Hi Michael,
Michael Rogers wrote:
> If we're concerned with the server choosing its public material in such a way as to bias the entropy extraction, does that mean that in this case, the attacker is the server, and therefore the server's public material shouldn't be included in the salt?
In a one-way authenticated key exchange we only need to consider adversaries that attempt to impersonate the server. So, yes, we're considering the case where the attacker plays the server role and we're saying that unauthenticated material from the server should not be included in the salt.
Previous versions of prop269 included the server ephemeral shares in the salt, we've removed those in this version.
The remaining values in the salt are:
- the server's identity digest,
- the server's onion key, and
- ephemeral shares from the client.
All of these values are authentic from the client's perspective.
Since we're not including the server shares in the salt, we also had to switch from sending 'auth' to sending HMAC(auth, transcript) in the server response.
Cheers, John
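As an added illustration (not part of the thread and not the prop269 specification or the Tor code base), the following Python sketch shows the shape of what John describes: the KDF salt is assembled only from values the client trusts or chose itself (identity digest, onion key, client shares), the server's ephemeral share is left out of the salt, and the server proves it derived the same keys by returning HMAC(auth, transcript) rather than the bare 'auth' value. HKDF-Extract/Expand with SHA-256 are implemented directly from RFC 5869 on the standard library; the field layout, labels, the `build_salt`/`derive_keys`/`server_auth_tag` names and the stand-in for the DH/KEM outputs are all assumptions made for this example.

```python
import hashlib
import hmac
import os

# Assumed layout for illustration only; prop269 defines its own encoding,
# labels and shared-secret construction.


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256 (T(i) = HMAC(PRK, T(i-1) | info | i))."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def build_salt(server_id_digest: bytes, server_onion_key: bytes, client_shares: bytes) -> bytes:
    """The salt contains only material that is authentic from the client's view.

    The server's ephemeral shares are deliberately absent: an impersonating
    server could otherwise choose them to influence the extraction step.
    """
    return server_id_digest + server_onion_key + client_shares


def derive_keys(salt: bytes, shared_secrets: bytes) -> tuple[bytes, bytes]:
    """Extract a PRK under the client-authentic salt, then expand auth and session keys."""
    prk = hkdf_extract(salt, shared_secrets)
    auth_key = hkdf_expand(prk, b"example-auth", 32)
    session_key = hkdf_expand(prk, b"example-session", 32)
    return auth_key, session_key


def server_auth_tag(auth_key: bytes, transcript: bytes) -> bytes:
    """Server response: HMAC(auth, transcript) instead of sending 'auth' itself.

    Binding the tag to the transcript (which includes the server's shares)
    is what replaces the role those shares used to play in the salt.
    """
    return hmac.new(auth_key, transcript, hashlib.sha256).digest()


def client_verify(auth_key: bytes, transcript: bytes, tag: bytes) -> bool:
    """Client recomputes the tag over the transcript it observed and compares in constant time."""
    return hmac.compare_digest(server_auth_tag(auth_key, transcript), tag)


def demo(tamper_transcript: bool = False) -> bool:
    """Run one constructed exchange; returns True if the client accepts the server's tag.

    With tamper_transcript=True the client's view of the server share differs
    from what the server authenticated, so verification must fail.
    """
    # Constructed sample values; not real Tor identities or keys.
    server_id_digest = hashlib.sha256(b"constructed server identity").digest()
    server_onion_key = b"\x01" * 32
    client_shares = os.urandom(32)
    server_shares = os.urandom(32)
    # Stand-in for the concatenated DH/KEM outputs that both sides agree on.
    shared_secrets = hashlib.sha256(client_shares + server_shares).digest()

    salt = build_salt(server_id_digest, server_onion_key, client_shares)
    auth_key, _session_key = derive_keys(salt, shared_secrets)

    # Transcript covers everything exchanged, including the server's shares.
    transcript_as_sent = salt + server_shares
    tag = server_auth_tag(auth_key, transcript_as_sent)

    observed_share = bytes(32) if tamper_transcript else server_shares
    return client_verify(auth_key, salt + observed_share, tag)


if __name__ == "__main__":
    print("honest exchange accepted:", demo())
    print("altered transcript accepted:", demo(tamper_transcript=True))
```

The two `demo` runs show the property in miniature: a server that derived the same keys produces a tag the client accepts, while any mismatch between what the server authenticated and what the client saw (here, a changed server share) is rejected, even though the server's share never entered the salt.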