I have no deep knowledge of Strobe, but what if we replaced the initial “Noise_” with any other arbitrary string (may it be StrobevX or whichever)?<br>This would be a clear sign that the following protocol name might need to be parsed following different rules than classic Noise Protocol.<br>Example:<br>STROBEvX_XX_25519_Keccak1660<br><br>Kind regards,<br>Piotr<br><div class="gmail_quote"><div dir="ltr">W dniu niedz., 24.09.2017 o 22:11 Trevor Perrin <<a href="mailto:trevp@trevp.net">trevp@trevp.net</a>> napisał(a):<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Sun, Sep 24, 2017 at 10:34 AM, David Wong <<a href="mailto:davidwong.crypto@gmail.com" target="_blank">davidwong.crypto@gmail.com</a>> wrote:<br>
>> if you implement these functions (with Strobe or anything else) then you will fully support all Noise features.<br>
><br>
> I don't think most ad-hoc implementations will fully support all Noise<br>
> features, for my own library I only support a subset of Noise (which I<br>
> believe was the point of Noise, spend most of the time designing,<br>
> spend minimal time implementing and get rid of most<br>
> configuration/options/agility).<br>
><br>
> When implementing my own, I ended up implementing that `MixKeyAndHash`<br>
> function and realized later on that it was just dead code<br>
<br>
I added a sentence to the MixKeyAndHash description to clarify that:<br>
<br>
"This function is used for handling pre-shared symmetric keys, as<br>
described in Section 9."<br>
<a href="https://github.com/noiseprotocol/noise_spec/blob/rev33test/output/noise.pdf" rel="noreferrer" target="_blank">https://github.com/noiseprotocol/noise_spec/blob/rev33test/output/noise.pdf</a><br>
<br>
Is that better?<br>
<br>
I still think SymmetricState and CipherState descriptions should also<br>
serve the audience of crypto algorithm designers, so it's useful to<br>
completely describe the symmetric-crypto API that Noise relies on.<br>
<br>
<br>
>> #2) Noise_XX_25519_STROBEvX/Keccak1660<br>
><br>
> This makes less sense to me, Keccak1600 is to Strobe what SHA256 is to<br>
> AESGCM (in some way) so I think it should respect the same convention.<br>
<br>
Not sure I follow the analogy, I think all those things are quite different.<br>
<br>
<br>
>> In your proposal (#1) it's not possible to generically parse the symmetric name, you'd have to recognize that "STROBEvX" is not a cipher and trigger different parsing for following components<br>
><br>
> Do you ever need to parse this anyway? This gets hashed and is<br>
> verified in the subsequent authenticated message to make sure the two<br>
> peers speak the same protocol. Is there more to protocol naming?<br>
<br>
Names might be used in other contexts, e.g.<br>
* Human communication and documentation<br>
* Some library APIs are configured by specifying a name string (e.g. Snow)<br>
* Some protocols might pass strings as part of negotiation<br>
* The test vectors use name strings to specify protocols<br>
<br>
If you don't understand "STROBEvX" you're not going to get much value<br>
out of the name in any case, but recognizing whether whether<br>
"STROBEvX" is a cipher (or XOF or something else) would give a reader<br>
or debugger at little more information.<br>
<br>
Maybe it's not a big deal, but I'd prefer to keep the names parseable,<br>
if all else was equal.<br>
<br>
Trevor<br>
_______________________________________________<br>
Noise mailing list<br>
<a href="mailto:Noise@moderncrypto.org" target="_blank">Noise@moderncrypto.org</a><br>
<a href="https://moderncrypto.org/mailman/listinfo/noise" rel="noreferrer" target="_blank">https://moderncrypto.org/mailman/listinfo/noise</a><br>
</blockquote></div>