Closed FiloSottile closed 4 years ago
Hello, I noticed this tool is using x/crypto/poly1305 with a key that seems only derived from public and private key. Poly1305 as implemented by x/crypto/poly1305 can't be used twice with the same key, or its whole security collapses. It's possible this tool allows trivial forgeries once an attacker observes two messages.
Hi Filippo, thanks for pointing this out. There is a new ephemeral key pair generated with every encryption (https://github.com/danielhavir/go-ecies/blob/master/ecies.go#L125). The KDF derives the Poly1305 key from the generated ephemeral private key and the provided public key. The ephemeral public key is then serialized along with the encrypted message. Therefore, the key should never be used twice, as the probability of collision is very small. Am I missing something?
Ah, yes, I missed the part where the local keypair is always ephemeral. Sorry for the noise.