[noise] Extra Symmetric Key

Trevor Perrin trevp at trevp.net
Thu May 12 12:09:17 PDT 2016


On Thu, May 12, 2016 at 12:03 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> Hi Trevor,
>
> Why not instead just relegate this usage to the existing PSK? That way
> the handshake messages themselves will too be protected.

Then the "extra" exchange would have to be performed prior to the
Noise protocol.  If you wanted to do that, you could certainly use the
PSK mechanism.

But with this design, the extra exchange is overlaid on the Noise
protocol, so no round trips are added.  For example, the Ring-LWE
scheme in the Tor proposal requires the two parties to each send one
message, and uses "Ntor", which is basically:

-> e
<- e, dhee, dhse

So you'd like the client to send its first Ring-LWE message in the
first Noise payload, and have the server send its Ring-LWE message in
the response payload.

Trevor
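
The overlay described in this message, as an added sketch that is not code from the original e-mail or from the Noise project: the two messages of the extra exchange ride in the payloads of the two handshake messages, so the message count stays at two. Assumptions: a toy finite-field DH stands in for both the Noise DH function and the Ring-LWE scheme, payload encryption is omitted, and the way the extra key is mixed into the chaining key is illustrative; all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy finite-field DH standing in for the Noise DH function and, below, for
# the Ring-LWE exchange. Illustrative only, not a secure parameter choice.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(32, "big")

def mix(ck, material):
    # Simplified chaining-key update (HMAC-SHA256), not the full Noise HKDF.
    return hmac.new(ck, material, hashlib.sha256).digest()

def handshake():
    wire = []                        # every message that crosses the network
    s_priv, s_pub = keypair()        # server static key, known to the client
    ck = hashlib.sha256(b"toy-ntor").digest()

    # -> e   (payload: client's message of the extra exchange)
    ce_priv, ce_pub = keypair()
    cx_priv, cx_pub = keypair()      # placeholder for the client's Ring-LWE message
    wire.append({"e": ce_pub, "payload": cx_pub})

    # <- e, dhee, dhse   (payload: server's message of the extra exchange)
    m1 = wire[0]
    se_priv, se_pub = keypair()
    sx_priv, sx_pub = keypair()      # placeholder for the server's Ring-LWE message
    ck_s = mix(mix(ck, dh(se_priv, m1["e"])), dh(s_priv, m1["e"]))
    ck_s = mix(ck_s, dh(sx_priv, m1["payload"]))  # assumed mixing of the extra key
    wire.append({"e": se_pub, "payload": sx_pub})

    # Client processes the response and derives the same chaining key.
    m2 = wire[1]
    ck_c = mix(mix(ck, dh(ce_priv, m2["e"])), dh(ce_priv, s_pub))
    ck_c = mix(ck_c, dh(cx_priv, m2["payload"]))
    return ck_c, ck_s, len(wire)

if __name__ == "__main__":
    client_key, server_key, messages = handshake()
    print(client_key == server_key, messages)
```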