[noise] Variable-length handshake payloads?

Trevor Perrin trevp at trevp.net
Thu Dec 13 00:55:19 PST 2018


On Wed, Dec 12, 2018 at 8:39 PM Jonas Acres <jonas at acrescrypto.com> wrote:
>
> I am working on a project that uses Noise. We want to:
>  1. Exchange payloads during handshaking (i.e. use the payload fields in WriteMessage/ReadMessage),
>  2. Ensure that all transmitted bytes are indistinguishable from random noise, and
>  3. Have variable-length payloads.
[...]
> 1. Is there an established way to do variable-length payloads during handshaking in Noise that I can use instead?

Hi Jonas,

David had some good references; I'll also mention I2P's NTCP2:

https://geti2p.net/spec/ntcp2

There's not really an established way to do this.  Eventually we'll
have a mechanism for deriving "Additional" Symmetric Keys during a
Noise handshake.  So that will make it easy to derive a key for
encrypting length fields.

So you might want to keep an eye on or help with that work, but that's
also tied up with some broader symmetric-crypto overhaul things we're
considering, so is probably months away:

https://github.com/noiseprotocol/noise_wiki/wiki/Additional-Symmetric-Keys

Also note that if you want indistinguishability you'll have to do
something with ephemeral public keys (e.g. Elligator or what I2P is
doing), and we haven't standardized that either.


Trevor

