[noise] non replayable XK/KK?

Trevor Perrin trevp at trevp.net
Fri Feb 2 09:06:37 PST 2018


On Fri, Feb 2, 2018 at 11:20 AM, Justin Cormack
<justin at specialbusservice.com> wrote:
>
> Thinking about this, I can think of some use cases where you might
> want to defer DH, e.g. waiting for confirmation that sender was not
> spoofing their address. E.g. from
>
> ND(rs):
>   <- s
>   ...
>   -> e
>   <- e, ee, es
>
> We can defer this to
>
> ND(rs):
>   <- s
>   ...
>   -> e
>   <- e
>   -> ee, es
>
> If there is no message being sent by the responder after the handshake
> this can be done automatically, as it does not actually affect bits on
> the wire.


This does affect bits on the wire because there's an implicit
handshake payload after every message.  So even with an empty payload
in the response message, your first case's response message will
contain a 16-byte authentication tag, which your second case won't.

So this just ends up being another pattern, I think, and we face the
same question of whether to name this via 2-letter base names, or
modifiers...

---

While we're brainstorming deferred patterns, here's another case.

We've considered new crypto in the form of a "sig" modifier and token,
which can only be applied to patterns where "es" and "se" are used
with the sender's "s".

But we can also consider new crypto in the form of a "kem" modifier.
A KEM (key encapsulation method) can be thought of as public-key
encryption of a symmetric key, e.g. with RSA.  But post-quantum crypto
is also likely to take the form of KEMs.

KEMs are somewhat the opposite of signatures, when it comes to
authentication:  A "kem" modifier can only be applied to patterns
where "es" and "se" are used with the sender's "e".  In other words:
signatures authenticate the sender, and KEMs authenticate the
receiver, whereas DH can do either.

To prepare for KEM, we'd need to modify the 6 patterns below, I think.
I'll call these "enc" patterns for now, since they basically just use
the DH for encryption:


NX
 -> e
 <- e, ee, s, es

NXenc
 -> e
 <- e, ee, s
 -> es


XX(s, rs):
  -> e
  <- e, ee, s, es
  -> s, se

XXenc(s, rs):
  -> e
  <- e, ee, s
  -> es, s
  <- se


KK(s, rs):
  -> s
  <- s
  ...
  -> e, es, ss
  <- e, ee, se

KKenc(s, rs):
  -> s
  <- s
  ...
  -> e, es
  <- e, ee, se


KX(s, rs):
  -> s
  ...
  -> e
  <- e, ee, se, s, es


KXenc(s, rs):
  -> s
  ...
  -> e
  <- e, ee, se, s
  -> es


IK(s, rs):
  <- s
  ...
  -> e, es, s, ss
  <- e, ee, se

IKenc(s, rs):
  <- s
  ...
  -> e, es, s
  <- e, ee, se


IX(s, rs):
  -> e, s
  <- e, ee, se, s, es

IXenc(s, rs):
  -> e, s
  <- e, ee, se, s
  -> es


Trevor
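
The rule stated in the message above (a "sig" modifier needs "es"/"se" used with the sender's "s", a "kem" modifier needs them used with the sender's "e") can be checked mechanically against a pattern. The following is an added example, not code from the post or from the Noise project; the function names are hypothetical, and treating "ss" as fitting neither modifier is an assumption drawn from KKenc and IKenc dropping it.

```python
# Added example: classify es/se/ss tokens by which of the SENDER's keys they use.
# Pattern texts are copied from the message; helper names are hypothetical.
XX = "XX(s, rs):\n  -> e\n  <- e, ee, s, es\n  -> s, se"
XXENC = "XXenc(s, rs):\n  -> e\n  <- e, ee, s\n  -> es, s\n  <- se"
KK = "KK(s, rs):\n  -> s\n  <- s\n  ...\n  -> e, es, ss\n  <- e, ee, se"
KKENC = "KKenc(s, rs):\n  -> s\n  <- s\n  ...\n  -> e, es\n  <- e, ee, se"

def parse(pattern):
    """Return [(direction, [tokens])] for handshake messages only.
    Pre-messages (lines before '...') and the name line are skipped."""
    lines = [line.strip() for line in pattern.strip().splitlines()]
    if "..." in lines:
        lines = lines[lines.index("...") + 1:]
    msgs = []
    for line in lines:
        if line[:2] in ("->", "<-"):
            toks = [t.strip() for t in line[2:].split(",") if t.strip()]
            msgs.append((line[:2], toks))
    return msgs

def sender_keys(pattern):
    """List (message_index, token, key): key is 'e' or 's', the sender's
    contribution to the DH, or 'ss' for the static-static token."""
    out = []
    for i, (direction, toks) in enumerate(parse(pattern)):
        for tok in toks:
            if tok == "ss":
                out.append((i, tok, "ss"))
            elif tok in ("es", "se"):
                # First letter is the initiator's key, second the responder's.
                key = tok[0] if direction == "->" else tok[1]
                out.append((i, tok, key))
    return out

def modifier_fits(pattern, modifier):
    """True if every es/se uses the sender key the modifier needs.
    Assumption: any 'ss' token rules out both modifiers."""
    want = {"kem": "e", "sig": "s"}[modifier]
    return all(key == want for _, _, key in sender_keys(pattern))

if __name__ == "__main__":
    for name, pat in [("XX", XX), ("XXenc", XXENC), ("KK", KK), ("KKenc", KKENC)]:
        print(name, sender_keys(pat),
              "kem:", modifier_fits(pat, "kem"), "sig:", modifier_fits(pat, "sig"))
```

A pattern with no "es", "se" or "ss" tokens passes both checks vacuously.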

