[noise] What needs forward secrecy? (for Disco)

[David Wong]

> I think new crypto algorithms need to provide the same security
> properties as existing crypto.

That's the reason why SHA-3 was so slow to begin with. If a security
is not needed I don't see why it should persist.


> Noise certainly considers the security properties of individual
> handshake messages to be important (e.g. tables in section 7.4 and
> 7.5).  It's totally plausible that an application could care about
> forward-secrecy of, say, 0-RTT data, when considering a compromise
> later in the handshake.

The Split() function introduces forward secrecy with the RATCHET()
function. Would this be enough for 0-RTT? It's certainly enough for
other scenarios.


> Luckily, this hashing is a small fraction of handshake time.

True. But I still don't see strong reasons to introduce it.

David