[noise] non replayable XK/KK?

Trevor Perrin trevp at trevp.net
Sun Jan 28 08:59:29 PST 2018


On Sun, Jan 28, 2018 at 10:11 AM, Justin Cormack
<justin at specialbusservice.com> wrote:
>
> Intuitively this may be most useful for where there is
> a pre-message, so there are parts of the handshake that can be done
> in effect by either party. So one choice is initiator vs responder using
> that shared key, so the NKdefer is switching from initiator to responder
> using it. For the KK case this would potentially allow two deferals.
> But maybe there are other useful deferral cases too.

It's hard to say where the line is between useful and
not-useful-but-valid patterns.  But the general case of deferral gets
complicated.  We could potentially "defer" any part of a handshake,
including any of the DH calculations, or transmitting any of the
public keys.

Just starting with XK, below's a non-exhaustive list of 7 "deferred" variants.

Hard to know what to do!  Do we work out a framework of modifiers that
can describe all of these?  Or just start with a simple modifier that
covers some immediate use cases (with the risk it doesn't generalize
well)?

XK(s, rs):
  <- s
  ...
  -> e, es
  <- e, ee
  -> s, se

XKdefer1(s, rs):
  <- s
  ...
  -> e
  <- e, ee, es
  -> s, se

XKdefer2(s, rs):
  <- s
  ...
  -> e
  <- e, ee
  -> es, s, se

XKdefer3(s, rs):
  <- s
  ...
  -> e
  <- e
  -> ee, es, s, se

XKdefer4(s, rs):
  <- s
  ...
  -> e
  <- e
  -> ee, es, s
  <- se

XKdefer5(s, rs):
  <- s
  ...
  -> e
  <- e
  -> ee, es
  <- s, se

XKdefer6(s, rs):
  <- s
  ...
  -> e
  <- e
  -> ee
  <- es
  -> s, se

XKdefer7(s, rs):
  <- s
  ...
  -> e
  <- e
  -> ee
  <- es
  -> s
  <- se

Trevor


More information about the Noise mailing list