[noise] e empty or not?

Trevor Perrin trevp at trevp.net
Sat Apr 23 13:02:45 PDT 2016


On Sat, Apr 23, 2016 at 12:59 PM, david wong <davidwong.crypto at gmail.com> wrote:
> So you're implying that you could initialize "e" at the start of the
> protocol. Wouldn't that defeat the purpose of an "ephemeral" key?

Yes, it would be a "semi-ephemeral" key then.  There's some discussion
of that in Section 8.6, though there's a lot more that could be said
about that.

Such keys would be useful for reducing the forward-secrecy window of
zero-RTT encrypted data.  Protocols like QUIC or the prekeys in Signal
are examples of this.

Trevor


>
> David
>>
>> On Apr 23 2016, at 2:58 pm, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> Your e variable might be empty at the beginning of a protocol, but
>> once you have sent a message which starts with an e token, it will get
>> populated.
>>
>> Trevor
>>
>>
>> On Sat, Apr 23, 2016 at 12:55 PM, david wong <davidwong.crypto at gmail.com>
>> wrote:
>> > In section 8.1 Pattern validity:
>> >
>> >> Noise patterns must be valid in the following senses:
>> >> Parties must send a fresh ephemeral public key at the start of the
>> >> first
>> >> message they send (i.e. the first token of the first message pattern in
>> >> each
>> >> direction must be "e").
>> >
>> > but in section 2.2:
>> >
>> >> Each party maintains the following variables:
>> >> s, e: The local party's static and ephemeral key pairs (which may be
>> >> empty).
>> >
>> > so can e be empty, or does e have to be here. I'm a bit confused
>> >
>> > David
>> >
>> > _______________________________________________
>> > Noise mailing list
>> > Noise at moderncrypto.org
>> > https://moderncrypto.org/mailman/listinfo/noise
>> >


More information about the Noise mailing list