[noise] Omitting client's ephemeral pubkey from client's box
Trevor Perrin
trevp at trevp.net
Sun Jul 13 22:47:04 PDT 2014
Another change:
In the pipe handshake, the ephemeral public key that begins the
client's box was redundant, since it was already sent in the client's
first message.
I was leaving it in to make the protocol description simpler. But I
think there are better arguments to remove it:
* The server might forget to check that the client's ephemeral public
key matches in the first and second messages. I _think_ that's still
OK, but it would be simpler if we didn't have to worry about that.
* If Noise pipes are used with a padding scheme that tries to hide
whether resumption was performed (like [1]), then we'd probably want
the value omitted. So that argues for just doing it now.
* It saves DH_LEN bytes to omit it.
https://github.com/trevp/noise/wiki/Pipes/_compare/74788e04ea370f5a5364599fefb316111a5e31fe...b70208389b33d56a71c50e4e34a22785e6cc7eea
Anyways, sorry for the string of changes, let's all look hard at the
box/pipe protocols for next couple of weeks, hopefully they're close
to done.
Trevor
[1] https://moderncrypto.org/mail-archive/noise/2014/000002.html
More information about the Noise
mailing list