Implement Correct Signature Construction #59
Reference: cwtch.im/cwtch#59
I thought the code was already aligned with the Paper on this, but it wasn't. This change implements the signature construction as described in the latest version of the paper - we bind signatures to the group id, server and the ciphertext, meaning it's impossible to reuse signatures in another context unless all 3 are the same (in which case the attack fails because the peer you are trying to trick has access to the full conversation log anyway).

```go
signature := p.SignMessage(message + groupID + group.GroupServer + strconv.Itoa(int(timestamp)) + string(ciphertext))
```
Still seems to disagree with the paper's

```
c  ←$ Enc(kg, GM)
cm ←$ Ig || Sg || c
s  ←$ Sig(sk, cm)
----> cs
```
I updated the signature construction this morning after thinking through the paper more, it's now much simpler and aligns with the paper.
lgtm
Can you add a diagram of GM construction to the paper tho please in 3.3
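The construction quoted from the paper above (cm = Ig || Sg || c, s = Sig(sk, cm)), worked through as an added example that is not code from this PR or from the cwtch project. It uses Go's standard ed25519 in place of whatever signing primitive cwtch's `SignMessage` wraps, a constructed fixed seed so the run is deterministic, and length-prefixes each field of cm; the length prefixes are this example's own addition (the page shows plain concatenation) and exist so that two different (group, server, ciphertext) triples cannot serialise to the same cm. The point it demonstrates is the binding described in the PR: a signature verifies only when the receiver's group id, server and ciphertext are all the ones the sender signed over.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Constructed 32-byte seed so the example is deterministic; a real peer
// would generate its long-term key with crypto/rand.
var exampleSeed = []byte("cwtch-signature-example-seed-32b")

// contextMessage builds cm = Ig || Sg || c from the paper's construction.
// Each field is length-prefixed (this example's addition, not something the
// page shows) so that "ab"||"c" and "a"||"bc" cannot produce the same cm.
func contextMessage(groupID, server string, ciphertext []byte) []byte {
	var cm []byte
	for _, field := range [][]byte{[]byte(groupID), []byte(server), ciphertext} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		cm = append(cm, n[:]...)
		cm = append(cm, field...)
	}
	return cm
}

// signGroupMessage produces s = Sig(sk, cm) for the sender's context.
func signGroupMessage(sk ed25519.PrivateKey, groupID, server string, ciphertext []byte) []byte {
	return ed25519.Sign(sk, contextMessage(groupID, server, ciphertext))
}

// verifyGroupMessage rebuilds cm from the context the receiver believes it is
// in (its own group id and server, plus the ciphertext it actually received)
// and checks the signature against that, so a signature lifted from another
// group, another server, or a different ciphertext does not verify.
func verifyGroupMessage(pk ed25519.PublicKey, groupID, server string, ciphertext, sig []byte) bool {
	return ed25519.Verify(pk, contextMessage(groupID, server, ciphertext), sig)
}

func main() {
	sk := ed25519.NewKeyFromSeed(exampleSeed)
	pk := sk.Public().(ed25519.PublicKey)
	ct := []byte("constructed ciphertext bytes") // stands in for c = Enc(kg, GM)

	sig := signGroupMessage(sk, "group-A", "server.onion", ct)
	fmt.Println("same context:      ", verifyGroupMessage(pk, "group-A", "server.onion", ct, sig))
	fmt.Println("other group:       ", verifyGroupMessage(pk, "group-B", "server.onion", ct, sig))
	fmt.Println("other server:      ", verifyGroupMessage(pk, "group-A", "other.onion", ct, sig))
	tampered := append(append([]byte{}, ct...), 'x')
	fmt.Println("tampered ciphertext:", verifyGroupMessage(pk, "group-A", "server.onion", tampered, sig))
}
```

Only the first check prints `true`; the other three fail because the receiver rebuilds cm from its own view of the context, which is exactly the reuse-across-contexts case the PR description says the new construction rules out.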