[noise] Why encrypted keys are authenticated?
Loup Vaillant David
loup at loup-vaillant.fr
Tue May 14 01:22:15 PDT 2019
> > (Honest question: does the attack above look like it would work? It
> > only takes one such example to settle the issue once and for all.)
>
> Sure, if the app inspects the public key after it's decrypted but
> before it's authenticated you'd have to worry about things like that.
OK, so that's one attack…
> I'm not sure X25519 functions consistently treat the other party's
> public key as a "secret input", that's kind of an edge case. For
> example, some X25519 implementations will behave differently (return
> an error value) if given a small-order public key, and public-key
> validation is also common for some other types of public keys.
…Aaand that's two. I believe Libsodium does such validation.
Okay, I give up. Moxie was right: I'm doomed. You were right: we need
those "redundant" tags.
> So I'm not sure your reasoning about "constant time" crypto code
> making this safe is correct.
It was not. I was assuming too much, based on one implementation only
(my own). I should have known better: DJB himself designed his curve in
a way that mitigates some classes of leaks. You did the same with
Noise, and so should I have.
Loup.
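The ordering this thread settles on (check the tag first, and only then decrypt and validate the public key), as an added example that is not from the post or from Noise itself: a pure-Python RFC 7748 ladder with the all-zero small-order check, behind a toy encrypt-then-MAC wrapper. Assumptions: a SHA-256 pad and HMAC stand in for a real AEAD, and the wrapping key is used once.

```python
import hashlib
import hmac

P = 2**255 - 19          # Curve25519 field prime
A24 = 121665             # (A - 2) / 4 for A = 486662
BASE = (9).to_bytes(32, "little")

def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248; k[31] &= 127; k[31] |= 64      # scalar becomes a multiple of 8
    return int.from_bytes(k, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. A small-order u yields an all-zero output."""
    n = _clamp(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (n >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _pad(key: bytes) -> bytes:
    # Toy one-time keystream for a single 32-byte message (assumption: single-use key).
    return hashlib.sha256(key + b"stream").digest()

def seal_pubkey(key: bytes, pk: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the ciphertext of the public key."""
    ct = bytes(a ^ b for a, b in zip(pk, _pad(key)))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def open_pubkey(key: bytes, my_sk: bytes, blob: bytes):
    """Returns (status, shared_secret). The tag check comes BEFORE any key inspection."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return "bad tag", None             # unauthenticated bytes never reach x25519
    pk = bytes(a ^ b for a, b in zip(ct, _pad(key)))
    ss = x25519(my_sk, pk)
    if ss == bytes(32):                    # RFC 7748 all-zero (small-order) check
        return "small-order key", None
    return "ok", ss
```

Without the tag, a modified ciphertext would be decrypted and fed to the validation step, so the accept/reject outcome would depend on attacker-controlled input; with the tag checked first, validation only ever sees the sender's real key.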