[noise] Why encrypted keys are authenticated?

David Wong davidwong.crypto at gmail.com
Tue May 14 08:27:31 PDT 2019

>  I was wondering if we
> could reasonably omit that authentication tag without losing any
> security. I believe we can, but I wanted to make sure I didn't miss
> anything.

I was actually wondering the same thing when I designed Disco, where it is way more simple to omit the authentication tag. For example in this message:

   <- e, ee, s, es

I wanted to wait until the payload to send an authentication tag.
In the end it’s easier to model the protocol with the authentication tag. But that’s still an interesting question nonetheless.


More information about the Noise mailing list