boltlabs-inc / key-mgmt-spec

Formal specification for the key management project
MIT License

Adjust secure channel to use MACs instead of additional layer of encryption #68

Closed indomitableSwan closed 2 years ago

indomitableSwan commented 2 years ago

The current design uses an additional layer of encryption for messages passed between client and server. This encryption is used after completion of the OPAQUE handshake and is secured under a key K, where K is a key derived from the shared key that is output from this handshake.

I propose we modify this construction by replacing this layer of encryption with a MAC under the derived key K instead. This design preserves the mutual authentication properties of the original. The consequence of this is that a vulnerability in TLS may affect confidentiality, but not mutual authentication. Given our context, I think this is a reasonable tradeoff that should improve performance. Which is to say, a vulnerability in TLS should not lead to loss of funds/key misuse, which is our primary concern.
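The construction proposed above, as an added example that is not part of the issue or of the key-mgmt-spec repository: a MAC-only integrity layer running over an already encrypted TLS connection. It assumes the OPAQUE handshake has completed and both sides hold the same shared key (OPAQUE itself is not implemented; a constructed byte string stands in for its output), that K is derived from that shared key with HKDF-SHA256 and split into one HMAC key per direction, and that each frame carries a sequence number so replay and reordering are caught. The HKDF labels, the frame layout and the `MacChannelEndpoint` API are hypothetical choices for illustration, not anything the spec fixes.

```python
"""Added example: MAC-authenticated channel over TLS (not project code).

Hypothetical assumptions: the OPAQUE handshake is done and `shared_key`
is its output; K is derived with HKDF-SHA256 and split per direction so
a frame can never be reflected back to its sender; an 8-byte big-endian
sequence number is bound into the MAC. Confidentiality is left to TLS.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length
SEQ_LEN = 8


class ChannelError(Exception):
    """Raised when a frame fails the MAC or sequence check."""


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256 (length <= 255 * 32)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_direction_keys(shared_key: bytes) -> tuple:
    """Derive K from the handshake output, then one MAC key per direction.
    The salt and info labels are hypothetical; a spec would fix them."""
    prk = hkdf_extract(b"key-mgmt mac channel v0", shared_key)
    return (hkdf_expand(prk, b"client->server", TAG_LEN),
            hkdf_expand(prk, b"server->client", TAG_LEN))


class MacChannelEndpoint:
    """One side of the channel. Frame layout: seq(8) || tag(32) || payload."""

    def __init__(self, shared_key: bytes, is_client: bool):
        k_c2s, k_s2c = derive_direction_keys(shared_key)
        self.send_key, self.recv_key = (k_c2s, k_s2c) if is_client else (k_s2c, k_c2s)
        self.send_seq = 0
        self.recv_seq = 0

    @staticmethod
    def _tag(key: bytes, seq: int, payload: bytes) -> bytes:
        # The MAC binds sequence number and payload together.
        return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        seq = self.send_seq
        self.send_seq += 1
        return struct.pack(">Q", seq) + self._tag(self.send_key, seq, payload) + payload

    def open(self, frame: bytes) -> bytes:
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ChannelError("frame too short")
        seq = struct.unpack(">Q", frame[:SEQ_LEN])[0]
        tag = frame[SEQ_LEN:SEQ_LEN + TAG_LEN]
        payload = frame[SEQ_LEN + TAG_LEN:]
        # Check the MAC first, in constant time, before trusting the header.
        if not hmac.compare_digest(tag, self._tag(self.recv_key, seq, payload)):
            raise ChannelError("bad MAC")
        if seq != self.recv_seq:
            raise ChannelError(f"unexpected sequence number {seq}, wanted {self.recv_seq}")
        self.recv_seq += 1
        return payload


# Constructed stand-in for the OPAQUE session key (not a real handshake output).
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def rejects(endpoint: MacChannelEndpoint, frame: bytes) -> bool:
    try:
        endpoint.open(frame)
    except ChannelError:
        return True
    return False


def demo() -> dict:
    """Honest path plus the frame manipulations the MAC layer must reject."""
    client = MacChannelEndpoint(SHARED_KEY, is_client=True)
    server = MacChannelEndpoint(SHARED_KEY, is_client=False)
    frame = client.seal(b"sign request: tx 42")
    results = {"honest_round_trip": server.open(frame) == b"sign request: tx 42"}
    # This layer gives no confidentiality: the payload is in the clear here.
    results["payload_visible_without_tls"] = b"tx 42" in frame
    # An attacker who can alter TLS plaintext flips one payload byte.
    results["tamper_rejected"] = rejects(server, frame[:-1] + bytes([frame[-1] ^ 1]))
    # The same frame delivered twice fails the sequence check.
    results["replay_rejected"] = rejects(server, frame)
    # A frame reflected to its own sender fails under the per-direction key.
    results["reflection_rejected"] = rejects(client, frame)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point the issue makes falls out of the `payload_visible_without_tls` result: with the encryption layer removed, a break in TLS exposes message contents, but an attacker who can only alter, replay or reflect plaintext still cannot produce a frame that either endpoint accepts, because every accepted frame was tagged under the direction key derived from the OPAQUE output.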