[noise] non replayable XK/KK?

[Trevor Perrin]

Another idea for deferred patterns:

Instead of using modifiers or an alphabet soup of 2-letter names, we
could allow substituting X, K, and I with X1, K1, and I1 to move that
party's authentication DH into the next message.

I think this sets us up well for signatures and encryption/KEMs, as
alternatives to DH:  Currently, each 2-letter pattern is either
signature-compatible or encryption-compatible for a party, depending
on whether the authentication DH is used in the sender's message
(signature-compatible) or the receiver's message
(encryption-compatible).  So by using the "1" variants, we could get
all possible signature and encryption-compatible variants for each
base pattern.

This works out to 22 new patterns, I think (see below).  It would be
great if someone would double-check them!

The main design decision comes with KK and IK, which currently use an
"ss" DH in the initial message.  I omitted this from the transformed
patterns, since this "ss" isn't really signature or encryption
compatible.  Also, we could add an "ss?" modifier separately, somewhat
like the "psk?" modifier, that injects an "ss" into specified places,
since "ss" could be added to a lot of other patterns (e.g., "ss" adds
resilience in case of ephemeral key compromise).

Thoughts?


NK(rs):
  <- s
  ...
  -> e, es
  <- e, ee

NK1(rs):
  <- s
  ...
  -> e
  <- e, ee, es

==================

NX(rs):
  -> e
  <- e, ee, s, es

NX1(rs):
  -> e
  <- e, ee, s
  -> es

==================

XK(s, rs):
  <- s
  ...
  -> e, es
  <- e, ee
  -> s, se

X1K(s, rs):
  <- s
  ...
  -> e, es
  <- e, ee
  -> s
  <- se

XK1(s, rs):
  <- s
  ...
  -> e
  <- e, ee, es
  -> s, se

X1K1(s, rs):
  <- s
  ...
  -> e
  <- e, ee, es
  -> s
  <- se

==================

XX(s, rs):
  -> e
  <- e, ee, s, es
  -> s, se

X1X(s, rs):
  -> e
  <- e, ee, s, es
  -> s
  <- se

XX1(s, rs):
  -> e
  <- e, ee, s
  -> es, s, se

X1X1(s, rs):
  -> e
  <- e, ee, s
  -> es, s
  <- se

==================

KN(s):
 -> s
 ...
 -> e
 <- e, ee, se

K1N(s):
  -> s
  ...
  -> e
  <- e, ee
  -> se

==================

KK(s, rs):
 -> s
 <- s
 ...
 -> e, es, ss
 <- e, ee, se

K1K(s, rs):
 -> s
 <- s
 ...
 -> e, es
 <- e, ee
 -> se

KK1(s, rs):
  -> s
  <- s
  ...
  -> e
  <- e, ee, se, es

K1K1(s, rs):
  -> s
  <- s
  ...
  -> e
  <- e, ee, es
  -> se

==================

KX(s, rs):
  -> s
  ...
  -> e
  <- e, ee, se, s, es

K1X(s, rs):
  -> s
  ...
  -> e
  <- e, ee, s, es
  -> se

KX1(s, rs):
  -> s
  ...
  -> e
  <- e, ee, se, s
  -> es

K1X1(s, rs):
  -> s
  ...
  -> e
  <- e, ee, s
  -> es, se


==================

IN(s):
  -> e, s
  <- e, ee, se

I1N(s):
  -> e, s
  <- e, ee
  -> se

==================

IK(s, rs):
  <- s
  ...
  -> e, es, s, ss
  <- e, ee, se

I1K(s, rs):
  <- s
  ...
  -> e, es, s
  <- e, ee
  -> se

IK1(s, rs):
  <- s
  ...
  -> e, s
  <- e, ee, se, es

I1K1(s, rs):
  <- s
  ...
  -> e, s
  <- e, ee, es
  -> se

==================

IX(s, rs):
  -> e, s
  <- e, ee, se, s, es

I1X(s, rs):
  -> e, s
  <- e, ee, es
  -> se

IX1(s, rs):
  -> e, s
  <- e, ee, se, s
  -> es

I1X1(s, rs):
  -> e, s
  <- e, ee, se, s
  -> es


Trevor