<p dir="ltr">Hi Trevor,</p>
<p dir="ltr">Hopefully it's not too late to discuss this...</p>
<p dir="ltr">It occurred to me that Noise could benefit from having a pre-shared secret option, which could be in use by multiple peers at once. It would provide two nice properties:</p>
<p dir="ltr">1. If a pre-shared secret is provided, MixKey(pre-shared secret) is called during handshake initialization.</p>
<p dir="ltr">Since internet traffic is being collected passively and stored indefinitely, this ensures that if in the future the DH functions are broken, the data is still secured, so long as the pre-shared secret didn't leak from somebody.</p>
<p dir="ltr">2. If a pre-shared secret is provided, the first unencrypted public key written receives a MAC (using hmac or keyed-blake2) using the pre-shared secret.</p>
<p dir="ltr">This provides DoS defense, so that an attacker can not force a server to compute any DH operations, unless he has the pre-shared secret. Without this mitigation, Noise is very very DoS-able.</p>
<p dir="ltr">What do you think?</p>
<p dir="ltr">Jason</p>