<div dir="ltr"><br>On Fri, Jul 1, 2016 at 11:23 PM, Trevor Perrin <<a href="mailto:trevp@trevp.net">trevp@trevp.net</a>> wrote:<br>> "Semi-static keys for Noise Pipes" (9.4):<br><br>Hmm, this needs more thought. I liked the idea of not creating new handshake patterns for semi-ephemeral aka semi-static handshakes. <div><br></div><div>But it's not working out that elegantly, since we still want to bind the original static in the resumed handshake to avoid identity misbinding (a malicious responder provides a semi-static public key from some unrelated service). So we're stuffing the original static in the prologue, which is ugly and not a guaranteed fix, because the unrelated service might not have the same semantics for its prologue.</div><div><br></div><div>An alternative would be to define semi-ephemeral patterns as "transformations" from the non-semi-ephemeral versions. That makes the relationship with the original pattern clear, and more clearly expresses the binding to the original static.</div><div><br></div><div>That would look something like this (original patterns on left, transformed semi-ephemeral ones on right):</div><div><font face="monospace, monospace"><div><br></div><div>Noise_NK(rs): Noise_NKsemi(rs, re): </div><div> <- s <- e, s </div><div> ... ... </div><div> -> e, dhes -> e, dhee </div><div> <- e, dhee <- e, dhee </div><div> </div><div>Noise_XK(s, rs): Noise_XKsemi(s, rs, re): </div><div> <- s <- e, s </div><div> ... ... </div><div> -> e, dhes -> e, dhee </div><div> <- e, dhee <- e, dhee </div><div> -> s, dhse -> s, dhse </div><div> </div><div>Noise_IK(s, rs): Noise_IKsemi(s, rs, re): </div><div> <- s <- e, s </div><div> ... ... </div><div> -> e, dhes, s, dhss -> e, dhee, s, dhse </div><div> <- e, dhee, dhes <- e, dhee, dhes <br></div><div><br></div><div><br></div><div>Trevor</div><div><br></div> </font><br></div></div>