[noise] non replayable XK/KK?

Justin Cormack justin at specialbusservice.com
Tue Feb 20 02:18:51 PST 2018


On 19 February 2018 at 22:48, Trevor Perrin <trevp at trevp.net> wrote:
> Another idea for deferred patterns:
>
> Instead of using modifiers or an alphabet soup of 2-letter names, we
> could allow substituting X, K, and I with X1, K1, and I1 to move that
> party's authentication DH into the next message.
>
> I think this sets us up well for signatures and encryption/KEMs, as
> alternatives to DH:  Currently, each 2-letter pattern is either
> signature-compatible or encryption-compatible for a party, depending
> on whether the authentication DH is used in the sender's message
> (signature-compatible) or the receiver's message
> (encryption-compatible).  So by using the "1" variants, we could get
> all possible signature and encryption-compatible variants for each
> base pattern.
>
> This works out to 22 new patterns, I think (see below).  It would be
> great if someone would double-check them!
>
> The main design decision comes with KK and IK, which currently use an
> "ss" DH in the initial message.  I omitted this from the transformed
> patterns, since this "ss" isn't really signature or encryption
> compatible.  Also, we could add an "ss?" modifier separately, somewhat
> like the "psk?" modifier, that injects an "ss" into specified places,
> since "ss" could be added to a lot of other patterns (e.g., "ss" adds
> resilience in case of ephemeral key compromise).
>
> Thoughts?

This certainly addresses my worry about not being able to remember what all
the new two letter names mean... (Perhaps I should be a modifier too? Though
calling it XI is rather indistinguishable from X1, and I don't think it makes it
clearer and doesn't quite work like these modifiers, so I don't think
changing it helps).
Certainly seems to add the ones that seem useful but not excessively many.

If ss? were to be a modifier, would it be an optional one or still
always appear in
the base KK, IK (where it seems useful)?

Justin


More information about the Noise mailing list