
I'm building a project using libsodium's AEAD + Key Exchange system and want to write a proof justifying the security of the project. I am wondering if I can find a source detailing the exact security definition libsodium's Key Exchange system satisfies.

I know the textbook definition of IND-CCA2 and that AEAD satisfies it, but I'm not sure how to formalize the "combined" security of AEAD using a secret key generated from a Key Exchange algorithm.

More specifically, I'm interested in a proof of the non-existence of a "backdoor" public key that, when exchanged with a private key and then used in encryption, would leak information about that private key.

abacaba
  • The answer to the question of 'is it secure?' is yes assuming you use crypto_kx and not just crypto_scalarmult or crypto_box, which don't include the public keys for shared secret/key derivation. This can be a vulnerability, which doesn't seem to be very well known. – samuel-lucas6 Jul 22 '22 at 17:53
  • Thank you! Is there a formal security definition of which adversary it is secure against? I'm mostly interested in the case of a very active adversary that can observe existing public keys and do key exchange with honest users. – abacaba Jul 22 '22 at 18:47
  • I have added some clarification about the problem. – abacaba Jul 22 '22 at 19:14
  • There are weak public keys for X25519, but libsodium rejects them. That affects shared secrets though, not leaking someone's private key, which shouldn't be possible. However, you can leak an Ed25519 private key when signing a message with the correct public key and then an incorrect public key. – samuel-lucas6 Jul 23 '22 at 09:48
  • Thank you so much for the detailed reply! Is there, to your knowledge, a formal proof justifying the "shouldn't be possible"? – abacaba Jul 24 '22 at 00:56
  • Perhaps read this. There's probably something in the Curve25519 paper. – samuel-lucas6 Jul 24 '22 at 09:29
  • Thank you so much for your comments! – abacaba Jul 24 '22 at 21:19

0 Answers