[noise] psk analysis, and ss/noss modifiers (was Re: Noise Explorer)

Sun Aug 5 17:02:56 PDT 2018

On Sat, Aug 4, 2018 at 9:36 AM, Nadim Kobeissi <nadim at symbolic.software> wrote:
> Hello everyone,
> In addition to the 13 PSK patterns added last week, the following five new
> PSK patterns have been added today:

Nice, I see you've covered all the PSK patterns in the spec.  Were you
just revalidating the existing properties for the PSK variants, or
were you checking any properties related to the PSK itself?

If you were just checking that adding the PSK doesn't invalidate the
existing properties, I'd wonder if there's some way to get a more
general analysis that adding independent secrets into the KDF can't
harm existing security properties (and also: taking additional outputs
from the KDF can't harm existing security properties, which would be
useful for things like "Independent" ASKs).

Shifting gears:  Another task that would benefit from tooling and
analysis is figuring out modifiers to add and remove "ss" tokens.

To recap: one might want to add a static-static DH to existing
patterns, to improve resistance to ephemeral-key compromise; or one
might want to remove a static-static DH, to improve efficiency.

We could probably do this with a "noss" modifer that deletes "ss", and
also with "ss?" modifiers with ? replaced by the number of the
handshake message that gets "ss" added to it (deleting an existing ss,
if present).

I think adding these to the existing fundamental patterns gets the
following.  Adding these to deferred patterns would take more thought,
and in any case more analysis is needed, and making sure validity
rules are respected:

KKnoss:
  -> s
  <- s
  ...
  -> e, es[, -ss]
  <- e, ee, se

KKss2:
  -> s
  <- s
  ...
  -> e, es
  <- e, ee, se[, ss]

IKnoss:
   <- s
   ...
   -> e, es, s[, -ss]
   <- e, ee, se

IKss2:
   <- s
   ...
   -> e, es, s
   <- e, ee, se[, ss]

XKss3:
  <- s
  ...
  -> e, es
  <- e, ee
  -> s, se[, ss]

XXss3:
  -> e
  <- e, ee, s, es
  -> s, se[, ss]

KXss2:
  -> s
  ...
  -> e
  <- e, ee, se, s, es[, ss]

IXss2:
  -> e, s
  <- e, ee, se, s, es[, ss]

Trevor