[noise] Potential redesign?

Trevor Perrin trevp at trevp.net
Mon Mar 16 17:51:42 PDT 2015 

I'm considering a redesign of Noise, with the goal of making it a
framework that can express a wider range of DH-based protocols.

The previous Noise had a single box message, and a single pipe
protocol.  So it wasn't optimal for every case, e.g. where clients had
prior knowledge of server keys, or didn't want to do client
authentication:

https://moderncrypto.org/mail-archive/noise/2015/000109.html


So the idea now is that Noise messages could be described with strings
that just list a bunch of DH public keys and calculations in the order
they should be sent / calculated, and libraries should be able to
handle any message described by such a string (a descriptor).

This needs a lot of fleshing out, but I'm curious if people like the basic idea.

https://github.com/trevp/noise/blob/noise2/noise.md


Here's how you can express various protocols with descriptors:

---

The following "Box" protocols represent one-shot messages from a sender to a
recipient.

    Box naming:
     S_ = static key for sender known to recipient
     N_ = no static key for sender
     X_ = static key for sender transmitted to recipient
     _S = static key for recipient known to sender
     _E = static and ephemeral keys for recipient known to sender

    BoxSS(s, rs):            # ~ Nacl crypto_box
      ndhss

    BoxNS(rs):               # ~ public-key encryption
      e, dhes

    BoxXS(s, rs):            # ~ miniLock, old Noise box
      e, dhes, s, dhss

    BoxNE(rs, re):           # ~ public-key encryption + prekey
      e, dhee, dhes

    BoxXE(s, rs, re):        # ~ TripleDH
      e, dhee, dhes, s, dhse

The following Noise protocols represent handshakes where the initiator and
responder exchange messages.

    Handshake naming:

     N_ = no static key for initiator
     X_ = static key for initiator transmitted to responder
     _S = static key for responder known to initiator
     _X = static key for responder transmitted to initiator
     _E = static key and an initial prekey for responder are known
          to the initiator (but responder will also use a fresher
          ephemeral)

    HandshakeNX():           # ~ Ntor (+ server-id-hiding)
    (1)    -> e
    (2)    <- e, dhee, s, dhse

    HandshakeXX(s):          # ~ old Noise pipe
    (1,2)  HandshakeNX()
    (3)    -> s, dhse

    HandshakeNS(rs):
    (1)    BoxNS(rs)
    (2)    <- e, dhee

    HandshakeXS(s, rs):
    (1,2)  HandshakeNS(rs)
    (3)    -> s, dhse

    HandshakeNE(s, rs, re):
    (1)    BoxNE(s, rs, re)
           <- e, dhee

    HandshakeXE(s, rs, re):
    (1)    BoxXE(s, rs, re)
           <- e, dhee, dhse


Trevor

More information about the Noise mailing list