[noise] non replayable XK/KK?

Justin Cormack justin at specialbusservice.com
Sun Jan 28 10:12:04 PST 2018


On 28 January 2018 at 16:59, Trevor Perrin <trevp at trevp.net> wrote:
> On Sun, Jan 28, 2018 at 10:11 AM, Justin Cormack
> <justin at specialbusservice.com> wrote:
> It's hard to say where the line is between useful and
> not-useful-but-valid patterns.  But the general case of deferral gets
> complicated.  We could potentially "defer" any part of a handshake,
> including any of the DH calculations, or transmitting any of the
> public keys.
>
> Just starting with XK, below's a non-exhaustive list of 7 "deferred" variants.
>
> Hard to know what to do!  Do we work out a framework of modifiers that
> can describe all of these?  Or just start with a simple modifier that
> covers some immediate use cases (with the risk it doesn't generalize
> well)?

It seems to me that there are two rules that are quite general, and maybe could
be added to the spec:

1. forward secrecy rule: always send e as soon as possible
2. DH early DH often rule: always do a DH as soon as you can

Together these define the single form of NN for example.

Then there seems to be an ordering rule:

3. do more ephemeral DH earlier (ee first etc)

And a rather trivial rule:
4. you have to send something if there is nothing for the other party to send

These eliminate many of your versions. Then you are left with the question of
whether what is left has an interestingly different security profile at any
stage of the handshake; if not, then shorter is better.

I don't think there are a lot of meaningful versions, but there are clearly
some, as the "I." patterns showed and the discussion above. When you add in
psk there are more though...

Justin
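
An added example, not part of the message above or of the Noise specification: a small checker that applies rules 1 and 2 to a handshake pattern written in Noise notation. The function names and the "XK deferred" pattern are constructed for illustration; rule 3 (ordering of DH tokens) and rule 4 are not checked.

```python
KEY_TOKENS = {"e", "s"}  # public-key tokens; two-letter tokens (ee, es, se, ss) are DHs

def parse(text):
    """Split Noise pattern text into (pre_messages, messages) of (sender, tokens)."""
    pre, cur = [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if line == "...":          # everything above "..." is a pre-message
            pre, cur = cur, []
            continue
        arrow, _, rest = line.partition(" ")
        sender = "i" if arrow == "->" else "r"   # initiator / responder
        cur.append((sender, [t.strip() for t in rest.split(",")]))
    return pre, cur

def check(text):
    """Return a list of rule 1 / rule 2 findings; assumes a valid Noise pattern."""
    pre, msgs = parse(text)
    # avail[(party, key)] = message index at which that public key is known to
    # both sides; -1 means known before the handshake starts.
    avail = {(who, k): -1 for who, toks in pre for k in toks}
    seen, findings = set(), []
    for n, (who, toks) in enumerate(msgs):
        if who not in seen and "e" not in toks and (who, "e") not in avail:
            findings.append(f"rule 1: message {n} is the first from {who} but has no e")
        seen.add(who)
        for t in toks:
            if t in KEY_TOKENS:
                avail.setdefault((who, t), n)
    for n, (who, toks) in enumerate(msgs):
        for t in toks:
            if len(t) != 2:        # skip key tokens and psk
                continue
            # First letter is the initiator's key, second the responder's.
            earliest = max(avail[("i", t[0])], avail[("r", t[1])], 0)
            if n > earliest:
                findings.append(f"rule 2: {t} in message {n} could run in message {earliest}")
    return findings

XK = "<- s\n...\n-> e, es\n<- e, ee\n-> s, se"
NN = "-> e\n<- e, ee"
# Constructed for illustration: XK with the es DH moved to the second message.
XK_DEFERRED = "<- s\n...\n-> e\n<- e, ee, es\n-> s, se"

if __name__ == "__main__":
    for name, pat in [("XK", XK), ("NN", NN), ("XK deferred", XK_DEFERRED)]:
        print(name, check(pat) or "ok")
```

A pattern that passes both checks can still differ from another in its security properties at a given stage, which is the remaining question the message raises.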

