[noise] psk analysis, and ss/noss modifiers (was Re: Noise Explorer)

Justin Cormack justin at specialbusservice.com
Sun Sep 2 13:03:00 PDT 2018 

I added a draft doc
https://gist.github.com/justincormack/9cb0c2339739c46de009288f10236f92
for ss/noss to the wiki
https://github.com/noiseprotocol/noise_wiki/wiki/Static-Static-DH-Modifiers

Justin


On 15 August 2018 at 05:29, Nadim Kobeissi <nadim at symbolic.software> wrote:
> Pattern analysis for KKnoss, IKnoss, KKss, KXss, XKss and IKss has begun and
> should be completed within a few hours.
>
> Nadim Kobeissi
> Symbolic Software • https://symbolic.software
> Sent from office
>
>
> On Wed, Aug 15, 2018 at 12:23 AM Justin Cormack
> <justin at specialbusservice.com> wrote:
>>
>> On 14 August 2018 at 16:56, Trevor Perrin <trevp at trevp.net> wrote:
>> > OK, so I think there's 2 questions you're answering with the "ss"
>> > patterns below:
>> >
>> >  * You're using the "late" choice for deferred patterns (which you've
>> > done consistently), and leaving out the "early" option I mentioned.  I
>> > think I agree with this:  If you've chosen to defer the more-important
>> > authentication DHs (se and es), it seems you probably would want to
>> > defer the less-important ss DH that is just supplying a bit more
>> > forward-secrecy against an unusual attack.  Also, this is fairly
>> > simple, and doesn't preclude us adding the other patterns later, if we
>> > think of a reason for them.
>> >
>> >  * You're making KKss and IKss identical with existing KK and IK,
>> > instead of putting the "ss" on the end.  Not sure I agree here, seems
>> > like it gains us more flexibility to have a different option, and
>> > perhaps more consistency to have the "ss" modified patterns always
>> > have "ss" at the end.  Also, it seems possible you might prefer to
>> > skip the early "ss" for denial-of-service or (in KK) identity-hiding
>> > reasons.
>>
>> Ok, well that gives the "always put the ss at the end" rule, which is also
>> pretty simple. There aren't any other possibilities with any of the non
>> deferred patterns anyway, so ok with that choice.
>>
>> > Anyways, I think we're converging on something - if you have time it
>> > would be great to start a spec and link from wiki, also so we can get
>> > Nadim some tentative patterns to analyze.
>>
>> Will do, am away for a bit and not sure how much time I will have
>> immediately
>> but will see.
>>
>> For reference these are the patterns if Nadim has time to analyze...
>>
>> KKnoss:
>>   -> s
>>   <- s
>>   ...
>>   -> e, es
>>   <- e, ee, se
>>
>> IKnoss:
>>   <- s
>>   ...
>>   -> e, es, s
>>   <- e, ee, se
>>
>>
>> KKss:
>>   -> s
>>   <- s
>>   ...
>>   -> e, es
>>   <- e, ee, se, ss
>>
>> KXss:
>>   -> s
>>   ...
>>   -> e
>>   <- e, ee, se, s, es, ss
>>
>> XKss:
>>   <- s
>>   ...
>>   -> e, es
>>   <- e, ee
>>   -> s, se, ss
>>
>> IKss:
>>   <- s
>>   ...
>>   -> e, es, s
>>   <- e, ee, se, ss
>>
>> XXss:
>>   -> e
>>   <- e, ee, s, es
>>   -> s, se, ss
>>
>> IXss:
>>   -> e, s
>>   <- e, ee, se, s, es, ss
>>
>>
>> K1Kss:
>>   -> s
>>   <- s
>>   ...
>>   -> e, es
>>   <- e, ee
>>   -> se, ss
>>
>> KK1ss:
>>   -> s
>>   <- s
>>   ...
>>   -> e
>>   <- e, ee, se, es, ss
>>
>> K1K1ss:
>>   -> s
>>   <- s
>>   ...
>>   -> e
>>   <- e, ee, es
>>   -> se, ss
>>
>> K1Xss:
>>   -> s
>>   ...
>>   -> e
>>   <- e, ee, s, es
>>   -> se, ss
>>
>> KX1ss:
>>   -> s
>>   ...
>>   -> e
>>   <- e, ee, se, s
>>   -> es, ss
>>
>> K1X1ss:
>>   -> s
>>   ...
>>   -> e
>>   <- e, ee, s
>>   -> se, es, ss
>>
>> X1Kss:
>>   <- s
>>   ...
>>   -> e, es
>>   <- e, ee
>>   -> s
>>   <- se, ss
>>
>> XK1ss:
>>   <- s
>>   ...
>>   -> e
>>   <- e, ee, es
>>   -> s, se, ss
>>
>> X1K1ss:
>>   <- s
>>   ...
>>   -> e
>>   <- e, ee, es
>>   -> s
>>   <- se, ss
>>
>> I1Kss:
>>   <- s
>>   ...
>>   -> e, es, s
>>   <- e, ee
>>   -> se, ss
>>
>> IK1ss:
>>   <- s
>>   ...
>>   -> e, s
>>   <- e, ee, se, es, ss
>>
>> I1K1ss:
>>   <- s
>>   ...
>>   -> e, s
>>   <- e, ee, es
>>   -> se, ss
>>
>> X1Xss:
>>   -> e
>>   <- e, ee, s, es
>>   -> s
>>   <- se, ss
>>
>> XX1ss:
>>   -> e
>>   <- e, ee, s
>>   -> es, s, se, ss
>>
>> X1X1ss:
>>   -> e
>>   <- e, ee, s
>>   -> es, s
>>   <- se, ss
>>
>> I1Xss:
>>   -> e, s
>>   <- e, ee, s, es
>>   -> se, ss
>>
>> IX1ss:
>>   -> e, s
>>   <- e, ee, se, s
>>   -> es, ss
>>
>> I1X1ss:
>>   -> e, s
>>   <- e, ee, s
>>   -> se, es, ss
>> _______________________________________________
>> Noise mailing list
>> Noise at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/noise

More information about the Noise mailing list