Nice! Looks carefully thought out. Saltpack is similar to miniLock [1], it would be interesting to see a comparative analysis.
(I have a framework called "Noise" [2] that tackles a few of the same things, but is less similar - it's for DH-based protocols, but doesn't have multi-recipient support as a core feature.)

Some small observations:

(1) If two recipient public keys are identical, this fact would leak in the ciphertext. If I'm one of the recipients I could possibly use this to confirm guesses as to other recipients, by providing their public keys as mine.

(2) The MAC keys only depend on the static-static DH output, not the ephemeral-static DH output. So if I compromise Alice's private key, I can tamper with the ciphertext of messages she's previously produced. This would be easy to avoid, if the ephemeral-static DH outputs contributed to the MAC keys.

(3) On a similar note, it wouldn't hurt if the static-static DH outputs contributed to the key used for encrypting payloads. That *might* help in the case where a weak RNG is generating bad ephemeral private keys, but somehow the sender's static private key was good. But that's a pretty weird case.

Trevor

[1] https://github.com/kaepora/miniLock
[2] https://github.com/trevp/noise

On Tue, Feb 2, 2016 at 7:35 AM, Maxwell Krohn <[email protected]> wrote:
> Hi folks,
>
> We at keybase.io have taken a stab at the problem Adam Langley mentioned in
> his blog post on AEADs [1]: a simple and modern format for encryption or
> signing of large messages, that works well when streaming. It uses NaCl for
> Crypto and MessagePack for packing/unpacking binary structures.
> Additionally, we chose a base62 ASCII armoring to avoid the common manglings
> we've seen pasting PGP messages into various Web forms. We have a spec,
> library and implementations (in Go and Python) if anyone wants to take a
> look [2]. Not much non-testing code, only 2.5kLOC in Go. Comments and
> feedback are greatly appreciated. Otherwise, feel free to use it in your
> applications. The library is designed for easy integration, punting
> entirely on key management.
>
> Many thanks,
> Max & Jack
>
> [1] https://www.imperialviolet.org/2015/05/16/aeads.html
> [2] https://saltpack.org
>
> _______________________________________________
> Messaging mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/messaging
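To make observations (2) and (3) above concrete, here is an added, self-contained model of the two key-derivation choices. It is not Trevor's code and not the saltpack implementation: it uses a toy Diffie-Hellman group (a 127-bit Mersenne prime, assumed here as a stand-in for X25519, not secure) and a deliberately malleable SHA-256 counter stream cipher in place of NaCl, so that the per-recipient MAC is the only integrity protection, as in the scenario discussed. The attacker holds Alice's compromised static private key and a captured message (which carries the ephemeral public key), but not the discarded ephemeral private key or Bob's private key. All names and the message layout are assumptions for the illustration.

```python
"""Toy model: MAC key from static-static DH only vs. static-static + ephemeral-static.

Added example, not saltpack's own code. The DH group and stream cipher are
toys chosen so the example runs on the standard library alone.
"""
import hashlib
import hmac
import secrets

# Assumption: toy DH group, a stand-in for X25519. Fine for showing how the
# shared secrets are combined, NOT a secure choice of parameters.
P = 2**127 - 1
G = 5


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def dh(priv, pub):
    """Shared secret g^(ab) mod P, serialised to 16 bytes."""
    return pow(pub, priv, P).to_bytes(16, "big")


def kdf(label, *shared):
    """Derive a 32-byte key from a label and one or more DH outputs."""
    return hashlib.sha256(label + b"".join(shared)).digest()


def stream_xor(key, data):
    """Toy stream cipher (SHA-256 counter mode). Malleable on purpose: flipping a
    ciphertext bit flips the same plaintext bit, so only the MAC stops tampering."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(sender_priv, recipient_pub, plaintext, mac_uses_ephemeral):
    eph_priv, eph_pub = dh_keypair()
    ss = dh(sender_priv, recipient_pub)   # static-static DH output
    es = dh(eph_priv, recipient_pub)      # ephemeral-static DH output
    # Observation (3): the payload key takes both outputs, so a bad ephemeral
    # key alone does not make the payload key predictable.
    payload_key = kdf(b"payload", es, ss)
    # Observation (2): the MAC key either depends on ss only, or on ss and es.
    mac_key = kdf(b"mac", ss, es) if mac_uses_ephemeral else kdf(b"mac", ss)
    ct = stream_xor(payload_key, plaintext)
    tag = hmac.new(mac_key, eph_pub.to_bytes(16, "big") + ct, hashlib.sha256).digest()
    # eph_priv is discarded here; only eph_pub travels with the message.
    return {"eph_pub": eph_pub, "ct": ct, "tag": tag}


def decrypt(recipient_priv, sender_pub, msg, mac_uses_ephemeral):
    ss = dh(recipient_priv, sender_pub)
    es = dh(recipient_priv, msg["eph_pub"])
    mac_key = kdf(b"mac", ss, es) if mac_uses_ephemeral else kdf(b"mac", ss)
    expected = hmac.new(mac_key, msg["eph_pub"].to_bytes(16, "big") + msg["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return None  # MAC check failed: reject the message
    return stream_xor(kdf(b"payload", es, ss), msg["ct"])


def tamper(alice_priv, bob_pub, msg, mask):
    """Attacker with Alice's static private key and a captured message, who also
    knows or guesses the plaintext (e.g. as another recipient). They can recompute
    the static-static secret, but not the ephemeral-static one: that needs the
    discarded ephemeral private key or Bob's private key."""
    ss = dh(alice_priv, bob_pub)
    ct = bytes(x ^ y for x, y in zip(msg["ct"], mask))
    tag = hmac.new(kdf(b"mac", ss), msg["eph_pub"].to_bytes(16, "big") + ct,
                   hashlib.sha256).digest()
    return {"eph_pub": msg["eph_pub"], "ct": ct, "tag": tag}


def demo(mac_uses_ephemeral):
    """Returns what Bob recovers from the tampered message: the attacker's
    chosen plaintext if the forgery verifies, None if Bob rejects it."""
    alice_priv, alice_pub = dh_keypair()
    bob_priv, bob_pub = dh_keypair()
    plaintext = b"pay 100 to carol"          # constructed sample message
    msg = encrypt(alice_priv, bob_pub, plaintext, mac_uses_ephemeral)
    assert decrypt(bob_priv, alice_pub, msg, mac_uses_ephemeral) == plaintext
    target = b"pay 900 to mallo"             # same length as the plaintext
    mask = bytes(x ^ y for x, y in zip(plaintext, target))
    forged = tamper(alice_priv, bob_pub, msg, mask)
    return decrypt(bob_priv, alice_pub, forged, mac_uses_ephemeral)


if __name__ == "__main__":
    print("static-static only:      ", demo(mac_uses_ephemeral=False))
    print("static-static + eph-static:", demo(mac_uses_ephemeral=True))
```

With the MAC key derived from the static-static secret alone, the forgery verifies and Bob recovers the attacker's text; once the ephemeral-static secret is folded into the MAC key, the same attacker, holding the same compromised key and the same captured message, cannot produce a tag Bob accepts, because the ephemeral private key no longer exists anywhere.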
