[noise] Why encrypted keys are authenticated?

Loup Vaillant David loup at loup-vaillant.fr
Tue May 14 01:22:15 PDT 2019

> > (Honest question: does the attack above look like it would work? It
> > only takes one such example to settle the issue once and for all.)
> Sure, if the app inspects the public key after it's decrypted but
> before it's authenticated you'd have to worry about things like that.

OK, so that's one attack…

> I'm not sure X25519 functions consistently treat the other party's
> public key as a "secret input", that's kind of an edge case.  For
> example, some X25519 implementations will behave differently (return
> an error value) if given a small-order public key, and public-key
> validation is also common for some other types of public keys.

…Aaand that's two. I believe  Libsodium does such validation.

Okay, I give up. Moxie was right: I'm doomed. You were right: we need
those "redundant" tags.

> So I'm not sure your reasoning about "constant time" crypto code
> making this safe is correct.

It was not. I was assuming too much, based on one implementation only
(my own). I should have known better: DJB himself designed his curve in
a way that mitigates some classes of leaks. You did the same with
Noise, and so should I have.


More information about the Noise mailing list