[noise] Negotiation and 0-RTT

Alexey Ermishkin scratch.net at gmail.com
Fri Jul 7 00:22:50 PDT 2017


I'm sorry, what do you mean by transcript? Is it the negotiation data? It's perfectly fine for me to use its hash as the prologue.
Why is it not included in the Reinit prologue calculation?

Otherwise yes, let's get back to the features left

-----Original Message-----
From: Trevor Perrin [mailto:trevp at trevp.net] 
Sent: Friday, July 7, 2017 12:12 PM
To: Alexey Ermishkin <scratch.net at gmail.com>
Cc: noise <noise at moderncrypto.org>
Subject: Re: [noise] Negotiation and 0-RTT

On Fri, Jul 7, 2017 at 2:44 AM, Alexey Ermishkin <scratch.net at gmail.com> wrote:
> Exactly what I was going to suggest!
>
> This looks simpler [...]

I agree this seems simpler.  Let's consider this the front-runner.

There's one point to consider about hashing:

Previously we assumed the initial protocol's "handshake hash" would be used in the fallback prologue.  An alternative would be to include the raw handshake transcript as fallback prologue.

The advantage of using the initial handshake hash is that the client can hash it immediately and just store the hash, instead of having to buffer the initial message so that it can be hashed after the server chooses a hash function.

The advantages of hashing the transcript:
 * Uses the negotiated hash algorithm.  The initial protocol might've used a weaker hash algorithm, whereas the "fallback" protocol uses the server's preferred algorithm.
 * The server isn't required to recognize the client_version before attempting a fallback.  Not sure how useful that is, because the server probably needs to recognize it anyways to get the ephemeral from the initial message, but maybe this is more flexible.

So the prologue for the 2 cases (client_version == server_version, and client_version != server_version) could be:

"NoiseLinkInit" || client_version...negotiation_data

"NoiseLinkReinit" || client_version...server_version

This seems like perhaps the better trade-off.

Are there other details to lock down for negotiation?  If not, we can return to the Simple 1-RTT thread (or start a new one) and try to finalize the details on padding, API, name, and anything else.

Trevor

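The two prologue options Trevor contrasts above (carry the initial protocol's handshake hash, or carry the raw initial message and let the server-chosen hash absorb it) can be made concrete with Noise's own InitializeSymmetric and MixHash rules. The following is an added example, not code from the Noise or NoiseSocket drafts and not from either poster. The byte layout of the prologue fields (2-byte big-endian versions, 2-byte length prefixes) and the use of the whole initial message as the thing the initial handshake hashes are assumptions for illustration; the thread elides those fields with "...".

```python
"""Prologue binding for the NoiseLink fallback ("Reinit") handshake.

Added example (not from the Noise/NoiseSocket drafts or the thread). Models
Trevor's two options for tying the fallback handshake to the initial message:
  (a) carry the initial protocol's handshake hash: the client stores only a
      digest, but the binding is as strong as the *initial* hash function;
  (b) carry the raw initial message in the prologue, so the *negotiated*
      (server-chosen) hash absorbs it via MixHash.
Assumed, not from the thread: 2-byte versions, 2-byte length prefixes, and
hashing the initial message as one blob (a real handshake mixes it per token).
"""
import hashlib
import struct

# Noise hash functions keyed by the last token of a protocol name, with HASHLEN.
HASH_FUNCS = {
    "SHA256": (lambda d: hashlib.sha256(d).digest(), 32),
    "SHA512": (lambda d: hashlib.sha512(d).digest(), 64),
    "BLAKE2s": (lambda d: hashlib.blake2s(d, digest_size=32).digest(), 32),
    "BLAKE2b": (lambda d: hashlib.blake2b(d, digest_size=64).digest(), 64),
}


def hash_for(protocol_name):
    """Return (HASH, HASHLEN) for a name such as 'Noise_XX_25519_AESGCM_SHA256'."""
    return HASH_FUNCS[protocol_name.rsplit("_", 1)[1]]


def initialize_h(protocol_name):
    """Noise InitializeSymmetric: h = name zero-padded to HASHLEN, or HASH(name) if longer."""
    hash_fn, hashlen = hash_for(protocol_name)
    name = protocol_name.encode("ascii")
    return name + bytes(hashlen - len(name)) if len(name) <= hashlen else hash_fn(name)


def mix_hash(protocol_name, h, data):
    """Noise MixHash: h = HASH(h || data)."""
    return hash_for(protocol_name)[0](h + data)


def _lp(data):
    """2-byte big-endian length prefix (assumed encoding)."""
    return struct.pack(">H", len(data)) + data


def init_prologue(client_version, negotiation_data):
    """'NoiseLinkInit' || client_version ... negotiation_data (field layout assumed)."""
    return b"NoiseLinkInit" + struct.pack(">H", client_version) + _lp(negotiation_data)


def initial_handshake_hash(initial_protocol, prologue, initial_message):
    """Client-side h after sending the first message under the initial protocol."""
    h = mix_hash(initial_protocol, initialize_h(initial_protocol), prologue)
    return mix_hash(initial_protocol, h, initial_message)


def reinit_prologue_via_hash(client_version, server_version, initial_h):
    """Option (a): 'NoiseLinkReinit' || versions || initial handshake hash."""
    return b"NoiseLinkReinit" + struct.pack(">HH", client_version, server_version) + initial_h


def reinit_prologue_via_transcript(client_version, server_version, initial_message):
    """Option (b): 'NoiseLinkReinit' || versions || raw initial message."""
    return b"NoiseLinkReinit" + struct.pack(">HH", client_version, server_version) + _lp(initial_message)


def fallback_h(fallback_protocol, reinit_prologue):
    """h of the fallback handshake right after its prologue has been mixed in."""
    return mix_hash(fallback_protocol, initialize_h(fallback_protocol), reinit_prologue)


def compare(initial_protocol, fallback_protocol, client_version, server_version,
            negotiation_data, initial_message):
    """Run both options; report what the client must keep and the resulting fallback h."""
    h0 = initial_handshake_hash(initial_protocol,
                                init_prologue(client_version, negotiation_data),
                                initial_message)
    pa = reinit_prologue_via_hash(client_version, server_version, h0)
    pb = reinit_prologue_via_transcript(client_version, server_version, initial_message)
    return {
        "a_client_stores": h0,               # one HASHLEN(initial) digest
        "b_client_stores": initial_message,  # the whole buffered message
        "a_fallback_h": fallback_h(fallback_protocol, pa),
        "b_fallback_h": fallback_h(fallback_protocol, pb),
    }


if __name__ == "__main__":
    # Constructed sample: client offered a SHA256 suite, server prefers BLAKE2b.
    msg = b"\x01" * 32 + b"\x02" * 48  # stand-in for e || ciphertext (constructed)
    r = compare("Noise_XX_25519_AESGCM_SHA256",
                "Noise_XXfallback_25519_ChaChaPoly_BLAKE2b", 1, 2, b"\x00\x01", msg)
    print("option (a) client keeps", len(r["a_client_stores"]), "bytes,",
          "option (b) keeps", len(r["b_client_stores"]), "bytes")
    print("fallback h via hash:      ", r["a_fallback_h"].hex())
    print("fallback h via transcript:", r["b_fallback_h"].hex())
```

The trade-off in the mail shows up directly: under option (a) the client stores a fixed 32-byte digest and the 64-byte BLAKE2b fallback hash only ever sees that SHA256 output, while under option (b) the client must buffer the full message but the negotiated hash covers every byte of it. Both bind the fallback h to the exact initial message, so flipping one byte of the message changes h either way.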