I made a cursed thing in response to a @neilmadden blog post

https://github.com/soatok/x3mac

@soatok

thank you i hate this.

@sarahjamielewis @soatok

(Looks at GitHub)

"Is this really insecure?

Not in any obvious way, no.
[...]
Also, I wrote it in PHP."

You absolute MONSTER! 🤣

@soatok @neilmadden neat concept honestly from an operational security perspective.
Alice is in a hostile environment and communicating with Bob. Even if encryption to Bob were to be considered failed, Alice would have deniability unless first-party keys were compromised.
Still very cursed in practice though. Receiver's key compromised likely means signing/verification mechanism compromise. Although Bob could theoretically have tighter control on verification key than receiving keys.

@soatok @neilmadden thank you for this.

my evening will soon be ruined by thoughts on this cursed edge case of an opsec model

@soatok looks a lot like a Noise_K pattern using the shared key to verify the message HMAC (?). Doesn’t seem like you’d get too much cryptographer side-eye for that. Neil did mention using auth KEM for something similar, right? I kinda like it a lot.