Re: Encrypting to a public key?

From: Cy
Subject: Re: Encrypting to a public key?
Date: Wed, 8 Jul 2020 06:39:26 +0000
On Tue, 7 Jul 2020 22:07:38 +0200
"Schanzenbach, Martin" <mschanzenbach@posteo.de> wrote:
> That would allow you to change P_alice periodically
I would even have the "static" key update periodically, by publishing new ones to something like
gnunet://fs/sks/EB57HGC1FW5TPBTV4SZJWYPBX6H7F6CRMTCD6SS1T02FW37RC6KG/encryption_key
that could be polled now and again.
> Note that this eventually leads to an axolotl-style ratchet:
> https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm We use that for CADET.
The double ratchet algorithm would be pretty cool. That's where you do a new DH exchange under the old shared secret, every X messages, as the first ratchet. And hash the shared secret to get a new one with every single message, as the second ratchet, right?
> except that you can just send the (ephemeral) P_alice along with ENC(shared secret, message).
But wait, couldn't Alice start out using her static ECDSA key too? That way Bob would know who is messaging him, and Alice could then do the DH ratchet thing to switch to an ephemeral key.
Still not sure why everything in gnunet uses EdDSA to sign, but gnunet-identity keys are ECDSA. Are they trying to say that ECDSA is bad for signing, and only good for a DH exchange? Then why are gnunet-identity keys ECDSA? SKS records are signed, aren't they? I remember someone explaining it to me once, but I just couldn't hold it in my head.
> The result of the ECDH is already a shared secret. In GNUnet, it is a 512-bit hash. This could be used as a 512-bit AES key.
> But, usually you use that to derive a key by adding a salt, like "my-application-salt".
So that Alice and Bob can't... have the same shared secret for two applications? Like if I use "totallysecureapp1.exe" it won't start sending my shared secrets for "actuallysecureapp.c" to the KGB? Wouldn't the two applications have different ECDSA keys though? I guess they wouldn't be at first, if you always start from two known static keys.
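Added example (not code from the thread or from GNUnet) illustrating the two points discussed above: running one ECDH output through HKDF with a per-application salt yields unrelated keys for each application, and a hash chain over the result gives the per-message ratchet Cy describes. The 64-byte shared secret and the salt strings are constructed stand-ins, not values from a real exchange.

```python
import hmac

# Constructed stand-in for the 512-bit ECDH output the thread mentions; a real
# deployment takes this from the actual key exchange, never from a fixed string.
SHARED_SECRET = bytes(range(64))


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32, hash_name: str = "sha512") -> bytes:
    """RFC 5869 HKDF: HMAC-extract with the salt, then HMAC-expand with the info string."""
    prk = hmac.new(salt, ikm, hash_name).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_app_key(shared_secret: bytes, app_salt: str) -> bytes:
    """Bind the shared ECDH secret to one application: a different salt gives an
    unrelated key, so one application's key reveals nothing about another's."""
    return hkdf(shared_secret, app_salt.encode(), b"root-key")


def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric (hash) ratchet step: derive the next chain key and this message's
    key from the current chain key; the caller then discards the old chain key."""
    next_chain = hmac.new(chain_key, b"\x01", "sha512").digest()
    message_key = hmac.new(chain_key, b"\x02", "sha512").digest()[:32]
    return next_chain, message_key


def message_keys(root_key: bytes, count: int) -> list[bytes]:
    """Walk the chain `count` steps, returning one distinct message key per message."""
    keys, chain = [], root_key
    for _ in range(count):
        chain, mk = ratchet_step(chain)
        keys.append(mk)
    return keys


if __name__ == "__main__":
    k1 = derive_app_key(SHARED_SECRET, "totallysecureapp1")  # constructed salt
    k2 = derive_app_key(SHARED_SECRET, "actuallysecureapp")  # constructed salt
    print("per-application keys differ:", k1 != k2)
    print("per-message keys all distinct:", len(set(message_keys(k1, 5))) == 5)
```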