[noise] Omitting client's ephemeral pubkey from client's box

Stephen Touset stephen at squareup.com
Tue Jul 29 15:17:17 PDT 2014

On Jul 13, 2014, at 10:47 PM, Trevor Perrin <trevp at trevp.net> wrote:

> Another change:
> In the pipe handshake, the ephemeral public key that begins the
> client's box was redundant, since it was already sent in the client's
> first message.
> I was leaving it in to make the protocol description simpler.  But I
> think there are better arguments to remove it:
> * The server might forget to check that the client's ephemeral public
> key matches in the first and second messages.  I _think_ that's still
> OK, but it would be simpler if we didn't have to worry about that.
> * If Noise pipes are used with a padding scheme that tries to hide
> whether resumption was performed (like [1]), then we'd probably want
> the value omitted.  So that argues for just doing it now.
> * It saves DH_LEN bytes to omit it.
> https://github.com/trevp/noise/wiki/Pipes/_compare/74788e04ea370f5a5364599fefb316111a5e31fe...b70208389b33d56a71c50e4e34a22785e6cc7eea

For the sake of conceptual simplicity, it may be worth redefining the NoiseBox to not actually include the ephemeral key. Then the pipe protocol is:

	Client->Server: C'

	Client<-Server: S' || noise_box((S',s'), (S,s), C', pad_len, app_data, 2)
	# outputs cv_h1

	Client->Server: noise_box((C',c'), (C,c), S', pad_len, app_data, 4, cv_h1)
	# outputs cv_h2

Stephen Touset
stephen at squareup.com

More information about the Noise mailing list