[noise] Omitting client's ephemeral pubkey from client's box

Trevor Perrin trevp at trevp.net
Sun Jul 13 22:47:04 PDT 2014

Another change:

In the pipe handshake, the ephemeral public key that begins the
client's box was redundant, since it was already sent in the client's
first message.

I was leaving it in to make the protocol description simpler.  But I
think there are better arguments to remove it:

 * The server might forget to check that the client's ephemeral public
key matches in the first and second messages.  I _think_ that's still
OK, but it would be simpler if we didn't have to worry about that.

 * If Noise pipes are used with a padding scheme that tries to hide
whether resumption was performed (like [1]), then we'd probably want
the value omitted.  So that argues for just doing it now.

 * It saves DH_LEN bytes to omit it.


Anyways, sorry for the string of changes, let's all look hard at the
box/pipe protocols for next couple of weeks, hopefully they're close
to done.


[1] https://moderncrypto.org/mail-archive/noise/2014/000002.html

More information about the Noise mailing list