

In the messages marked 5 the sender has authenticated the recipient's
ephemeral using their own (sender) ephemeral and the recipient's
static key, so there are no "weak forward secrecy" issues.
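
The point about forging the responder's response, as an added toy model that is not part of the original message or of any Noise implementation. It assumes a finite-field DH and HMAC as stand-ins for Noise's DH, MixKey() and AEAD tag; all function names and the `writer` labels are hypothetical.

```python
import hashlib, hmac, secrets

# Toy finite-field DH (constructed for illustration, NOT secure and not Noise's DH).
P, G = 2**255 - 19, 5

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(32, "big")

def msg2_key(es, ee):
    # Simplified stand-in for MixKey(es) then MixKey(ee): XK message 1 carries
    # "e, es" and message 2 carries "e, ee", so both feed the message 2 key.
    ck = hmac.new(b"XK-toy", es, hashlib.sha256).digest()
    return hmac.new(ck, ee, hashlib.sha256).digest()

def tag(key, payload):
    # HMAC standing in for the AEAD tag on the message 2 payload.
    return hmac.new(key, payload, hashlib.sha256).digest()

def initiator_accepts(writer):
    """Does the initiator accept a message 2 produced by `writer`?"""
    s_r, S_r = keypair()   # responder static; the initiator knows S_r in XK
    e_i, E_i = keypair()   # initiator ephemeral, sent in message 1
    e_w, E_w = keypair()   # ephemeral chosen by whoever writes message 2
    if writer in ("responder", "has_responder_static"):
        es = dh(s_r, E_i)              # responder static private key
    elif writer == "has_initiator_ephemeral":
        es = dh(e_i, S_r)              # initiator ephemeral private key
    else:
        es = dh(e_w, S_r)              # public values only: cannot form es
    payload = b"constructed payload"
    sent_tag = tag(msg2_key(es, dh(e_w, E_i)), payload)
    # Initiator side: es uses its own ephemeral and the responder's static.
    expected = tag(msg2_key(dh(e_i, S_r), dh(e_i, E_w)), payload)
    return hmac.compare_digest(sent_tag, expected)

if __name__ == "__main__":
    for w in ("responder", "public_only", "has_responder_static",
              "has_initiator_ephemeral"):
        print(w, initiator_accepts(w))
```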

