[noise] Pre-shared Secret - preventing DoS, and ensuring post-quantum PFS

Tony Arcieri bascule at gmail.com
Wed Nov 11 15:34:16 PST 2015


On Wed, Nov 11, 2015 at 3:22 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:

> This provides DoS defense, so that an attacker can not force a server to
> compute any DH operations, unless he has the pre-shared secret. Without
> this mitigation, Noise is very very DoS-able.
>
Two things:

1) TLS is very much more DoSable than Noise (due to e.g. RSA signatures,
and most people using RSA). In practice you'll want layer 3/4 mechanisms to
mitigate such a DoS.
2) This does NOT provide post-quantum PFS. That would mean that if the PSK
leaked, and someone built a large quantum computer, you'd still have PFS.
This would not be the case with your construction.

The only way to attain post-quantum PFS is with a post-quantum D-H-alike
key exchange algorithm (e.g. NTRU or Ring-LWE).

-- 
Tony Arcieri
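As an added illustration of the two points in the exchange above (not code from the thread, from Noise, or from either author), this Python sketch models a PSK-gated handshake in a toy DH group. The group parameters, the HMAC tag format and the KDF are constructed here for illustration; brute-force discrete log in the tiny group stands in for a large quantum computer, showing that a leaked PSK plus a broken DH recovers the session key from a recorded transcript.

```python
import hashlib
import hmac

# Toy safe-prime group (constructed for illustration only). Brute-force discrete
# log in a group this small stands in for a quantum adversary running Shor.
P, G = 1019, 2
STATS = {"dh_ops": 0}  # counts server-side DH work, to make the DoS point measurable


def dh_pub(priv):
    return pow(G, priv, P)


def dh_shared(priv, pub):
    STATS["dh_ops"] += 1
    return pow(pub, priv, P)


def kdf(*parts):
    # Constructed KDF: hash the DH output and the PSK together into a session key.
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else str(part).encode())
    return h.hexdigest()


def psk_tag(psk, pub):
    return hmac.new(psk, str(pub).encode(), hashlib.sha256).digest()


def client_hello(psk, e_priv):
    """Client sends its ephemeral public key plus a PSK-keyed tag over it."""
    pub = dh_pub(e_priv)
    return pub, psk_tag(psk, pub)


def server_accept(psk, s_priv, e_pub, tag):
    """PSK gate: the server performs no DH unless the tag verifies (DoS defense)."""
    if not hmac.compare_digest(psk_tag(psk, e_pub), tag):
        return None
    return kdf(dh_shared(s_priv, e_pub), psk)


def break_dlog(pub):
    """Solve G^x = pub by brute force; the stand-in for a quantum adversary."""
    x = 1
    for k in range(1, P - 1):
        x = x * G % P
        if x == pub:
            return k
    return None


def attacker_recovers_key(leaked_psk, e_pub, s_pub):
    """Leaked PSK + DH broken from the recorded public keys yields the session key,
    so the PSK adds no post-quantum forward secrecy."""
    e_priv = break_dlog(e_pub)
    return kdf(dh_shared(e_priv, s_pub), leaked_psk)
```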