[noise] Yawning's Noise with New Hope Simple

Trevor Perrin trevp at trevp.net
Mon May 28 10:22:06 PDT 2018


On Sun, May 27, 2018 at 8:55 PM, dawuud <dawuud at riseup.net> wrote:
>
> Hi. For the record, Yawning Angel forked flynn's golang Noise implementation:
>
> https://github.com/katzenpost/noise
>
> so that we can use "Noise_XXhfs_25519+NewHopeSimple_ChaChaPoly_Blake2b" to
> implement our mixnet link layer as specified here:
[...]
> I haven't heard of anyone else doing this with Noise.
> Has anyone else written any Noise protocols using pq crypto hybrid key exchange?

Hi David,

Glad to have you here representing the Katzenpost mixnet effort.

I'm not aware of other users of hybrid forward secrecy + postquantum
KEMs, with Noise.

We've considered a couple approaches towards such handshakes:

 (1) The "hfs" modifier described in Rhys Weatherly's "Hybrid Forward
Secrecy" and "New Hope" specs, on the wiki:
https://github.com/noiseprotocol/noise_wiki/wiki .  I believe your
work is based on this.

 (2) A few months ago I sketched a more complicated set of pattern
modifiers which could describe various combinations of DH, signature,
and KEM key-types and algorithms coexisting in a single protocol:
https://moderncrypto.org/mail-archive/noise/2018/001499.html .  So
this scheme could express hybrid forward-secrecy as well as different
flavors of hybrid authentication.

We're close to getting out rev34 of the spec, which includes new
"deferred" patterns.  These deferred patterns will give us more
options for using different types of crypto for authentication (i.e.
the deferred patterns will make it possible to use signatures and KEMs
in more cases).

So at that point we should revisit this.  One question is whether we
should have a more complex/general naming scheme like (2) which
"hybrid forward-secrecy" is just one instance of, or whether we should
have a special "hfs" modifier to simplify what's likely to be a common
and important case.


Trevor

